Installer.Win32.InnoSetup.2_9b2c0a54c9
not-a-virus:HEUR:AdWare.Win32.DealPly.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.InstallCore.2961 (DrWeb), Application.InstallAd (A) (Emsisoft), Artemis!9B2C0A54C9AA (McAfee), SMG.Heur!gen (Symantec), PUA.InstallCore (Ikarus), Win32:UnwantedSig [PUP] (AVG), Win32:UnwantedSig [PUP] (Avast), TROJ_GEN.R08NC0OGC17 (TrendMicro), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Installer, PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9b2c0a54c9aade6c36ddcfff1a90e2f7
SHA1: bcf27ff751d059f072acc87bb041b787eee49d1e
SHA256: d808ab1aa59ff3b3f92974d32565d3140ae994e75f5329e3b1592fdfc1486b9b
SSDeep: 24576:eQbF9KnTwyH2DhSzvzXDVoOFNtR1/4ZZXUMBTlP0QjcpMXVJoL:ecLKn0Azvz6OFNtReUGpf
Size: 1230112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Installer. An installation package.
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
%original file name%.exe:2936
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2936 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067F5C.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\BG.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\default_poster.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WK9W39FP.txt (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067ECF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\bootstrap_61895.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Quick_Specs.png (609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Close_Hover.png (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\FR.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\display_thumb[1].jpg (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Close.png (293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Color_Button_Hover.png (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Color_Button.png (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Grey_Button.png (1 bytes)
The Installer deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067ECF.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067F5C.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\bootstrap_61895.html (0 bytes)
Registry activity
The process %original file name%.exe:2936 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\9b2c0a54c9aade6c36ddcfff1a90e2f7_RASMANCS]
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Gusame
Product Name: Bobunu
Product Version: 2.6.7
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.8.1.0
File Description: Bobunu Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40240 | 40448 | 4.60121 | d411f6f383ef527f45ebff9943d8d94c |
| DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
| BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
| .tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
| .reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 69632 | 38424 | 38912 | 3.91991 | b68889a0b278d974fe4e07137b0a082b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 48
URLs
| URL | IP |
|---|---|
| hxxp://rp.bonesenopu.com/ | |
| hxxp://info.bonesenopu.com/?hekeh=0 | |
| hxxp://www.opensubtitles.org/addons/display_thumb.php?imdb=3414954&x=160&y=240 | |
| hxxp://os.bonesenopu.com/OpenSub/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /?hekeh=0 HTTP/1.1
Accept: */*
Host: info.bonesenopu.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 176
Cache-Control: no-cache
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=utf-8
Date: Tue, 18 Jul 2017 17:58:08 GMT
Content-Length: 1132
Connection: keep-alive
GET /addons/display_thumb.php?imdb=3414954&x=160&y=240 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.opensubtitles.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 18 Jul 2017 17:58:09 GMT
Content-Type: image/jpeg
Content-Length: 12544
Connection: keep-alive
Set-Cookie: __cfduid=d1e07a961b410066fa06efacf6c06ded01500400688; expires=Wed, 18-Jul-18 17:58:08 GMT; path=/; domain=.opensubtitles.org; HttpOnly
X-Cache-Backend: web1
Age: 0
X-Cache: MISS
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 380753d1d1e083ee-KBP
POST / HTTP/1.1
Accept: */*
Host: rp.bonesenopu.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1216
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Tue, 18 Jul 2017 17:58:08 GMT
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Accept: */*
Host: rp.bonesenopu.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1504
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Tue, 18 Jul 2017 17:58:08 GMT
Content-Length: 0
Connection: keep-alive
POST /OpenSub/ HTTP/1.1
Accept: */*
Host: os.bonesenopu.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1488
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 18 Jul 2017 17:58:12 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-GICSET: 137155icutDeep
X-ICSCT-IP: 194.242.96.226
X-ICSCT-SERVER-NAME: ads-slave-162-p-production-eu-west-1-i-016e884dc9573af80
X-ICSCT-TIMESTAMP: 20170718125812112
X-ICSCT-VERSION: v1.6.2
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-ICSCT-XS: 91bba9083b637bbb85f2bc525458ea3d2e0cb405
X-Powered-By: PHP/5.5.38
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
The Installer connects to the servers at the following location(s):
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SUPPRESSMSGBOXES
/PASSWORD=password
Specifies the password to use.
For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.3)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
1.8.1.0
2.6.7
%original file name%.exe_2936_rwx_013F0000_000CB000:
%original file name%.exe_2936_rwx_014C0000_000CA000:
%original file name%.exe_2936_rwx_01770000_000BF000:
%original file name%.exe_2936_rwx_01901000_0018A000:
kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
UrlMon
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordD?
crSQLWait
%s (%s)
IMM32.DLL
AutoHotkeys|
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewp
WindowState
OnKeyDown
OnKeyPress
OnKeyUp,
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Portuguese
1.2.3
0.0.0.0
cabinet.dll
000000000000
ch_strtup_urls
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable@
OnWindowSetLeftx
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight(
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown$,
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.
hXXp://
hXXps://
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyDown
OnKeyUp
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
MAPI32.DLL
LeftPopup
2.1.0.0
This exe was created with an old version of HtmlAppMaker.
https
MSGALL
irsoMsgDialog
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoGetRegKeyInfo
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoExecuteDllInProcess
irsoSaveExecuteUsingCMD
irsoIsMutexExists
irsoCreatePipeServer
irsoStopPipeServer
irsoSendDataToPipeServer
irsoSetDebugLogUrl
irsoGetDebugLogUrl
irsoGetWebBrowserHandle
irsoGetCurExeCheckSum
irsoGetExeInjection
.html
PIPE_DATA
PIPE
irsoExecutePackage
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoReportPackageInfo
irsoGetPackageFilenameFromHttp
irsoGetPackageExecExitCode
irsoGetPackageExecResult
irsoGetPackageDwnldUrls
irsoSetPackageRelProgressShare
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoReportStart
irsoReportInfo
irsoSetExclusiveExec
isroSetReportUrl
1.2.1
deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly
inflate 1.2.1 Copyright 1995-2003 Mark Adler
GetProcessHeap
GetCPInfo
RegQueryInfoKeyA
RegOpenKeyExA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
GetKeyboardType
"$ %),'8
.idata
.edata
P.reloc
P.rsrc
SOFTWARE\Microsoft\Windows NT\CurrentVersion
errorUrl
\bin\SubWCRev.exe
Please login as administrator and try again.
CCTWEBFLPKLEVVA
OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid GUID value
I/O error %d
Integer overflow Invalid floating point operation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067F5C.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\BG.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\default_poster.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WK9W39FP.txt (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067ECF.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\bootstrap_61895.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Quick_Specs.png (609 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Close_Hover.png (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\FR.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\display_thumb[1].jpg (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Close.png (293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Color_Button_Hover.png (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Color_Button.png (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH42567948020\images\Grey_Button.png (1 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.