Installer.Win32.InnoSetup.2_93448dc282

by malwarelabrobot on December 16th, 2016 in Malware Descriptions.

SoftwareBundler:Win32/Tillail (Microsoft), not-a-virus:HEUR:Downloader.Win32.Generic (Kaspersky), InstallCore (fs) (VIPRE), Trojan.InstallCore.283 (DrWeb), Artemis!93448DC282F8 (McAfee), Heur.AdvML.B (Symantec), PUA.InstallCore (Ikarus), InstallCore.A98 (AVG), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 93448dc282f8c89966f2110b7678ba06
SHA1: 5b31f428085c329ebe3e177ce10592bff9143f11
SHA256: 631cdfde0e022b1432e6580a2c2d27c5a6cae2954381ca98021b9b14ba930256
SSDeep: 24576:xpk4NyzRXv6iY/z8c3rJXBNm9IIyvfAS8NTzb:xi5zRf4rJXBg7yvfA/7
Size: 936888 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-25 17:41:25
Analyzed on: Windows7 SP1 32-bit

Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):

ClickOnceSetup-1481769362.exe:308

The Installer injects its code into the following process(es):

WerFault.exe:2528
ClickOnceSetup-1481769362.exe:3032
%original file name%.exe:3668

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ClickOnceSetup-1481769362.exe:308 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-H3LL7.tmp\ClickOnceSetup-1481769362.tmp (391 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-H3LL7.tmp\ClickOnceSetup-1481769362.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-H3LL7.tmp (0 bytes)

The process ClickOnceSetup-1481769362.exe:3032 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\BGD.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\ProgressD.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1C75789D\561FCBC6_stp.DAT.part (5180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Color_Button.png (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Color_Button_Hover.png (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143986.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1C75789D\561FCBC6_stp.DAT (196199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143929.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\locale\DLM\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Grey_Button_Hover.png (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Loader.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\bootstrap_55051.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\mainDlm.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\ie6_Dlm_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Grey_Button.png (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\ProgressBarD.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\sdk\roinew.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\button-bg.png (131 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143986.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\bootstrap_55051.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143929.log (0 bytes)

The process %original file name%.exe:3668 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67 (632 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ClickOnceSetup-1481769362.exe (1636 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B179347615B32FE859CEABBE50C3EE6_7E363A5467DEEE48BE57B739C028611D (2040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab35BF.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar35C0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E7EC0C85688F4738F3BE49B104BA67 (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B179347615B32FE859CEABBE50C3EE6_7E363A5467DEEE48BE57B739C028611D (1 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab35BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar35C0.tmp (0 bytes)

Registry activity

The process WerFault.exe:2528 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 BA 16 99 75"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process ClickOnceSetup-1481769362.exe:3032 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "ClickOnceSetup-1481769362.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ClickOnceSetup-1481769362_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:3668 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

Dropped PE files

MD5	File path
6e55e972c57f29b4a7bbaf34de43a041	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ClickOnceSetup-1481769362.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: MediaFH Downloader
Product Version: 1.0.5.43965
Legal Copyright:
Legal Trademarks:
Original Filename: ClickOnceSetup.exe
Internal Name: ClickOnceSetup.exe
File Version: 1.0.5.43965
File Description: MediaFH Downloader
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	896548	897024	5.44633	fe83eab07dc70fed08dfc51b4d623162
.rsrc	909312	35768	35840	4.30895	2bbfd0777e67ae7fd5786c0a761a97a3
.reloc	950272	12	512	0.070639	a2d1cc8a5c1d166839dd399f85d92e0b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
1fb31c30ac58505644060f27725d58c9

URLs

URL	IP
hxxp://crl.globalsign.net/root.crl	198.41.215.186
hxxp://cdn.globalsigncdn.com/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEh/wx5gwp7Er5OaYA4wp2vmg==
hxxp://rp.madihehife.com/?pcrc=173628753&v=2.0	52.51.153.166
hxxp://info.madihehife.com/?v=1.03&c=7b09ef7c&at=584795107&cntr=0	54.154.229.88
hxxp://geosrvlb-629133695.us-east-1.elb.amazonaws.com/details
hxxp://allmyapps.com/binary/16891/213427/direct-download?token=90c4f1d505d730885cc98010575156fddefdb54b	54.221.210.220
hxxp://static.binaries.allmyapps.com/6fa7457f23ab31e68a674e5342fe32bd_jre-7u60-windows-i586.exe	50.23.103.19
hxxp://giserv.madihehife.com/details	23.21.150.180
hxxp://ocsp2.globalsign.com/gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEh/wx5gwp7Er5OaYA4wp2vmg==	104.16.25.216
dns.msftncsi.com
cdp1.public-trust.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE DealPly Adware CnC Beacon
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /binary/16891/213427/direct-download?token=90c4f1d505d730885cc98010575156fddefdb54b HTTP/1.1

Accept: */*

Host: allmyapps.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 302 Found

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Content-Type: text/html; charset=UTF-8

Date: Thu, 15 Dec 2016 02:36:12 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

location: hXXp://static.binaries.allmyapps.com/6fa7457f23ab31e68a674e5342fe32bd_jre-7u60-windows-i586.exe

Pragma: no-cache

Server: nginx/1.10.1

Set-Cookie: AMASESSID=57e45af9715ddb586b8fc19adfd9bbd0; expires=Thu, 15-Dec-2016 10:36:12 GMT; Max-Age=28800; path=/; domain=.allmyapps.com

Set-Cookie: AMASESSID=57e45af9715ddb586b8fc19adfd9bbd0; expires=Thu, 15-Dec-2016 10:36:12 GMT; Max-Age=28800; path=/; domain=.allmyapps.com

Set-Cookie: ama_t=e16156dd-c5f5-44ff-b30b-5f94dc0738ac; expires=Sun, 13-Dec-2026 02:36:12 GMT; Max-Age=315360000; path=/; domain=.allmyapps.com; httponly

X-Powered-By: PHP/5.5.17

X-Store: allmyapps

X-UA-Compatible: IE=Edge,chrome=1

X-WebHost: web1.allmyapps.com

Connection: keep-alive
HTTP/1.1 302 Found..Cache-Control: no-store, no-cache, must-revalidate
, post-check=0, pre-check=0..Content-Type: text/html; charset=UTF-8..D
ate: Thu, 15 Dec 2016 02:36:12 GMT..Expires: Thu, 19 Nov 1981 08:52:00
 GMT..location: hXXp://static.binaries.allmyapps.com/6fa7457f23ab31e68
a674e5342fe32bd_jre-7u60-windows-i586.exe..Pragma: no-cache..Server: n
ginx/1.10.1..Set-Cookie: AMASESSID=57e45af9715ddb586b8fc19adfd9bbd0; e
xpires=Thu, 15-Dec-2016 10:36:12 GMT; Max-Age=28800; path=/; domain=.a
llmyapps.com..Set-Cookie: AMASESSID=57e45af9715ddb586b8fc19adfd9bbd0; 
expires=Thu, 15-Dec-2016 10:36:12 GMT; Max-Age=28800; path=/; domain=.
allmyapps.com..Set-Cookie: ama_t=e16156dd-c5f5-44ff-b30b-5f94dc0738ac;
 expires=Sun, 13-Dec-2026 02:36:12 GMT; Max-Age=315360000; path=/; dom
ain=.allmyapps.com; httponly..X-Powered-By: PHP/5.5.17..X-Store: allmy
apps..X-UA-Compatible: IE=Edge,chrome=1..X-WebHost: web1.allmyapps.com
..Connection: keep-alive..<<< skipped >>>

HEAD /6fa7457f23ab31e68a674e5342fe32bd_jre-7u60-windows-i586.exe HTTP/1.1

Accept: */*

Host: static.binaries.allmyapps.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Thu, 15 Dec 2016 02:36:13 GMT

Content-Type: application/octet-stream

Content-Length: 29405096

Connection: keep-alive

x-amz-id-2: VH5aSAcJcKW0E4QxPr11rUNYk1gGB25CSu2YXz75ac08 QxTRINRlUspJosV2T4F/J1eWxOCVmI=

x-amz-request-id: E95BF0334352328D

Last-Modified: Tue, 23 Sep 2014 19:32:16 GMT

ETag: "6fa7457f23ab31e68a674e5342fe32bd"

Accept-Ranges: bytes

HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Thu, 15 Dec 2016 02:36:13 
GMT..Content-Type: application/octet-stream..Content-Length: 29405096.
.Connection: keep-alive..x-amz-id-2: VH5aSAcJcKW0E4QxPr11rUNYk1gGB25CS
u2YXz75ac08 QxTRINRlUspJosV2T4F/J1eWxOCVmI=..x-amz-request-id: E95BF03
34352328D..Last-Modified: Tue, 23 Sep 2014 19:32:16 GMT..ETag: "6fa745
7f23ab31e68a674e5342fe32bd"..Accept-Ranges: bytes......

GET /6fa7457f23ab31e68a674e5342fe32bd_jre-7u60-windows-i586.exe HTTP/1.1

Range: bytes=0-29405095

Accept: */*

Host: static.binaries.allmyapps.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 206 Partial Content

Server: nginx/1.8.0

Date: Thu, 15 Dec 2016 02:36:13 GMT

Content-Type: application/octet-stream

Content-Length: 29405096

Connection: keep-alive

x-amz-id-2: VH5aSAcJcKW0E4QxPr11rUNYk1gGB25CSu2YXz75ac08 QxTRINRlUspJosV2T4F/J1eWxOCVmI=

x-amz-request-id: E95BF0334352328D

Last-Modified: Tue, 23 Sep 2014 19:32:16 GMT

ETag: "6fa7457f23ab31e68a674e5342fe32bd"

Content-Range: bytes 0-29405095/29405096

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......jf-}..C...C.
..C..I..,.C.5...0.C.5.....C.'...*.C.'...5.C...B.a.C.5...c.C.5.../.C.5.
../.C.Rich..C.................PE..L...%.jS............................
..............@.................................w.....@...............
...................i.................................../..............
....................06..@............................................t
ext...d........................... ..`.rdata..........................
....@..@.data....P.......,...p..............@....rsrc.................
..............@..@.reloc...Z.......\...:..............@..B............
......................................................................
......................................................................
......................................................................
......................................................................
.............................................D$...t.....8....u.P..`..Y
..D$..l$..............w.r....w..L$...3........U..V.u...t&.}..t .u.3.Vj
..u.f..P.u.....B.....#...3.^]...U...E..E.hpSC..E.P..`....D$...t,...t .
..t..."t...Pt.h.@.......hW.....h........t$..t$..t$..t$...`..P.........
V3.VQ..(.B...u...$.B.;.~.%.............^.U...u..u...8.B...u.].VP..4.B.
....t(.u..u...0.B..M......v.;.s.I....tV.u.;.r.3..........#.^]..D$....@
...j.P.t$...<.B...u...t$.P.t$..z.......SVW3....C.S....Y..3.G....u..
t$.P.....YYW.....aY..G..u._^..[..t$......Y..t....Q...P....B..L$...

<<< skipped >>>

GET /6fa7457f23ab31e68a674e5342fe32bd_jre-7u60-windows-i586.exe HTTP/1.1

Range: bytes=22118400-29405095

Accept: */*

Host: static.binaries.allmyapps.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 206 Partial Content

Server: nginx/1.8.0

Date: Thu, 15 Dec 2016 02:36:35 GMT

Content-Type: application/octet-stream

Content-Length: 7286696

Connection: keep-alive

x-amz-id-2: VH5aSAcJcKW0E4QxPr11rUNYk1gGB25CSu2YXz75ac08 QxTRINRlUspJosV2T4F/J1eWxOCVmI=

x-amz-request-id: E95BF0334352328D

Last-Modified: Tue, 23 Sep 2014 19:32:16 GMT

ETag: "6fa7457f23ab31e68a674e5342fe32bd"

Content-Range: bytes 22118400-29405095/29405096
..R.>..i|..c... .7..ArC^.H{.P.=. m9f..w."4..0..X....^A.3.O'..%....a
o7{.V..3 &..Y\k.w.;7Z...\B..}.v.=...xE.P.u.DB.<......^.........nDt.
.....Y.6..!..=....Dy..o%..v.&.....d.g.@$:Q...,j4...K..].-S#....xqmC...
'.mv!..LR8.v.....;.-f..fvW.R"Nc..E .0....WOLw..i....n.t.smou....Kn.>
;..........N....#........=....Uq......Y.'..D.8a..-. .y..@E..p.{f<..
....B.a1...<..#...N.nk.x.z..{..1#...v.e...>...YzO.."....P.......
....>......=.JR-8!...c...?.Hcw.5../...T.Ko...n...ml...(....j....M..
.. ......B.E....T...Nx..2.C.3X.m....)...|$......!.f...J:'H.U{..D......
..w..E..SE.....;....u.;..`.N.5h...n....qE7.'...c_.....OK.....%.H......
Xjv.jo.cG.........X..E.8q.:....E....R.n'..Y....[...^.V1..0|..nHh......
..-^.....n.z.{..V..X....c.#h7...q..A.B".1..&.<..^...D..Yu...}.c...i
..sB0.$.*ey[s9.&M...1cbFww...3..4..1.Q....w.....w.*...6.....]..f'.L."0
..a........D.@.../....X.....> `...DwH.HN...3'N..j.K...!.B..{.....)C
..LC...A.$..t....hC...".a5...K.......).N.....w.I.K.L...),.............
}."T5...sf....$.e....>^#.ol\.xx<"..f.......L...a.*.:...1...TG4,4
.<V.#..^.......#M.Z....$.@..:$$..r.o.bx.G~..........o..a~.3t=K..q::
.U2......c......\..!N..p.Q..GJ.Y..D2.Z...x3 ..XJH.K.SX....^...".Y..@.x
.{4!.y....N...&.?..-m*..`.%)....'..l......u..'pN.d~i..)...5.&.........
.\8.1....w4%...&...f..s`.jH .O.U..#...ux.Y.q. .b........L.cF.........G
..y.....-.....Iq..Yn...........(.C.._.u..-?rz.-........I...Wj...z.%.0N
.*......-c.:q.5..q?_|V.;...X.G.w ..XzEd..~..9z...........2'Q#&:.....d.
*%FL..,.QghE...r.OZ....&...{`2..C..X..0cJ.<u...[.z....Y.].<.<<< skipped >>>

GET /gscodesigng2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRruLd2WRFk6cRYGFIqkQ4J8hxDogQUCG7YtpyKv+0+18N0XcyAH6gvUHoCEhEh/wx5gwp7Er5OaYA4wp2vmg== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com


HTTP/1.1 200 OK

Date: Thu, 15 Dec 2016 02:36:02 GMT

Content-Type: application/ocsp-response

Content-Length: 1571

Connection: keep-alive

Set-Cookie: __cfduid=deb2bce0a1ac5bd6c56ac0825a097370b1481769361; expires=Fri, 15-Dec-17 02:36:01 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Thu, 15 Dec 2016 01:01:49 GMT

Expires: Mon, 19 Dec 2016 01:01:49 GMT

ETag: "09b7efc10c48c4b4241034c6ed5d23762d310fd3"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: MISS

Server: cloudflare-nginx

CF-RAY: 3116816cc7d1403e-SOF
0..........0..... .....0......0...0......Q..Kd...IV.....N.B....2016121
5010149Z0..0..0K0... ........k..vY.d..X.R*.....C....n......>..t]...
./Pz...!..y..{..Ni.8........20161215010149Z....20161219010149Z."0 0...
 .....0......20151216010149Z0...*.H.............BIA......[.c...Ox..3q.
I.l..?"O..Z./b.....'x.......>.IE....._..% ;..Q:h....=.~#..:...P...-
..........-2.Si."....3..dNhP._PFWXM._..l $#U./.&...T........s;...c.x{.
......_.7 =jZ..W......",QS..za..C....)...!...$.hU....9r(BV.B.....d....
\c8.J"[)b..W.7.4.........?.... 0...0...0..........,}.......H,.0...*.H.
.......0Q1.0...U....BE1.0...U....GlobalSign nv-sa1'0%..U....GlobalSign
 CodeSigning CA - G20...161104033328Z..170204033328Z0y1.0...U....BE1.0
...U....GlobalSign nv-sa1.0...U....2016110400071806..U.../GlobalSign C
odeSigning CA - G2 - OCSP Responder0.."0...*.H.............0..........
P...D..0 E........8.. c..$.w....n}.$...Gn.!..*K`./`.....P.hu..O.......
.Tm..8.....5..s..!..[K.4vmYv...).{a.......5..H9......&...M.Q.}.>...
d...0...z.8.._B.f......c.x.Pq..nB.(..G~..z..C....R...@fw......No.Z..H.
..'\(...6.......?.D9.9..y^............S\`....'.........0..0...U......Q
..Kd...IV.....N.B..0...U.#..0....n......>..t]..../Pz0... .....0....
..0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/r
epository/0...U...........0...U.%..0... .......0...*.H...............B
p.\3...<..a...I5....d.ct..|1............YW5....;..o..0..j...{3-....
.~:.l....[D..Uq3$.d}.....{..h.......A.....dj.<Y..w.g...R....e.F....
W.u_..i..{..].8OJv....]..j#.,.>%.....G9.$!.`.&#`...Q6..|5quS./.<<< skipped >>>

GET /root.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.globalsign.net


HTTP/1.1 200 OK

Date: Thu, 15 Dec 2016 02:35:58 GMT

Content-Type: application/pkix-crl

Content-Length: 693

Connection: keep-alive

Set-Cookie: __cfduid=d750b83678200d3596edaa5bb65f772f41481769358; expires=Fri, 15-Dec-17 02:35:58 GMT; path=/; domain=.globalsign.net; HttpOnly

Last-Modified: Fri, 07 Oct 2016 00:00:00 GMT

ETag: 36

Expires: Sun, 15 Jan 2017 00:00:00 GMT

Cache-Control: public, max-age=2669042

CF-Cache-Status: HIT

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 3116815c97104f2c-DME

0...0......0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.
0...U....Root CA1.0...U....GlobalSign Root CA..161007000000Z..17011500
0000Z0..0*.........D.....141125000000Z0.0...U.......0*........)E.....1
41125000000Z0.0...U.......0*........ ...h..141125000000Z0.0...U.......
0*........,^.....141125000000Z0.0...U.......0*.........KZ....160107000
000Z0.0...U......../0-0...U......60...U.#..0...`{f.E....P/}..4....K0..
.*.H.............N&Y..fN..1@.EDm....r..U.?.rz\..7N........fO..i.).b).:
).....,"j"...U&.Y....T..$.Np.."....u...(.!.\.^.....!..e..........9}*..
<..B........L.~......T1...}..-7..~...(..:Kl./...x1.E.......OF...2S.
p-XC.Y}Ht01i..AcHn........k..O.5..F2=...4A.....A..5.}........J2.e.HTTP
/1.1 200 OK..Date: Thu, 15 Dec 2016 02:35:58 GMT..Content-Type: applic
ation/pkix-crl..Content-Length: 693..Connection: keep-alive..Set-Cooki
e: __cfduid=d750b83678200d3596edaa5bb65f772f41481769358; expires=Fri, 
15-Dec-17 02:35:58 GMT; path=/; domain=.globalsign.net; HttpOnly..Last
-Modified: Fri, 07 Oct 2016 00:00:00 GMT..ETag: 36..Expires: Sun, 15 J
an 2017 00:00:00 GMT..Cache-Control: public, max-age=2669042..CF-Cache
-Status: HIT..Accept-Ranges: bytes..Server: cloudflare-nginx..CF-RAY: 
3116815c97104f2c-DME..0...0......0...*.H........0W1.0...U....BE1.0...U
....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA..1
61007000000Z..170115000000Z0..0*.........D.....141125000000Z0.0...U...
....0*........)E.....141125000000Z0.0...U.......0*........ ...h..14112
5000000Z0.0...U.......0*........,^.....141125000000Z0.0...U.......

<<< skipped >>>

GET /6fa7457f23ab31e68a674e5342fe32bd_jre-7u60-windows-i586.exe HTTP/1.1

Range: bytes=10444800-14745599

Accept: */*

Host: static.binaries.allmyapps.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 206 Partial Content

Server: nginx/1.8.0

Date: Thu, 15 Dec 2016 02:36:36 GMT

Content-Type: application/octet-stream

Content-Length: 4300800

Connection: keep-alive

x-amz-id-2: VH5aSAcJcKW0E4QxPr11rUNYk1gGB25CSu2YXz75ac08 QxTRINRlUspJosV2T4F/J1eWxOCVmI=

x-amz-request-id: E95BF0334352328D

Last-Modified: Tue, 23 Sep 2014 19:32:16 GMT

ETag: "6fa7457f23ab31e68a674e5342fe32bd"

Content-Range: bytes 10444800-14745599/29405096
.e.......Z.a...p&..O@.....p&.?....3.......W"......;.....xs.g.4.n...0.E
.X..UX..Og.6..k2..f.`M.....~.%..3..U".l....M....(.. .dR.g....%0;..i~!@
{)k...(...A.jw(A....G.....3..t.z.{...i...[.b. 0'.>........<.....
.:...w...vE/.........l.(i..?..%...w~...z.?. .O.?..CK.}.|S.........$@..
U.V[....Tl.....R.:..m.U....jA1...!.....mnnS'?....1.R....Pi.U.9O.(.(}..
..9..7IA.....4......<.s.s...../....U......K<.....].y...........&
lt;..RZu!..0sW.ES....b..m.Q.F:..8.n....X.....u.Un.._...J....i.{.x....]
....'.L...Ba...."f.~.pad.......u43.....v....5.9.v....{.....:... ..iK\0
..Hx.$V......1...n..V/F..z.#..a..Y... ....w.....5s|..tE......R...._...
..#.*.P..a.i.."."\B"......ex....a.J-u.G(...0.._.W...........B.ml.n.O..
....EC..J.'..j..........f..k...6...%..8.......w.b.=...G.x.>2......Z
.'.^.=.Q..n...Y(.a!q.j.It..A6..O|,.M..^)..IY../n..KP.^.n.-.&{.|.....K.
)..[v.....H....]..,..v..@....}. ..k...j%%yj....$USD...X.>......s.q.
..........U....,....P2.d....X:R1.tz~p......f[bt.. wPt..,.g..S...I..".S
z.........%...n;&..Y.[cd...:5,hlOoh...C.s08...]h|...$..T.`......R({...
.7.b.......q...u.v.2U...@".eu^.~Zk..."<....\......}.>.n.[..=.4..
-I,......lC2u....n.w...Di@v..8}....C0.X..a...%..a.....Bk4...TW.X.g.NA.
.....h:~....O...^......Q>..8...I.............._...>.....Hm%<v
.t0,&v..K. 1IW.C..".%EH...L.....a,....&......v...l...2...6e)....Ef....
...k....$2K."....3......'.a..6....n..W`u6.:..B).....-.Y#....G.a<..`
...a..?.`.......:..]....B..i...HF..<{!........`...V6.V..yX.......Qb
.s.....Q....x=L..g_f...Z..;C.L'M.mB.].>f..1...PLw..0.)v.1.....J<<< skipped >>>

POST /?v=1.03&c=7b09ef7c&at=584795107&cntr=0 HTTP/1.1

Accept: */*

Host: info.madihehife.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 172

Cache-Control: no-cache

6l7GU7LYt04pVHc/00d7JqV6q8cj1lxkkttuM2iOTS7r1bgnBOQ6d75HMi0oiLZrt 5upzjLapuYtAJxNZoalV 2Yx85O7zJozm4LZaZQ XzWsjYXErov2pJhKyVPK03a0AIeX54pqTPjE3g4BS5rAYahvw2GWyieNddoh07Qf4=
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Thu, 15 Dec 2016 02:36:05 GMT

Content-Length: 2240

Connection: keep-alive

hcu4I 5LbSkcg1ZZzxsK8pi13asjQa9A9vUhIMFmkHHn4d/liSPs14mwlRs6l36ad0r/bY
IVneh2z2nL1n895TAICw9pUvEVybS3hwj7dQtxoUwsR7w5kT6n1Fbkq/fNE9jb/U9/6Dhp
Rb9Yg0/SUqhmtAZGWwjxw5rWsHF6MNxddtwQRM1MPMZI14hJ4NlYPEn23DrJifA4d/NUa0
Opogb0APtTVcnZG/sagHxeVfnI1h6J8MIH1uO4inR7/Kvq2DK1aEJH25bsd/hBz0/ySPtS
7XHWfpiZXcMO/bnt8hUkOy1KhD4jiJN8U7NijznHcc5jtheXmZ1G URFM tWRU rkQSbpg
YxR3hyqkE6q5QXBbQwAVIify4o5ighJy5p/zWAWWaxTeyU8/As6wJFvNBj18tX1T8sjy1w
8/z8T54bG8DzhNeDFCCHWyvl1930s2VxjjC2dt8uYltUfcd2VZjRmsKEFAojUrMLURzuVn
tCs5wMKfCVeO5ER2sohioMpphEMIJOHalmA1d3ZSJZuxgunfYMFuY8 QliVBuCFTPFc5GX
ER91zYSyVjxgE25Y Pvs7dVVbf/NShaFDnswNtbp2zUmd5KihJ/hteNC2ftQEgo6W/2BsL
fploORd8U dupXBeU8AlGvlLhGtAYJ/NE8vO1z7X6wnZPQBt2K1mODq8kozDpmfWIqxifO
Et8dpuVe0/0 Gczqulz3i31eG5h5Ngbik75KM2RkWyD9cLnacd4FpW KL2ZbqUBqCC7iCt
FVZVplv4QkLdG/mxN7K34r/Rv 1UVkt6A4MXka1SPjPoq4UHA7GGrlnJjigN/r/xCn9nOZ
NhyVNK5BWC3JBNoMhlMl6H2KePPbP5OZXcpMhlnFk6h4B5KKgga2jVtrcqhDGpNLs9h/d9
alzyLNKVYED2y8Yvh xqHT2gNNzmtZXX2JcC7yxDkS5S9Yo4JgxIpdnzkGaQE4zPLNDjB5
6B0cHCaQNSXUht9Q35MndosSNl/w8PKbFFkIW/okQbnCSTdb d vRoa7ARDcUAPzUk6B7y
Hb/mp88An40kjwqtUSuto2fCWph5oqcxumNCDcQh/JC5MaSZcSSyTaV ULq1ShZ8yHI4vd
1I2u cfab VUmfPzNB1LTztG0U 6nR9FUb6bXT3SXC DxhTyo1YRcoXXaVpgr47eig74kR
Uq0qsKq9jhqxowotyhi4ilS9pYbuNj5BPJf4kEynd50T1bA5zzz44W8859eJzE4paFjXUW
w/6O0yQkdkIxgHfbxwYV3dtLZE S1J5QRymWG5tZAsKmEYi8jRqveU7tEU9Ck7b/jXMrI2
Co0jAecAbOcJx/mUxUvocbD4KYXzMdX22umeOkPWLVL5Hd1cbsyXM7OVTee8xrbZ7Qq1RQ
PL9yLEWFjvVCT2mPiMcqOiH27 uJEFBZI7T9hm8jBiwPGScAFuVz53iBqLVxX4vtCcOJ6u
x4JgBtK/77EgaTe432iVCPSA XuhJoK9fbyvwc9PdFLzrN8KQ990UW6QJhcunRxvO7

<<< skipped >>>

POST /details HTTP/1.1

Accept: */*

Host: giserv.madihehife.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 7

Cache-Control: no-cache

foo=bar
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: application/json

Date: Thu, 15 Dec 2016 02:51:43 GMT

Server: TornadoServer/3.2

Content-Length: 306

Connection: keep-alive

{"city": null, "region_code": null, "ip": "194.242.96.218", "area_code
": 0, "time_zone": null, "dma_code": 0, "metro_code": null, "country_c
ode3": "UKR", "latitude": 50.44999999999999, "postal_code": null, "lon
gitude": 30.523300000000006, "country_code": "UA", "country_name": "Uk
raine", "continent": "EU"}HTTP/1.1 200 OK..Access-Control-Allow-Origin
: *..Content-Type: application/json..Date: Thu, 15 Dec 2016 02:51:43 G
MT..Server: TornadoServer/3.2..Content-Length: 306..Connection: keep-a
live..{"city": null, "region_code": null, "ip": "194.242.96.218", "are
a_code": 0, "time_zone": null, "dma_code": 0, "metro_code": null, "cou
ntry_code3": "UKR", "latitude": 50.44999999999999, "postal_code": null
, "longitude": 30.523300000000006, "country_code": "UA", "country_name
": "Ukraine", "continent": "EU"}..

POST /?pcrc=173628753&v=2.0 HTTP/1.1

Accept: */*

Host: rp.madihehife.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1968

Cache-Control: no-cache

...3E.Q)_l.y...K.z|........|. ....>~.....b....s..["...h....T...I..V|Q...._.........Z..XD...O.R..C..,...=.1.b8y...9^........<.....j......>-.....Fk.R.b.,d..FP...g...P.)....#.......F.X.

..n...ayW..}...%.......@..2g.....mY..%K.Z=..2..P.....F:...R.....D.n.d<.Y....Jv.}.0(...Y<.....%|W.#.|4.{.J./........#..O.......O.;..Sn.?..dE.Z$..6...{..3..u.^..;}75b..'~.d..oLH9%X...;......;6..|...@......4i...M.........S...k..PQ..C_.......L.^`....A._.Ug.i..nRv..u.q...c(..KZ}...~....,.F.$...W.Be..v...)....s.>&12j.

"... ..gfYb.5.,gz.=.]..:F.5.T#a..SU.F4..3^..b..(z........M..W...H.....$.wC..D.(m.....`....\..;...oI..=<r..@....4..N!X...*.....O.2;...F..BJ...WD...0.A..
O.0.@Eb....9.mw.g....R.N\A....<.Y,W.7...Z..].....C.G|..MK[..}...?.r.....L. .g_.fP'...B.9w|9.......q..x..?.{{..7Jo..^..wf....(..K^e5....2.}.@...n..T....*4....g..)..
.....59...{3...... :.7..kI\t..\..v..Yb~.....\OdHa.^..
..........79O.$7XX0{<.qLVMcDjb..iy..s.<......y..@.......~&./...y.Y......O.Y.....zUI....e.....3.............<.v.Z.... ..2{w......q...Q6...-...b..oS.!7.c..N}..h...d.......=.?o..-....!...m.I....s......,o$..'_>.\vK...Xx.b......x..5l..D..$.....N:.f.>oQ.Y..L(........I.@......le....J.IR.#...

...Y.h..T.....fXr.D.g.;...6....U. ..tW

q_."....n
...Yy.V.tNl....t....1$.t..e.2...t.;@./....[.....'..R....(.yA2<.........9......L.x
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 15 Dec 2016 02:36:03 GMT

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu
, 15 Dec 2016 02:36:03 GMT..Content-Length: 4..Connection: keep-alive.
.DONE..

The Installer connects to the servers at the folowing location(s):

svchost.exe_3920:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

<description>Host Process for Windows Services</description>

<requestedExecutionLevel

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

ClickOnceSetup-1481769362.exe_3032:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SUPPRESSMSGBOXES

/PASSWORD=password

Specifies the password to use.

For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.3)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

2.7.5.7

WerFault.exe_2528:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

USER32.dll

msvcrt.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

IMM32.dll

wer.dll

COMCTL32.dll

faultrep.dll

Starting kernel vertical - %S

rundll32.exe

NtQueryInformationProcess failed with status: 0x%x

Reporting never started for process id %u

StringCchPrintf failed with 0x%x

NtWow64QueryInformationProcess64 failed with 0x%x

NtWow64ReadVirtualMemory64 failed with 0x%x

NtQueryInformationProcess failed with status 0x%x

WerpNtWow64QueryInformationProcess64 failed with status 0x%x

StringCchCopy failed with 0x%x

Invalid arg in %s

wdi.dll

dbgeng.dll

dbghelp.dll

SETUPAPI.dll

SHELL32.dll

VERSION.dll

WTSAPI32.dll

WerFault.pdb

PSShD

tSSh,<

t.PSj6

t5SSh

SShx`

tsShxc

t.Ph0j

_amsg_exit

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegQueryInfoKeyW

GetProcessHeap

GetWindowsDirectoryW

RegDeleteKeyW

ReportEventW

RegOpenKeyW

RegSetKeyValueW

GetProcessWindowStation

EnumWindows

NtAlpcSendWaitReceivePort

NtAlpcConnectPort

ShipAssert

ntdll.dll

RegisterErrorReportingDialog

WerReportSubmit

WerReportAddFile

WerReportCreate

WerReportCloseHandle

WerReportSetUIOption

WerpGetReportConsent

WerpSetIntegratorReportId

WerpReportCancel

WerpAddRegisteredDataToReport

WerReportAddDump

WerpCreateIntegratorReportId

WerpSetReportFlags

WerpGetReportFlags

WerpIsTransportAvailable

WerReportSetParameter

WerpInitiateCrashReporting

version="1.0.0.0"

name="Microsoft.Windows.Feedback.Watson"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

<requestedExecutionLevel

ÝCD0

#$$$3355<

##$$$335566

% "#$$$3355666=

"#$$33555666

!.DQ$

.Py>o

Kÿg

.ib:?

T3%X_

a,M.cbd

KEYW8

KEYWH

? ?$?(?,?0?4?8?

1 2$2(2,20242

>,?0?4?8?<?@?

?%?5?:?|?

5'565^5{5

3#3(353_3

=#='= =/=3=7=;=?=

=#=(=>=]=

>!>&>3>}>

1!1&131[1

Microsoft\Windows\WindowsErrorReporting\WerFault

%s %s

Global\WerKernelVerticalReporting

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

CrashDumpEnabled.Old

CrashDumpEnabled.New

%SystemRoot%\MEMORY.DMP

LiveKernelReports

Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports

LiveKernelReportsPath

BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u

*WerKernelReporting

%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue

sysdata.xml

%s -k -q

SOFTWARE\Microsoft\Windows NT\CurrentVersion

<OSVER>%u.%u.%u %u.%u</OSVER>

<OSLANGUAGE>%u</OSLANGUAGE>

<ARCHITECTURE>%u</ARCHITECTURE>

<PRODUCTTYPE>%u</PRODUCTTYPE>

<FILESIZE>%u</FILESIZE>

<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>

<NAME>%s</NAME>

<DATA>%s</DATA>

<ERROR>Failed at Step: %s with error 0x%x</ERROR>

%sDrivers\%s.sys

</%s>

<%s>%s</%s>

%u.%u.%u.%u

*.mrk

WER-%u-%u.sysdata.xml

Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER

SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic

Web Server

Software\Microsoft\Windows\Windows Error Reporting\Debug

%SystemRoot%\Minidump

0xx (0xx, 0xx, 0xx, 0xx)

%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp

*.dmp

Software\Microsoft\Windows\Windows Error Reporting

Software\Policies\Microsoft\Windows\Windows Error Reporting

\KernelObjects\SystemErrorPortReady

%s\%s

Microsoft.Windows.Setup

\WindowsErrorReportingServicePort

(0x%x): %s

%u %s

WindowsNTVersion

%u.%u

ErrorPort

\StringFileInfo\xx\%s

HKEY_USERS\

HKEY_CURRENT_CONFIG\

HKEY_CLASSES_ROOT\

HKEY_LOCAL_MACHINE\

HKEY_CURRENT_USER\

%s="%s"

%s.%s

%s %d

Software\Microsoft\Windows\Windows Error Reporting\Hangs

_NT_EXECUTABLE_IMAGE_PATH

wxmu.dmp

wxhu.dmp

axmu.dmp

axhu.dmp

hu.kdmp

mu.kdmp

hu.dmp

mu.dmp

Software\Microsoft\.NETFramework

NOT_TCPIP

sos.dll

version.xml

.version.xml

%s.xml

memory.hdmp

minidump.mdmp

Local\WERReportingForProcess%d

atk.kdmp

Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes

%i|%d|%d

xxxxxxxxxxxxxxxx

xx

%d.%d.%d.%d

D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)

D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)

dc.noreflect

dc.xpmemdump

dc.xpdata

dc.CustomDump

dc.expmodmem

dc.expmoddata

dc.OnDemandKdmp

dc.xpmodmem

dc.xpmoddata

default=%s

memory=%s

module=%s

.dbgcfg.ini

ElevatedDataCollectionStatus.txt

Open process failed unexpectedly: 0X%X

Attempting to cross-proc reporting process!

Elevation:Administrator!new:%s

Reflection attempt failed: 0X%X

Attempting to reflect reporting process!

Could not collect dump for reflection cross process: 0x%x

Could not collect xproc for reflection: 0x%x

CollectFile for reflection failed: 0x%x

Could not collect dump for cross process: 0x%x

CollectReflectionDump failed with: 0x%x

0 processes found for xproc module: %s

Could not collect cross dump from module: 0x%x

CollectCrossProcessModuleDumps failed: 0x%x

CollectCrossProcessDumps failed: 0x%x

KernelDump failed: 0x%x

ProcessHandle

%s|%s

rpcrt4

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

sntdll.dll

WerDiagController.dll

Software\Microsoft\Windows\Windows Error Reporting\Plugins

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession

%s\%s\%u-%u.etl

%s\%s\%u-%u.etl_%d

Microsoft\Windows\FDR

%s-%d

Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier

Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder

%d-AppRecorderEnabled

%s /stop

psr.exe

Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules

verifier.dll

nVerifier.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

lsvchost.exe

"%s" "%s" "%s"

%s\system32\cofire.exe

psapi.dll

sfc_os.dll

werfault.exe

%s\%s-(PID-%u)-%u

%s\%s-(PID-%u).dmp

%s\*-(PID-*)-*

SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s

SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

kernel32.dll

kernelbase.dll

ReportingMode

WinShipAssert

WindowsMessageReportingB1

Windows

ws2_32.dll

Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo

%s\Sqm%d.bin

CorporateWerPortNumber

BypassDataThrottling

Software\Microsoft\Windows\Windows Error Reporting\Consent

Windows Problem Reporting

6.1.7600.16385 (win7_rtm.090713-1255)

WerFault.exe

Windows

Operating System

6.1.7600.16385

Microsoft-Windows-WER-Diag/Operational

ClickOnceSetup-1481769362.exe_3032_rwx_00404000_00001000:

kernel32.dll

ClickOnceSetup-1481769362.exe_3032_rwx_00670000_000C8000:

.rsrc

el32.dllwGetLongPathNameA

T_(_.SCK_LINES/2

;.OVI

Keyw

%s[%d]

-j}9}

%s_%d

gO"%F

~!.CC

.FDiag

Z.eX&

E(AL("%s",4),"

u...CXR

.ZZZH*-

[.yNcX

2,#.hE}

`h=.sd0

%6S=f

OS.FP K{

$%3Ui

.cu%BY

G%4xoD

%uGcW

.in1%

tLcibD.ZP*

rpOi.br2

I.trmor

^Io.ye

ToiZc.Xhj

`cc`k R,uc,.fd

 B.gG

Gisr%S

-\ T,/.Om

kW)Rh.LDPX

s:.LG

I.LLP

\.HTXrK

.XEC'

].jl_&4

.mTC\A.d,o

.RM^^HBU zlfHK

vT.whxyW6z

N1.2.3

THttpt

",M.DJGA|

.FJn`w

ic6.fAX3V

FRI.AT'

.ePnM

,0489999

/K-33b.jG

mw.ll

.LjgtT2d

d.vLO0V

vgc4(.aR

j,.bpo

\þliaL

]@W.zb

}`<(-]4_,[.sO ]$

.jfo-X

QW],.WbciyFus_

.dof*

klkibg*7.Uw

hky4*.fe

I`?BaT'5.zJ

j,.OD

T.PdxH

Y/LYB.MT

J@, NYL.qZ

a.ZrOIU

@_YH.hD

QvKJA.ZS

f.OGpH

ZX/GBX.mCIN

GM.Pv

J.%fI

2.dt(1

H,.JZ

AQ.jZ

.TBH^-O

6gQ,.YGU

.ZLQQ-H,

.SLL_-4 H

?:96=>?59:;.ZQ

6?0N2=.Lqf

W]E).rG

-[4/>;84

/(.Ag

o.hA~

B}`%X

C%FQhxf

` `).L.dw

VQzd_%CN

Tc.Uv

<w.Ch7<(O\j)p

F%D\2

%C ZH

]H.if

bh[muQ.PT

.Lb/[

Uo)hix.CBO

.ev40

2U7%D|Q$

H..fyw KK

TPipeSdv

RW?CJ[hx.Xa

%Xlqe`0

AC^@[SQWLHEM G.so

].Lw/OFL[^\\

.Hktz`ikk

_.gROUHUOP

1/.vs

ym^rk.Um

.vok^/i

].SuspXL!K

IWeb)`A

D_:%F

rfKey?

pCmd

t.mI2

'%s' (

|ftp:

|p"h%F

.Advi

.1..WAH

1%X-o

*.Vt[

`cs>I.VN

.Ppi#

j~hq5.nM

Dô5=

PPi`djv D.zZv

yhe.Vf

ghl9.CW"

JYDH8Y@BKCo.Xd#B'O

KPERHCV.Zt

Ei.Tc/hEde

FT*.lJ,e

dMSG_

.Ek{-K

anldf.RW

e.Hvw

r.vY?

X(kbm N.qX

hWkkaTmjC.Oo

ZY*rf.aeWv

.qB/hkk[lfqd.

NPIPE_DATA'

.OAX7u

HKz).jGNNL6.i-

?@C@NHL-N.PLNYCD_^.N

HMVH9>.PE?

.CONTAE

PTcpw/

v=.vN

RO-\.Ac

pi1/w.vw6h

ung`.Nr

.qVi>^`RM

nGM[wha.Mo,

m-X.so

xEXE&a

$.PgGd

pek,.mmhka

D.DDmU>

W.ezfc.bzG

u-f.woaq

]no^dun.Vx

Z.Oo0

qzeon,.wvPA

/M@VNJPu.IgY

Ccbd.LG

4)|k.bR

`dd\.Srr8\T

.qshe|

hJX]J8.gWxubB]C.\

szv.ra

n.rvU*

uxy"rhD.bq

Mv.fi

Zc.KR&

UOp.SOj.DVs>uR

.GYu6W

.RTr>^_

.Yc7G

C[g$JI.Oy2l

.hMm"e

_&.YpG

{X.jQ@6

Dl%%x

'`p.kfcE

.vbChO

.NL?_

$Fz_%f\

ScMd

:%UO!

yX.F%d

-s.Vir

"$ %),'8

$"!(&&$' )#

H.JXARDb

1 0 .'7(

 /*-( ,'.-!:&'('

*/.)*72-7)

#-**(-#,

.PMDF<7

DP.re

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerSADLL.dll

tP%S]

.Eh! )

Bj.GY

%XT~N

?.iF/

Xx_.JY(

Yc0F%s

-kZ%s

c!NØ4I

eÆC(7K

&\%S4v

]!%U{

'P.nR

dhoc

ClickOnceSetup-1481769362.exe_3032_rwx_007D1000_00154000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeys

AutoHotkeys$

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDown

OnKeyPress@

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

A`bng`@ikc-4,uUxlxs-4,Ht.HA

Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP

TThreadExecuter

TScanAllWindowsCallBackData

Portuguese

ZkkdDocjn^g-4,o.ye

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

Y`cc`k R,uc,.fd`kvd,, B.g

,-\ T,/.Om

hcl.sf

webqskv`T-Y

oj-2,`ac<<*kcb.jo

ak-2,`ob<< T,jcb.je

IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl

7Teah P,Ckh`-3,fkgo-2,7*NNYO.uh

1.2.3

THttpTimeOutThread

THttpCallBackShell

Gx-21,\igh]ixyj-42,M.DJ

A`qjz``-0,ZkdkNgij.pc

Kcqjpc`-0,Aaj-1,gEdafa`.pM

Jmvgknm Q,2,,<,./accwcxgeni5 W,O_GB R,=>)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,< W.g W

Ecezcb-4 S,Tmeic6.fA

Bc/K-33,`-1.jG

Jbhblnrefc V,H-0,bv-1,li.AT

Uju-0,c-2 W,Ht-2,h-4.Rq

Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l

Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F

Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL

V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a

ebP-3,dLfnda`-4,`yj-4.PL

Zjlqk R,`p,.lf S-2,m-1,qmg)tgva S-1,cgdk R,zv-3,rfqz R,ol-1 R,jl`ll`zkfm RR,yjmi`mi R,fmk R-3,jzjfvz,,9,.

Bc-2,ni-1,k-4,cn,.bpo-1,agz-3,dhm,.nid`he-3,gbhy R -,aegca*zb V,ioceob,-idk,-,..Y-[

Hz U,pdkhp Q,zmbu,.qkd,.hvmzlsmk U,pd-1,sfs-2 U,`n`qbh` U,ghhcfskkw Q,mjmukkw:,.blh`b S,ua U,gh-2,tv`blex,.dom,.gvu,.qkd,.wfbkkw Q,akf/5.\

Elik, la,.dvu,.yfv-0,nps-2- ,buk, sf-2,xjii, ji,.[qhvr S,Jaof WS  ,pr-20,fdzbm`,.bmflbonzr S,sa, ghyeohoo S,a-1,dn W,m-3,qukew W-2,nqqky/ W,zyzn`l S,f`dwoky S,OKJG W-1,nrrkxw W,zd S,jo`f W-23,qb P.b,;

Mz,-xak`x T,zejp,.yca,.kbhk,-dj,.yca,.-3,nvxhy T,flx T,lhnj,.nce`jn`,.-3,bjmh, sk,-ge-2,y, p-1,dn`,.yd T,jb-1,jbbj`,.d-4,*,._nwzlypgcl T,jb-1,jbbj`,.le`,.dlja-4,bji,-hemen*.8_

Ykvuj-1,qhei U,uck U,dezlsn,.an-1,`injj U,)ykvuj-1,q Q,ea? QE.f

Vku-1,e-1,raji V,aj,.egj-2,czrorark V,ekjc(),.hg T,oekabczezogj,.iz T,FCI@,.`mezsza-2,(-;._

Zlipk T,mpk T,bm,.icpk T-4,m-0,vog-2 T,oc-3,ennk T,cd,.`cu`hccjmbe RT,jcgheli T,xjk T,hmyj`mo` R ,,N

Clbk,.idr`addj,--4,m-1,hja,.-3,n`c-3- ,qa,-i`,.kyjthe UV,`dwk,--4,moc, [.Y

Ka-2,`cakj/fk-2,/hkgckn R,/ckga,.nax`fanj*zg-1,ook,.c-2,/-230,le T.ej

@k-24,a-21,dk,.-0,yimc,-lg-0,ngxm-4,mj( P,(zgb(bgco,.-4,d-1,fgx-1-.,fh-4-.,kbf`mn-1,ggc V .,Oba`o,--1,a(-4,m-21,lzz(y`k(igyfagol SVP.Sc

Icpbacfh,--0,f-4--,Ofbnik`hh).BH

 UP.wg

Mfjh, nsyd R,eaj-1,udmfci, nu7, .Qv

Ubx-2,` S-4,ktvh-2,q S,dikl-4,ka/,--2,`q-0,kwp,-ylweapw,-FQW],.Wbci` S-30,usb-1,q S,zgio,-mdv-3,k U,gbykoboa S-4,kvwl-1,q,-.h,5

Lmboj``eak,,e-1-,,bcx,,ocb-1,`i-0,i R.GJ

*,.Nhjk[h-1,k2 QH.a

Kmr,,Ecdbco-3,eib*^gbmi V-0,k-4 V-4,ox V,xe,,.EA

Zydqjfdkn,.Ij-3,`ajhjhw)k-4,wf-1--,ffjh U,o-1,bh3,.].d

 V,/y-3,f5,,.Gu

Hoo,.xkogxkhz*`-3,chky4*.fe

Rvgmdpwhto T-1,dgm-1,d`p,.ovildq>,.._,1

 V .,bk-2-.,Y-1,f4,,.ge

<,-S-2,k7 V.qR

Tc-1,zbt,.et V,k-3,ui`iru,.jht,.xhi,.`hhi,,/.I,g

]KnzgcnlmLncgjby``o S,Mjry-0,`x UP,/vlz/blecdi)isbd/ob-2,/`x-2,gn-4,`udi)-0,i-4,lne,- Q.Lt

 U,4 V,mma V,li/eo`ccj,,`hbu/`-1,cb V,cmfh,.h`q```gj,,`t,.m-4,v,.xgtkmk W.aw

Zbb)-2,ou-4,kx W,m-1,ewykn W,jadilm-3,nf`*/ekyt)jksh,.xbjkcqlj*saod W-0,k-0,rl-23,bm WT-Lc

Zfj R-1,k-3,wk-20,gj,.-2,c`ij R,o`k R-31,`tgjjf,.aag,.jfdhk-2 RV,/.i

Qok R,vh-0,pfb,.fwh-3,r`c,.pdiig U,t-0,ruh-1,v, ,.u

 V,H SRV,odzcxc`a*ybcoz,.sd-3,gj*iahdomrce` V-2,cbj*mkr*bot-1,o-2,ron P.e-[

11112095

01089935

NA,.OD^ C.F

U[ W,YJY.Ur

40579382

[Y/LYB.MT

J@, NYL.qZ

31146207

03517390

I^,.ENc-T

12981927

62008128

[M*I^I.rH

ZX/GBX.mC

AY W,EFX.eb

QN,.BNAD-H.r

18624103

14559332

56264338

27502473

56736915

^H,.JZBCh

50890627

SA,.ES_M-X.p

PD,.KPXC-[

10561110

UL W,^AB^.UN

75326035

\Q,.YGUN-X,^

WW,.ZLQQ-H,5

68080913

05028256

27311256

^P,.SXTNCL

]DKizHi-4,exc-1,Hc`hk-3.GI

L_LCUNTF, KHC.op

0.0.0.0

3?:96=>?59:;.ZQ

6?0N2=.Lq

;768>1-80

cabinet.dll

\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y

000000000000

 ;7.Q,>N-Y,[ T,Tc.Uv

/,.bwQkxtl`xaUogmg4, K.^

@FR,-efmh S,xhao/ch S,jyyqnbyfk Q,DmBd`l-2,x,-, 32=NM( S.Ln

Nbdzhc-3-.,bk*Hal-3,Hdao,.zly,.hu-31,ln-3,ki,--3,a7,-.eX

Y]H.if

d-3,tdcQqdc.Lb

TUninstallExecuter

)hix.CB

Wiglqsonn W,glqs-1,wasgmlt,.dmu,.crw,.lcjk8 R .,r

Y^`acxziagKphh-01,hy,.kle,.jh, mzhjzmi, afar,.gchk V-C.8

)Yoa-1,j4.Yt

 T,_jbpF`t>.PO

\jfaxjMgbj1,..fy

,.Kyfz,.Wnb-0,d5,..li

TPipeServer

TPipeObject

TPipeServerListener,p

TPipeClientU

isrPipe

]mexcbk,,lc-3-,,k``,,-3,di,,ebkccbk,,xi-1,cxx-4-,3,c,,oea-1,`oxi RTR.GE

M`on`edh,.yz/oj-3,j-1-,,znmgkhk-4 TQP.uI

CJ[hx.Xu

Clne,.Dixzlkgk-4 W,_f-4,bjj,-unononj,-jjv,-i-3,coby,.ba, hlng-04,bx,. U.2Y

GiOrxBvamwzkgi V  ,(r`jiijnmc,.gzuap2 WV .,x

_.Wo*BC-T5p7d.V-b,

K`unngg/o-0,o-0,k-3,b-2,v,.Azljoj R-1,f-1,ram-1,g,., flhl5 R.n]

NAER_[URNDT].Lw

Midiihk`,.Hktz`ikks U,Iol` W-1,dtrkrq W,y`v W,jdknke U,c-0,d U,sa Q,ifmj U,hh Q,Uugwlkkf` W,Cnab P,u N

PJU S,`f`mdke S,bhufq,.`w S,bdbpz Q,lmk Q,qf-3,nqw,.`oqk`gz,.rfmz/1.^

rdkecbm,.cizkcaq,.p`xapqmj.c,R

LJ_.ge

Mw-42,il-4,/zjzzm-14,/yznzmk W,/ljx-0,aaj-0,a`e/n`gkm-2,1/.vs

fxk S,Cym^rk.Um

ole32.dll

olepro32.dll

IWebBrowser

IWebBrowserApp

IWebBrowser2

TEWBWindowSetResizable

TEWBWindowSetLeft

TEWBWindowSetTop

TEWBWindowSetWidth

TEWBWindowSetHeight

bstrUrlContext

bstrUrl

OnWindowSetResizableh

OnWindowSetLeft

OnWindowSetTop

OnWindowSetWidth

OnWindowSetHeightP

grfKeyState

TComTargetExecEvent

CmdGroup

nCmdID

nCmdexecopt

hhctrl.ocx

URLMON.DLL

SHDOCLC.DLL

rcmDefault

rcmDebug

DontExecuteScripts

DontExecuteJava

DontExecuteActiveX

DisableUrlIfEncodingUTF8

EnableUrlIfEncodingUTF8

CheckFontSupportsCodePage

DisableSubmitUrlInUTF8

EnableSubmitUrlInUTF8

lpMsg

PMsg

pguidCmdGroup

TTranslateUrlEvent

pchURLIn

ppchURLOut

CmdID

pszUrl

pszUrlContext

szPassWord

ErrorUrl

OptionKeyPath

OverrideOptionKeyPath

OnTranslateUrl

OnCommandExec

'%s' is not supported.

TMsgEvent

TKeyEventEx

Port

Password

poPortrait

OnKeyDownL

0.750000

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

This object does not support this method (

Unsupported type for Parameter with Index %d

Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.

hXXp://

hXXps://

eiOnKeyDown

eiOnKeyPress

eiOnKeyUp

OnKeyPress

Handler with EventID = %s already exists.

Error on IConnectionPoint.Advise

Source don't have connection point for [%s]

MZ(hrgkznff,.tpfm*lpkd-11,ghg(hf`dkc)-4,gsa(cbz-0,o`l2,..c-L

D^,,Jxhb-0,4,-.wY

Mhxohoj,.apk`p V,alncmz> V.i,d

MAPI32.DLL

LeftPopup

 W,@-1,sbfpfc? T,Z^\],.JH)GCQLK=HI9TV4W

Jcwh,.kp,-glulbkg7.N..

 S,Blcwg9.Nn

V-4,jhehq5.nM

,,kx-4,c-1,*-4,mgyhh R,*zezb,-aky-3,mio,-6,..Ug

YR-0,xh]izn.cQ

2.1.0.0

This exe was created with an old version of HtmlAppMaker.

-0,cnyzgcEi.Tc

[-2,o-4,j-2,cal/-3,`, -1,oao/-3,gn/f`l QTQ.uv

Fbi R,yh-1,to-4-.,Wxa,.ky,-`m-3--3,pe-0,gfoi P ..U

https

Sf[.t,T*.lJ,e

]ddegom Q,Bnm Q,zn*ufd*gamfnyhdf,.Txm4 QJN

Sw`iq`-12 S,c`-1,n U,xowfgkq U-01,jbhkq`k,.bc-0,kq U.j,S

I`nhlah,,C`-2,a U,xn-4 U-10,cu-44,ia/njqj-2-,.Jp

MSGALL

irsoMsgDialog

irsoJoinPath

irsoGetCmdLineParam

irsoGetCmdLineCount

irsoGetCmdLineIndexOf

irsoGetCmdLineParamValue

irsoGetCmdLineAll

irsoRegCreateKey

irsoRegCreateKeyTree

irsoRegDeleteKey

irsoIsRegKeyExists

irsoRegListKeyValues

irsoRegListKeyKeys

irsoRegSearchKeyKeys

irsoRegCopyKey

irsoGetRegKeyInfo

irsoHttpGetData

irsoHttpGetDataInThread

irsoLibraryExecuteProc

irsoLibraryExecuteProcW

irsoLibraryExecuteProcWithResult

!irsoLibraryExecuteProcWithResultW

irsoExecute

irsoExecuteDllInProcess

irsoSaveExecuteUsingCMD

irsoIsMutexExists

irsoCreatePipeServer

irsoStopPipeServer

irsoSendDataToPipeServer

irsoSetDebugLogUrl

irsoGetDebugLogUrl

irsoGetWebBrowserHandle

irsoGetCurExeCheckSum

irsoGetExeInjection

TExecArgs@

iubnyybRolkanldf.RW

b-1,[-1,e.Hv

.html

H-4,njBdi-2,o-4,r.vY

-4,fhxXahcxgw.rg

gghYcjrf.ae

jehGbeags.qB

PIPE_DATA

PIPE

LNYCD_^.eP

HMVH9>.PE

Rgjsc/fr V,n/schfrr-2,v Q,nnlj V-0,` Q,v-2,jwca-0 Q,N-0,bmSF/Ct`xrc-2,/ndejbr(-1 Q,OJ8 Q,`ncmdnlj VR,/ggfcdb/-0,n V-2,jliyj Q,o-0,/)NDJXYLZSTJAUYZ\DT VQO.q

\fkym,.gx(o,.ymigx-11,w, `om`(za, x-1,k-2,m`z, @zcg]G,.Izayxm-1-.,djdkh-1,)-2- ,AK9, nobgjom`( S .,migbnl,.zd(-1,kfgxk, az,. S,@EKRWBAHIBQFIMFBFK WU.9c

Dkejajc,.aj T-21,aeb-1,l T,cg`a R,(qvb2 T._,H

,-,.mhnz-1,u`-3,/ahbj= Q-4.\

-3,1 T-1,`-4,b-4,w37 P,abov=.vN

Efgefc,.-2,l W-2,hub,.-2,kb,.klhzzwuoy S,agef=,.-S,s

KH*ZgoH-4,mzyhp,-nba_ocf@eig,-c-3 R,cey R,:* U.UM

 W .,ebj,.jcz,.@e-2,of`kGA;Hohnomo R.?i

@mtmimva,.Ipva-3-. T-2,xcp-04,8 T,B.I

THtmlUIExeAppU

HtmlUIExeApp

S,-.QY

7 W,Lay W,yk-3,wd`-3,b, hbuf,.bsck-4 W,b`-3,sj`nb1,..f-2

Rbj-1,c,--1-.,gd`zno-2-.,od-1,zgdlk V,xz`hcai**-0,foy/-3,telkuy/yofc,.ef`-2,c T.j-[

Wgxc W-2,mtqkz V,SGECC,.GSS,. TV,dof Q,s,.lcskzkn`m V,nh(rokzc P-2,(gia-1,nb-1,(oi-21,gimm V,u-0,fhn`o( W,mghsgfsn`o()h.b

Umn-1,d R,x,.`kdzi`y,.hkxz`khk Q,w-3,`olei,- U-4,fhv, -3,sjhkrv, yhig,.bid-2,d, .f,Q

ung`.Nr

HtmlUiExeApp

gbo`dhfm.cV

Hckhkf R,pa R,pacmta,.vja,. P,Xk`g,,Mjglpgdka-1 PR,EbvQp-1,gciB,.

irsoExecutePackage

irsoReportPackageError

irsoReportPackageSkip

irsoReportPackageQuit

irsoReportPackageSuccess

irsoReportPackageInfo

irsoGetPackageFilenameFromHttp

irsoGetPackageExecExitCode

irsoGetPackageExecResult

irsoGetPackageDwnldUrls

irsoSetPackageRelProgressShare

irsoGetFireFoxEXE

irsoGetIEEXE

irsoGetChromeEXE

irsoGetOperaEXE

irsoGetFireFoxVer

irsoGetChromeVer

irsoGetOperaVer

irsoUninstallAddExeCmd

irsoUninstallAddOpenBrowserCmd

irsoUninstallAddRegistryKey

irsoUninstallExecute

irsoReportStart

irsoReportInfo

irsoSetExclusiveExec

isroSetReportUrl

-11,jycmjaOaahDgvyc-11.Pg

bhVkqz`-1 S,hjcbek,.mmhk S,ap-2,w,,wknml` S,xmk S-4,dcf,- U,[q`?,..`>

zfc.bz

]no^dun.Vx

\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>

\GCAPMA][.oj

TcUlue.PL

W`mmqzeon,.wvamaff P,4.]

z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1

e-1,f.Cw

Zhtagcgxgca,,zec,,Ylrofht,,Blsbmec-3-.,yn-3,klb RPS.AY

-0,ilCcbd.LG

)h-4,k.bR

Yorifkt*you*-20,eik-2,ul-0,b-4,*kvci-0,zcn,.gh*cabo4,.-[.i

Ukszv.ra

[eckbn R-2,a, kgg-4,khbbxl,.blzzjneky R,N[B,,-G.9

FbghLbtaYhe.AU

1.2.1

inflate 1.2.1 Copyright 1995-2003 Mark Adler

deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

?456789:;<=

!"#$%&'()* ,-./0123

333333333333333333

33333833

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

uxy"rhD.bqK.RrV"e|J

,!J\r7IOk.PXtL13

_6) {CEr.PXtL73

Ko.VOi5YKc#;,

,'OBe>VDt8AUrLKxB

Ko.ERk!GS

Ko.VOi5YSg<C k

v#OKo=CZc.KRb4;,

,3GNc.BRk0OS

\b.UOp.SOj.DVs!;uR

Ov.SOjLniR

G6- {OYv.CEr@;~r

,0SIi.GYu4TKc#;- {OYv.SOjLniR

e5HXs.UXt'CO

.SOjL

Hu4YRu.STy=GSaL6

u:OMy>@[c#;- {CSg3JXy$HTh"R\j=YPg?GZc#;, {UVo!YKk.EUc2M

.KRb4;{G

ux {UUi&YNv>HNi#CYy>@[c#;- {VOi5S^r.RTr=CBe>JRtLdqG

,'CSb>TBr8RQc.ERj>T D

inC.NrP

rrH.NrP

hz {BX`0SQr.I[t.ISy7OSo"N

^n>INc.BX`0SQr.I[`4T

kq {BX`0SQr.I[t.NIk=5 B

kq {BX`0SQr.I[t.EUc2MXt.V\r93 B

\p.MXc!Y_c"R

,.YpG

,.YnH

,.YnP

y.enKL7%

D.Bj&

.MG,n

{X.jQ@6

Dl%%x

'`p.kfcE

-.Ypw

.vbChO

.NL?_

$Fz_%f\

ScMd

:%UO!

yX.F%d

GetProcessHeap

GetCPInfo

RegQueryInfoKeyA

RegOpenKeyExA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

"$ %),'8

38000=344

4? 3!0 3!6

&W!%D)*

H.JXA

1 0 .'7(2':

- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)

&)"%&$&'&",,/- '

944(@32%2u8

.PMDF<7I

2222444424

.idata

.edata

P.reloc

P.rsrc

.PMDF<7

DP.re

SOFTWARE\Microsoft\Windows NT\CurrentVersion

errorUrl

Please login as administrator and try again.

OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Clipboard does not support Icons/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

ClickOnceSetup-1481769362.exe:308
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-H3LL7.tmp\ClickOnceSetup-1481769362.tmp (391 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\BGD.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\ProgressD.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1C75789D\561FCBC6_stp.DAT.part (5180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Color_Button.png (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Color_Button_Hover.png (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143986.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00143929.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\locale\DLM\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Grey_Button_Hover.png (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Loader.gif (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\bootstrap_55051.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\mainDlm.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\ie6_Dlm_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Grey_Button.png (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\ProgressBarD.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\sdk\roinew.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH132535333783\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67 (632 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ClickOnceSetup-1481769362.exe (1636 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B179347615B32FE859CEABBE50C3EE6_7E363A5467DEEE48BE57B739C028611D (2040 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab35BF.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar35C0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E7EC0C85688F4738F3BE49B104BA67 (693 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B179347615B32FE859CEABBE50C3EE6_7E363A5467DEEE48BE57B739C028611D (1 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Installer.Win32.InnoSetup.2_93448dc282

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Installer.Win32.InnoSetup.2_93448dc282

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet