Installer.Win32.InnoSetup.2_83a4ddb30e

by malwarelabrobot on November 4th, 2017 in Malware Descriptions.

not-a-virus:AdWare.Win32.DealPly.afhun (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 83a4ddb30e1420462d74f6820b557efd
SHA1: 89f912fb5070cb311ba144f5798612913e6f78a0
SHA256: 8e37aa7c457f6a571358bd0cea7d6d7ff441d5b2f06d3d2e1294db1b12730de9
SSDeep: 24576:WFiZ6vT/vIAALpw2xNcptRWl0UojL5OOeOWVlQv0iI5XMbmFs6tke:0M67/QNiptRXUizS/dD/V
Size: 1289848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):

%original file name%.exe:3828

The Installer injects its code into the following process(es):

%original file name%.exe:2452

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2452 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Color_Button.png (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\ProgressBarD.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D6587.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Grey_Button_Hover.png (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Color_Button_Hover.png (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\mainDlm.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in0DF01217\32981BAE_stp.EXE (26835 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\ProgressD.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\SV.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\DA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\BGD.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in0DF01217\32981BAE_stp.EXE.part (1242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\TR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Grey_Button.png (341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\ie6_Dlm_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\KO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\FI.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D673C.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\bootstrap_36006.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\NO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D675B.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\ZH.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\button-bg.png (131 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\bootstrap_36006.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D6587.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D673C.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D675B.log (0 bytes)

Registry activity

The process %original file name%.exe:2452 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\83a4ddb30e1420462d74f6820b557efd_RASAPI32]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
65133da829359a4e4079d965d05ba5bf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\in0DF01217\32981BAE_stp.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Gob
Product Version: 3.4.4
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.6.1.5
File Description: Gob Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 37732 37888 4.56743 2237a227084ebe0eadc86036d7f0c384
DATA 45056 588 1024 1.89736 5d98c64569668b0235ae89005918165a
BSS 49152 3720 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 53248 2384 2560 3.07115 bb5485bf968b970e5ea81292af2acdba
.tls 57344 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 61440 24 512 0.14174 9ba824905bf9c7922b6fc87a38b74366
.reloc 65536 2228 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 69632 11264 11264 3.1178 62288f23c26548c0efde7c9e765dc9d1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1181
0022dd6931edc90715a6ee190b6044fa
7358542f801340a4018af91e2ac50675
fa262f9527a8a80fef6046882733fc42
9e7e40b9b11d75fa4fc022408d2e5f47
b7d4453d8655736264491733403edb1c
23f613371094370acfc1860f34808d63
22ad7fe958d2ddc6953928c45a503633
ba993fd7696e8afd38f6cbd15066e881
db1c1932324452361ca90d4014c6dd92
d99a81630a94b17b55b36a72977e0c89
c159f0727d1744e4b8422c06e4d8e22d
591bd7eecda99841ee02ab51d300bc86
f9813b366aeecae1e05d0fb67881bded
f5198835925ca8063729649e2b268aca
ec21e3004fd0a6465544bbb6924ef5c4
e4fd1a328f72a5d438ab885d74875a02
dc36fdb21f115f588877fd46d4b4c72b
d66cc6590326450ca17a6d50747322d9
cb5a3f0e0af8789bacf1231358cadd64
c00f4e6f4af41c6c7e14c46e7e3bb39c
b5bcec7fb998ebb3a56cfe82f5faf59b
91d912494b993a967fcc2983496a7186
8595dbf0daf49904a50bee87183b17d9
7c41acb73cfd9feae61f0f39277c442b
6c02e34c9ab52d97171808c3ebc9b888

URLs

URL IP
hxxp://info.jajajapa.com/?yicawi=1 54.77.123.135
hxxp://info.jajajapa.com/?sechey=2 54.77.123.135
hxxp://os.jajajapa.com/PopaJar/ 54.76.240.125
hxxp://cdn.excediumwall.com/HDPlayer_Setup.exe 104.24.109.153
hxxp://rp.jajajapa.com/ 54.154.51.84
hxxp://info.Jajajapa.com/?yicawi=1
hxxp://rp.Jajajapa.com/
hxxp://info.Jajajapa.com/?sechey=2
hxxp://os.Jajajapa.com/PopaJar/
dns.msftncsi.com
cdn.installationsafe.net.s3.amazonaws.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

POST / HTTP/1.1
Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1520
Cache-Control: no-cache

.I..~...$$......2e......1....A
.....?....X<_.b...5.:.o8......-A.f.q.........?@{.g.H...t.zo..ZO..w{.XF.0.~ M...YSA^.V.5..'......J.dGH......X'G...............4in...._l-LW.0.....?l...%K....
hs)$. 2t.. o..%:.J...[.K.(.?..sZ...yGQ<.N...A..T2zUa!..v%.p..jQ[..Pq.cg...x5.~..y.......BFZc=.....bSE......cNt;.F...BY...5..z...K.9..b....,.i.{.. . $.9.....,._A.e...w~....n..`
.&9}m..r....'...l....c).
.../....BK.no.H.Pgo49.LjP..@.......3.q.5..g..>[.J...}..;.....~... <P3.=..{......W....6.8w....&..R.d.....q&.a...g.|z.....U.<..6[u.}...s......1.......>x.u.p..T.n...1%.
..{.<
-..~B6.=... ..C..MteW.....Pk.}o.&.... .4.H.T..f....7.v.?._..%3]......^J..r.H.....l.....o....C...Vt.`........_....L.......Jx.G..I"....z........i5......m....t.N.xK...Mi ...1.1^-...t/w\.pl.......Z.V/rO...b....Z.$.v..=..Y..?).q...%...5.".......S.8..|)0c/..#.....a.n...D.....G..b..vVx..U....B...w../*U... ...8.SfK..gfE......q..Z.\.7q!OF.DZ......l..A3 .].K<......)o1..$5.....%.:....$`.a.:.Te.......
......n.....HlMvIw.*H..jY...{c._|.........1..P>....2.j..C....O...#6.at.a5.MQ.W...$.b..R~s.|&l...z...]..=....K
........3l.1G...dx#.KV.......T.;U6=w.t.....,r%..lO.vr...(....?NK..VP.....X..f...,.y.......|~..{...n.."%?......6...O\.A
O...s...C.. ...%..GI..v{
.X..;.>).........q.,s.$..$..b.b.....dY..?... T.U....^..........C..Au...9..Y.9........ ..........-..qo 
..pcq.4
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
....


POST / HTTP/1.1


Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 944
Cache-Control: no-cache

(:.] .N
.......O3.|..........^.1..h.!(.KI..,.ff..Q6..]/.....3..X4..*...D..e.w..g.....r...8.J.O... .....%.g.y..#.`v..L...!>...Y.z..>n.....Lx......uL}}..i^.S$./.WZ..w:.b...L*8.s"......>z.UT.L......K........s-.?k.L.....~.}....Y....O*...e....}..Z.
..F.Y.2r".....I....\M'.4L?..y. .`W..r...P.......... ..T..V..n-.`..?...<.~.I..8L.A."M.6..X..'...<......'#...EO......!75RC&^2......_.K. ..Tw....eL...r....1g.e_...z!...........Fj.,_.fC.F.......\kY.A......tH..'....
.6.H.2.7....N.kA~.~@.^..|....7...... ...Q!....?z5O....5......6!.=..w."....&..3...FL.$a......4.>....m...fZ.VZ..|.`....-KJ.%FT.M......i.V0.."(xR........`auU.|..X.r....qz.8.(..0...`LK.......R_....1..}.!.M...W.[.....X.R>.N.G...%.....f...Z...)q..G$...Z...S.i9.....R.^.

:y.e..36......W...r....j....u./._.J
...;.../.N..
x..!.cF.K......p..K$<\....^U.[.M.K[......E4E...9J.ID..b..v..:.....x....Y.h;..:".....j...k..........)..|.......Z..f.

...G..T.G.....d...i..0.{....w8
..`?..).......0.n].
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
HTTP/1.1 200 OK..Content-Type: text/html; char..



POST /PopaJar/ HTTP/1.1
Accept: */*
Host: os.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1440
Cache-Control: no-cache

...4.....>.K..~.gN....#&".<...>=.c....4.P.c..zYI=........w..62.?.ec..j..G...=!{.......].....<........a.
.E.....ASz..|8R.....".(e1\..u....28..G.3....\M...
.4c..T..8.nE.......;Y.F.."/.GO..].)..........G.NL...J!E...e.f.
..Q.......'0.......!.....8....>..^g.%..|....1..fcC.U.s.V..h..T/..8..)w.3..w......s.......#T.W....A.nJ.......T......../.B.;.`...._wH1....*?_T....]. bt..~/.'.:...t.S.".yB_.v.i.. ....sd..w._l{.S.....%S)=.......1...9../*p.7gF'....4..7.c.VU..................>....Y.......,ImB.?S..K)U...3.<7".....C...q....._3o.v.p..#...TT.
...........@.1..z1...Q..%.|E....v......d7...I(.....Ie..O.."(....O.L...Q..6.K.{m=r...Ix.^....}....%...L..b..L39...'......45.....V.&9 z..{0.I.g..K`...8.....Y'. m...A..y..o..G.......B`.....R..~...;..J.RIHS.....u.:.3.*.f..mbV.9...c..8.....B_..2..[....b"Z. ..Z..Y..-.,...1.......YxYA.j1...Edr$..
).....rL5.....X* .b..U]$%....R.J....<....,.7../]........}...#...c
=.M..g...(by.
.^......?......X^Q>...K..4.%h...c........(.W..w.y<..`I.M3...tc.!.=.....jh...*g17.......b....1.a......;..].."..N 1w ...T..<*"..P.N%..'..X.D?....>.%K:.RY.<@.s.T...a.).......'.b..
D...d......
 ..f.....FA...Vq.g 
...hTw8......^<PFI"..V!F.E......#...$...-.4z.St.B.>Y.d......b...fR..Z5.t.=...j.ta..d....Q#.......z..w..:.....H...6..m5...P..Q....s..9..
y..%VN..O.N<..=H..3.....^....
..L.$D...@...
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Fri, 03 Nov 2017 04:26:59 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-GICSET: 13723fredv2
X-ICSCT-IP: 194.242.96.226
X-ICSCT-ISP: Pitline Ltd
X-ICSCT-ORGANIZATION: Pitline Ltd
X-ICSCT-SERVER-NAME: ads-slave-182-production-eu-west-1-i-08e9f91ac07381059
X-ICSCT-TIMESTAMP: 20171102232659399
X-ICSCT-VERSION: v1.8.2
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-ICSCT-XS: 91bba9083b637bbb85f2bc525458ea3d2e0cb405
X-Powered-By: PHP/5.5.38
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
3607.....a...a....z.>......t6..=D!......y?....s!.S" .....E;..l.s5G.
..;.Fk.....K..77.~;..TG.....|../U.z..t..w.X......../=z....pp.....".m..
\...6....2^L.!..{> ......4mrj(.A... 44z.NxS..#.t.z....$.}4n..,..F,k
=.(]"2.=..U...l[......../..$..j...*@.zd.c...g8h.e.9..|......g}..:..y{.
.....c........p..|&.Lw^...........F.igT....m..s.M.E...{.Lf...'A.k4..zr
..@...r..5c.... !{..A...R..@..P_....[.4q...k.e.6!YO... w..2..~........
w......r.SY/.....67.N.Z....L....3]%H....X...7G4Id..h.o...t.zK.S.;....i
..gY.h. .a.......j.9.$./..N?t.*...Q.l.QR|.A6.....Q.H.>.v.C(....'...
....\a...x.^.|.R.j9..U.3.B...E..%UkE.jwFr..|.i..#{.u.&~.._3R.........V
'..%..4.~]S..X...s......."n29....o".}j.C1.[.... .....zl%.%.....]...h[.
R<....U.-:.3R..X"..P. ..iS.I..,.e;..lyY..r.2.TF...R...*U.....T.W...
#.R..".._.........Z$..:.L.i.o.r.*3..\t.<.n....'.T..:n..U....|."....
.....h...U.j.,4..C..q...........J%....K..... 4.....4RWp-r.C....E.h....
........yp.F...../-.....y^O.&R...._.1wC.|.......a.......9.J.o......LT.
.':-........D.....%.........i]..y.._.u....(...7..S............I.?.3I&l
t;...-.%>~]J..!..h.Xd.ei. .1g..'....B=i....<].#~9.#.z.=}c.....T.
....X...4.|..6G.hl.xY.W"oL.M.......qt^..@..Q0Q(.....>...`....U.....
."..#..X....'.N.x.*..E .....g.&......... R.b....9.E..,..S.~LY.*g...U..
L.1<.;.t....,g....>6.W.1#!.....g.W..=......R .Pi .D.e...u.1.....
...{:.|.p1M.n.........b.....K.E.X.d.._,....x8....7.G....7r@=.0a..e.[..
).f6[.....L.x..... ....%"z....8.....V.e.p.b..`(.Gx.....X`......W..#.7.
.C0....Xe.........Q.B...R{..\b..|.D..[..........^.R.(._u...@9.:R.a
<<< skipped >>>


POST /?yicawi=1 HTTP/1.1
Accept: */*
Host: info.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 176
Cache-Control: no-cache

.^.S...N)Tw?.G{&v.....s.@....Q.yR..e.\.(&..iU...;.^.3.{.U..%a.8.....t.....|V%].f.9..OH...P.
.1Lh.bN.F.j;....'.r.-eH..rE...d.^.m...$Il.@.".........
<..J........[....b.8g j...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=utf-8
Date: Fri, 03 Nov 2017 04:26:58 GMT
Content-Length: 2668
Connection: keep-alive
FwKo04D1IpOC313lSK4s1hGzXJKeRZCGuZk38QqDlD0R1LdIq9EXgktb6XMoDSz IOSwPT
V7D7D4Ug0T35H0CgEwlDi0LuBNwJ2lBXjRg/PK4jUGNhLYvW eXjq057Hf7 1ojuEvLj 4
M6fRdN2PSCcbjMIC5 5H9 63XFW2xv4ghMUcZ0ECqdz3DEmXPnbTAuSb8xApA1y9Nmm4d2
VnkfTbIEmOh8F8N70UWmPEXx4PXlMsHxK7/Tu/j6tPz32 L18vNwyIIAL4JIpmCDxZGsn1
eAzLKExL90vk5ajCSdzfht3Ibi8SCZRpyqjgh0YNeriidbXyOzQ/j0laM4nGXXbU3GtaN2
wrNC3lgMadkT3ngRQMr5 ddLHI2/dPApAeLSPgqKoegS0xBrm5b8XLC0GOztINbHPgpITH
ZYeXQ OPeZH/VtwVjElEBJZF4DlyTWjZAn8ECGXVvPj2tyL1hEO2yTt8GSZplPSxhc0G/Q
M3ruqP0UmxjLTKjrK5w87jnQFH2LBc52jqYaQgcn0b0i9YQZYvTmVdUzId03ERkMO8OvJy
K9Ihj9jbjJYhP9k4zROfXMPLChMXUm740jBti0axh FOpdSHZ4XuaGEglMzOKSBpFeonTn
GogmIYsjVNixTUtQmcTgiM/xGQqjsqu8HugompxnjZHCKsprVc7DchSG9CmCCALJwGgNrk
Hi8pShUrzZQTBDUwHBj2G9Bkhlb9PFnwpIH0HQSd9FM3t8b9NZVjD7ykjjDayHp7mW1lOz
AG1S3O0qbER0gC69FaCjLxZ/kkk20MwP4uASVB7hJmgix3G69MDEy/pyypsU08e3kZhbro
JtScpRtwqCKVcqlWpgmjcQ3jbW3q24yeci1DsEXm4L6LnVgbFD8R1FjFEjJ7iMl0n0A0S2
jnHfT9FVpGPdElUwT1HcVsh63NJD3AMGS7qMSegJ2S/iQ7IQgScP8fZIbI7eB/Ozp7SUxS
mJlfj6XDeklWJ/fKV6SVjNmkk rrMkXqgXWR4qZUcC Pwg2qrViPoF5a GLtQl6H6hbETm
JqbIOVLr8GP9x3BI4SH1z7pliOZbJ 3dRV2 ixragVSmY Fl0bNJbl fIHqhi9Xo3xpGAy
AWVscydD3VF0EipFIRDMnmtJipGcNstSdU1V1iW6rgzf5tCzq6UsHqgxuJp9jfSthTQ/J1
phep5cFAhQtkQUgth Fo5pVrEVESrQ1Dmx7knRJUMp1AFD 35SrmJsrY8qR7 ddB6qfmXp
VFxTvB2V/OHQOeWnM/EIHBLBMJYReHquCcX5YKZvtUIA74U0q7BWS6CsETHdyfJXHiAPCt
/dPTFenwtEWTq4E5V7PGi86KBc3OCaYnTlOfj Gxt8ymVScNV7cUEfZL4O3ju3cwu0zNt6
0c/NvYLQQsEbWH q/I2tYbOsn1jpkgcs0BOf0g5c4LhMgZ004aF/K91D3K9pCz76tuKfYI
kntgp8l6zqQFjrQAgGlRMfHmMXPaEun8MjOkc6f6TRTnj6IL0zhED6mkqsPZIPzEa1
<<< skipped >>>


POST /?sechey=2 HTTP/1.1
Accept: */*
Host: info.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 176
Cache-Control: no-cache

.^.S...N)Tw?.G{&v.....s.@....Q.yR..e.\.(&..iU...;.^.3.{.U..%a.8.....t.....|V%].f.9..OH...P.
.1Lh.bN.F.j;....'.r.-eH..rE...d.^.m...$Il.@.".........
<..J........[....b.8g j...
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/plain; charset=utf-8
Date: Fri, 03 Nov 2017 04:26:58 GMT
Content-Length: 2668
Connection: keep-alive
kCH4RtHyoCwCcgDciLGZxqQvbKqJuQr/YsXvrdcyZRHWjdmzpF5HRIinvWfRXEK34dbQxW
CEtayuubzX6rmN4GJldNDoEsFOd7dU2TaP9j5OCrPW0wgSMoC8MXdhZiozxvINMM8KU4Kv
nXHYdZac7z4wtbuE0VaxvSrByG0Bix1meNko8RfgnmTPn1ejXiG0CkvgFoZbVE3g67dmKQ
RDXxesK55AvEO96wLXDOBCXRjk2zGGxwg63FhzBbZbk79X7s8776 5e046VTS8uZkNpnNf
DWlcItvxK4E6ohziZAmL0vtQu8Drd8FtS8eeHZ5vV1g/O6d5gkd0QqDXZJIjgiwP91plwa
4eV8fN9Hq0tijyG9BLA3/Mqvl4MLLMtBGyDmUy0XQyy1N5mB1oH404JbILcEMp98Z8lX3Y
UxJEFxeKET1DSTt1Vf5kx6qa2Wy4VY8UdUYEa5lnM60eBy9w84Nh S4g5fQ5OqgbBSpVAE
VYmOaXcxmIUELfNgNJGAwdSjiDutmcaC9KnKID15vUcP/WvOCcXYdHg9vNRt3HMWwAM8PS
QdMWn6p8pnOehQSawNzmloW/ZlyjhyLB /olS0SMRoZkFP2XW4VXwlJ5UGSBCp2gdiB2Wx
K0fVrVQL/TkXhpwaklLN1bap53Hf0GisuRkA4VI7DqjVa6V9e/aAfAdY7/JtuLnkLo4 0g
GEZhnAYRDvTrWt2GlyMq/hSVApUKbkZ FgQACop8bIAEAAkRg8b4Lf8//rojgOQg6PsXCH
H907xeW48c7DaZPCyE5KQCEV1TGH1wVnMWFcYuMW41pPTR7Ty5iS/rzeDpDIYcY MyhrZm
qCcNWq63KdvTd0NPO6BlWrI8x9gmz9/B7LBQ5p6bMWvMmJf23OSIIKSNBQRsb7jBB6DpFM
mH7xlsgMNlUVjbOd/01ICWmZPfC0/DZZufZwkerq9vJEmemKWBb/osdfs0JPDDrse04JvT
Bo92VyvOg03U/tFDcGOj/dpg ExVpz/8qBxfmPOfazMsOCVKjHiNM7ckSNTKbgC9gNTcKs
3SATKOeX/EWEgHymKW WOorXDdvAcObg69LOJBLVaX6ir2Rmy5aodFPt0WN2/BTn4iZCod
O/bvb2bbUZJhuhCQU/b6tO56bo/nbvSDb6vGALnrCG1pt3PBRBEOdRtoNTZGDQpqYo6wTn
rJ0DGnP5TIjuFAMlqC2BN/0tTGYU41g N3fVHYFY1JVvNPurZDsVaBsTls C61MxJA49A8
G6XzmR RwN/bH /le/JS3DGYeUEdtUkaUsGUOCZhUoCG3uom8dXXXJ kovJlo/jSzfpBuS
T6zDuOOhVNDNrgGOdyfW54ZSTqNLO60rJU eLe1aFjq3ljqRmyENgFakf7 zIkMpPcBTkh
JRoS6zpYnYOPwMXtunXsOEaCj3wf2sHpT5pRARj3kZpkkTtje0A gDTudPfHG1MWQGqPkT
hI5IrqgF6ot tmx/cY3h cCrg6lad0SuRRnhXuFpLClymd7L8kueCsR52xIPwP6tjW
<<< skipped >>>


HEAD /HDPlayer_Setup.exe HTTP/1.1
Accept: */*
Host: cdn.excediumwall.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 03 Nov 2017 04:27:03 GMT
Content-Type: application/octet-stream
Content-Length: 30510920
Connection: keep-alive
Set-Cookie: __cfduid=d90be36b2754a1e434d07a4a324bc2ee31509683222; expires=Sat, 03-Nov-18 04:27:02 GMT; path=/; domain=.excediumwall.com; HttpOnly
Last-Modified: Mon, 08 Feb 2016 15:35:58 GMT
ETag: "083f9678662d11:0"
X-Powered-By: ASP.NET
CF-Cache-Status: REVALIDATED
Expires: Sun, 05 Nov 2017 04:27:03 GMT
Cache-Control: public, max-age=172800
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 3b7c942dc6f38231-KBP
....


GET /HDPlayer_Setup.exe HTTP/1.1


Range: bytes=0-30510919
Accept: */*
Host: cdn.excediumwall.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Connection: Keep-Alive


HTTP/1.1 206 Partial Content
Date: Fri, 03 Nov 2017 04:27:03 GMT
Content-Type: application/octet-stream
Content-Length: 30510920
Connection: keep-alive
Set-Cookie: __cfduid=d4c786f07525c92e73074fca92b1825c21509683223; expires=Sat, 03-Nov-18 04:27:03 GMT; path=/; domain=.excediumwall.com; HttpOnly
Last-Modified: Mon, 08 Feb 2016 15:35:58 GMT
ETag: "083f9678662d11:0"
X-Powered-By: ASP.NET
CF-Cache-Status: HIT
Expires: Sun, 05 Nov 2017 04:27:03 GMT
Cache-Control: public, max-age=172800
Content-Range: bytes 0-30510919/30510920
Server: cloudflare-nginx
CF-RAY: 3b7c943287608231-KBP
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...n..V
............................]C............@...........................
.......t........ ......................................p..Pk..........
.q....................................................................
...........................text............................... .0`.dat
a...............................@.`..rdata...i.......j................
..@.`@.bss......... ........................`..idata..................
............@.0..ndata..............................@.`..rsrc...Pk...p
...l..................@.0.............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..WVS.......U..E....t...F
..........B..H...H.......E..5 .B..D$..E...$....B.SS...E..E......D$..E.
..$....B..E.WW.E......E..}.9}........E.)..E..FT.........FP.....E.....}
.........FT.......FP..E.....}.......FT..........FP........E.....}.....
.....E..M...$..`.B.R...E...D$..E...$.D$.....B.....<$..h.B..E..Q.H..
..~X........F4..$..d.B...W..........$.E......E......D$.......x.B.RR.FX
..$.D$...|.B.QQ.5p.B...$.|$....E.R.E.R..$.D$. ....D$..D$......D$...B..
...B..U......$.T$...QQ.<$..h.B.S.E..D$..E...$....B.PP1....D$..E
<<< skipped >>>


POST / HTTP/1.1
Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 944
Cache-Control: no-cache

I'.........a.o.~..!.D......@<..........#.;.].
....
.n.eZ.F........@.L0.<.|.%w.........>..q.....wb.p.W..A.K........
........2........`tBw...!.q..y.....F>.......x.G.Y...4..'...7.4aD.X..N..V..j|e...8l/.>mC.?...itK.9.0'F....V.E.v &.a....}
...|...V.].m.d....x.......0.v.~..... ....IW~.< ....R.N.(....c.....g......)........l5..'.f..3..n..=.NA..S3X.....u.../...*...[V.......\.vS...
L..?....:2#).-.D.0.6XtfSs*....8......L....~]...,{c..v.7.6...........zf$...iw.f..R.X..0F...F[....I*..0.uI..e....... ...w.S...o...y4r..I.S...tO|j.z.P7 ...Fi(MHo..g.;..h&./.o...51#...S..v.......,....sK.............e..':.q...osa...y.
....t... U..^.p.V..4....>...l...'%.}.... .:...9..-.~_^....$.U......E$Q.........qu.............K...A..:.4k.......x....@....Xewh..#^..>.?.EU.....I..axo.f...D.....^...[U......~............@
...;....F..z=.{y..I.C.*,...Y...r..]...Vl.'^q...Ds$R"v.b..#.ok).NX.U.c...!.<.b.....j....s...#:.....T...Y.}
......
....'.O.
k..m.C..^|.%....,z.
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
....


POST / HTTP/1.1


Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 976
Cache-Control: no-cache

...QzK....i......,|.@...G..I...d* .Y....z.9..L._}..w.'.....2y..K.8b..`..U..#t.V..7.....i .O..EZ>..vdQ..dP.0>J6.lG.S..j...}-.T...qp...E..'.o.L,.0>..l..\.........%..........GV..n.
...?.... ,5......B........M..%..\g.{X...2.:.......i..
.DZ....)...@.U........q.z&WL.K ..QZ.jM.<...;.}"....D...t..1....}TQ.........gX....h.x.Nf."A)...CuV.\.2<j...x.........M...N.-...CW...(...>....4.=...v?z.d.........`.....cR.-z.&..F.
.
N.`R......C.N"%"}...L:,sv....$...t7..V.......6......\...A...JU.$.E.<`...9...O:..'n.?G..
m...W...`<...S..-s<.Lg...y...PH......~.5.a..r.[Mbh.4&.V..f..*....<<.<.`..1..zU.y.....K.Z.{K_..3y8|2]u....s..o...y.4B{..d.zq...x..Q/.{.xkq.RiYh.H...>9...
....04.o....Mu.!.g......7.ml... ..:U1..Z..j83X....T.!.;.
_.........`"..?..(......i.m.vp.n.|..b......).Q........u...AR.;.S.y..*.#MW.3^].G$U..*V.!Of"....r..M..../F......m..k9.#..rbp...............[...?.9~|..;....<B>....m.._.
..G..~.A.X.G.~....k.>....9
..."..d....$... ............b......9.
.../#...!...vs...7.Q.;.x.s.
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
HTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Fri, 03
 Nov 2017 04:27:19 GMT..Content-Length: 0..Connection: keep-alive..



POST / HTTP/1.1
Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1584
Cache-Control: no-cache

....V.....2$....leL../...
.X......{....d.Fnq...M....
l.....L..d5..K;..........4.BlR.....x.1...-../.a.a.r...e.v.NFJ."..R|.&.L.Q(|.t........4l...T,K.SS...F...D#Y..{YAj..P....(....k.E.....9Q.PeG4...J
....$.:.I.5.x...~{....t.4..g......q..%YC..0.A..?.....q!..k.Z..).R.`i......E.,AD...N...<`%.x...........&}m...k....'BR2#.V..B M5..]R....E.....t..oP......$xP....3..0...CraKPR/._E..k;.6...<....H...vC!............T..8Z}...~3.`1...Jl.......ES.7@,.j
w.~...X..?"./.S..;...X.I..........P= ..........g.e..2&..z.G......t=5(..h......=.X..R.m`.....
;h.....!......0...E/.....K<?.h7....ZZ
...=..L.a!=.&.s:WX.....B...]..4n...`6..P.j.h..n%....xN
.....X.
.....Z..: ..)?7...e..X\.6.a...kE.}..'...%;.p...)...4...0...A.,&...`\Vy....Z....b.5..o..y......tn.|.....1E$..aBFu{L.y.....v&.Z.."...w)dlV1E....wy..b....f.......B..?.k....~Y.%A....1.1I..E\%.<..X.5=...~..ZW.YISy.............[.r '.r.Z.~.p.'..
Bq......<e....QW...y...i.mv_..??jj............,...E.....iM.../..:......#...-.n.V{"..(.B...8F..U...._e^....O.
2...Wg.aj..y.....5:......h...G.;.*%..(...}..}./...C.W.,................25....^.5.]..t.p. .....e..n%&.$....A8..5X.(..7....a..D.=8...~M.6..w2.....PB>....
S...Xm.. .L..U..d};.>5..
....L.*}.......<E.'7.3.|............s.....T..:.7`...D.9..y]Y...Y
-..y.UD^[....,.`..RM.'.U..%..EJ@\s.w..}...gq...m......'.... p......3G.....A.y...Q..O.v0...FCB.^ 
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
....


POST / HTTP/1.1


Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 944
Cache-Control: no-cache

W..$...1.:.A].PP..\.J.Eq...Q...t..n...>...Bv.t..L<....>......s;..a.(.a*Y..9"..:...|d.L.G)..V9.=..z...h.z...M...8..<l...0...>...E.I......y.P.......m.....W.....u^..t....>.)a.....Rn6.~2Ei...\Q.:..
oIM1......}P...!...^..p....7[....
.G.[.....U.B..........c..9..S......y...l.C4.n..s....t..P.....[Sk.qT..n...!>[...~`E".Jm....rD... ..:,.A.R....,s..5...Q4.._..H....c....!...`.Q..dkf..-.j2.<G.&m"... ..L..q..?1X....^..e..d..j?..
.4.w...xUf.KH%..Jkh1t.$...U3...T. .{..9(..].7H..'......W...)...O...........g8.vyW....u...
.....)......&..#.3:W...-.........~...........sjzB...U...).. ...K.i..Z..z..-yZ..vx1..V...yI%(tv..I.........B..C.V.z...`._.4.....# .D-.....<...p].c..7...Z.jy/.DGZ.J~...I.
.L.......P.H......]x.I
5..D......V......'.1`...5...cD}.v..Bw.>q.7..l.......oy.$.w......6........;.N.Bc=...w.n.p......A0...#.#...t.-.p(_.V ..`46....p.B]o.......Pk.Q..@P..i@....W#......][j...9..0<J.f..8[.5....`..........~`.l..W\y.ZT.o.L.
............. /.-...._.
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
....



POST / HTTP/1.1
Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 1584
Cache-Control: no-cache

.I..G.)E..,(D-.......J.n.U3 s.T...=R{.]a..8?.1.=....9nt..lk....K1.....9...#.}.2..%......J.p.....XV...-.#WK..c.%...6...".f.........0x.._v....5,u....G..-......BRT...D.b...#...S....-z...;.~..w}..@.PK.#.9._V......I)rr..<.I2.../..E...W..f......,.......klw%C.8".....Ds........r..C.p7..j.,..p...A .^j....f/...:...G....^.....h<Z
.]z....*..*^p...i....rLC\./..=.....epws.....I.&i...>d.
.
,......w]...R....#.'i.kN\...'T.H)&.)K... T,{WV\..J..._......h.@....oG.......`I}.Y]....q...V....)..@......h.....9..%g4.,...B.....R..7.G..G./v...99.....Ei.I2....C....
3..h
..(...]x..e....e*....2J.v".z..!..,t;O.7....v..........T..4{.h..\..D2.,g...^....P.W....A....0s.F`Y ...bF..b...2'.^...j!/..RF....
.......)..............f.....0~...:,].H.x*.......FB.7
.
..v..!...l
......
N....3t.z7]....0.......zP..(.\...U..........g:SoM<....8.!...N0..tD=O..%@}.../.. 1...Mp.I.....y(...`..J.... ...~..
.J ../.."..X......w.R.D........i/... ..v.V...Rt2'..p...... ...u`.H.S........vE.E...m...S;m_I6....?..>X.u.l.@.WEt.".......a....
-.&f!g.K.C
Z..Zt....Q/n..4#...l..Z....8.......0...]!../3k)...}...8U.A...$..,..]...`.D"u..*g_.........$......e..........x...._.O...z.....2.v...>...2.2..^...._...L..t..Cv.&!.D.2P=c.]...6..v..tw...^V.p.........]......(?...f..q....t..;.I.@~....q?.Y...ct..C.S...;..w.q...;>....6..
......^'B....X..C..`.S.'..
.V.......v.b.......>o...jZ^M..
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
....


POST / HTTP/1.1


Accept: */*
Host: rp.Jajajapa.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Length: 944
Cache-Control: no-cache

xg.
.......F.......B...a.....^.@.. IJ_...(.L.......PF.{JO\....~ l..j&l.Y.e..`......3T2....l[...U.*.k.Z/..qg.....T~.iO.Lj.j..E
. ..y..T0T&.....2.g/...,..b..z..pv..c..vh...L....6.5c/....U.[....[..B.....OK..{.p...nZ..x}.q.u.."RI.QM...k.........J.V.[
....)"y8..G...{.-. 5.......:<...5.OX\`].0A ...f .BYcJ....7..<.UF..b._.m...AZ.kh..Z.f.7_w!..p.w9....>Q..8q...6].DU..%^D..#...Lx..\..#..c......Y.....(^..@".n*7=e.....;.D....q..b.n.!=I..r.p..s.n..%..j.s.y..Y~.].i..r&d....liv.E..%o.~....@...T'..bO.................J..s.'..If....4@c..........8q..L....6.Y.....1....K.L.
M. .d..d\!......n......t.....$D....Obe.A...4>*b..B....du.1..1.'..Fa}.6..%..i.....X...O..r.H....%......:
.:..../..`.{.uX.!....H.....^..:..W...eg5....2.z.....l.p...Hh..v...u%N..I.....H.....3!......:.}8*..H..t.v.I..c...0...
hP...j.Q..F.D.^.G.H$..HA
..\..\..EI.Kv(}..A<../a...m..19=od..|W....~... c.......`He.7.o.=.g8L%...ss0&...YF.....$~.!...l.R..=.......b.]
..1...O...w]........
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 03 Nov 2017 04:27:19 GMT
Content-Length: 0
Connection: keep-alive
HTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Fri, 03
 Nov 2017 04:27:19 GMT..Content-Length: 0..Connection: keep-alive..

The Installer connects to the servers at the folowing location(s):

%original file name%.exe_2452:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.0)
mu2.iu
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
3.6.1.5
3.4.4

%original file name%.exe_2452_rwx_01200000_000C9000:

e<K.Su
qv%6x
%X8Xp
JR.ye
z(zq.sp
YiÍ
-.dCdA
Tc%[C.vVH
.ZU/.
X2U3.hE
-h%C&
m5`.SVrB
)ñZc
p.Mn1
]&=%x
i..zj
.Qd"fa
8y.yu
e da%uCJ
\.FHs'
%D#v[
>].gZ;
$n%ui
.vE!W
O.lC\B
g.JF:
.IVrgN
AFH%x
'O8.yl
%2X}%*l}?
.vt-QpN
;.Meb
u.XXByvR
[/d6%U
.wb F
r(.mQ
|R-m}
.Ay>DK
9-u}@
j|%Dk;*Q8G
g%U87
ab%U,
KmjS%%di
apn.Zw
zcrTh
U-{%f
jHc=.BZ62
*V<]%c
%C)syb
MSgR
KcRt
2%XOWX
.NF;}
C8.AH
s.kRi
.DW{)#uSVd
^J%u(
`Kqk!%X-
XP.bHL^
iV.rS
c.VvzS
7ap$%C
l.mUA`v
Sq.Pwr
|&L3%U
'.vYZ
=|.oz
c.nLv
SSh~r
ie%d-

%original file name%.exe_2452_rwx_012D0000_000C8000:

`.XRoM
F~.TG
6RP%F
a.Rwe
2-{}3?@$
.fliq
vU%S%
~qB.Ss
-q`.ka
.RDRVp
n|h>.Fu
..og'
2.jUl-
.RG'LY
F".ueP
@/.fj
F jTe.vAwPK
h&.kS{
aI
hfû
.ZR[;
C1.YT
keyi
Z.NY%
D).Kd
h3O%Ut
9.nb$
Afý
%up'^
.uT"w%
A[P%sd
HK2$m%d
[z0G@[œ
e2.uC
=d.IY
@\\.ob
g.Vd\
/.mGE
.eC;,tvN
uK.eqw6
O.gHS
.IGInD?
8Ds%X
7.BR=
(:%cHS
%D,**
KJx%%f
&c.HA
$kk%u
:.8.PF
.O %D
%DU{3
%xQ"*
.JurBu1
f.CnyC
.EgBen
%SioB
b7l2%d~3
).To2a
/x.tO5
b%DPm
A.HJ9
G#y^!%d
utcP
G.Nf[H|t
Dsql-
/u.wkQ
.xCe 
V.fCb

%original file name%.exe_2452_rwx_01570000_000BC000:

Y3.qS
~CeRT
%f;@A 
Bd)}%C
#[{7-z}o
.Vhf<W
L.zzJ
n.YC`
R.Gz1
|p.Wi
fWPB%d
.OkZV
5 tt#e.Di
q3.JE
aF|
.ZP0{
".iS|9
,~38rf.ju
;L-3J}
o%FUc
.Fr@e
FY5.fb
.yZWJ(
%ueT2X
l%D@&
gL%Doz9
F.hu>
?Z.DZ~YU
%Dr`;
#X%dU
$kl%S'
M%f::
=.vq%~
1R%F-
9%x_z
'!T.mv9
M..Rw
%f~07
Wv%S!
O.JtUg
3%C_I#
N/[-p}
.LrcH
URLRv
9.H%X_
q<.Rh
g.al[
EuDPb
-.eF1h
Vf%fx
^67%cu
<WX.Bm;
H3.UO
%4x4R
1.Pym3
V.jaw
oü'P
dUNÌ

%original file name%.exe_2452_rwx_016F1000_00187000:

kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
UrlMon
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordD?p
crSQLWait
%s (%s)
IMM32.DLL
AutoHotkeys|
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewp
WindowState
OnKeyDown
OnKeyPress
OnKeyUp,
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
A`bng`@ikc-4,uUxlxs-4,Ht.HA
Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP
Portuguese
ZkkdDocjn^g-4,o.ye
^ioM-3,iiziGmwItI.cG
\h-2,Jfal\`dgxj-4.DZ
,-\ T,/.Om
hcl.sf
-24,rqaxvdj*`x,.EQ Q,hep Q ,,BIDWUAT\XGOZUWRKX^Ralvvoxg],,1 R,`migr-2,*fh-1,oaubs R,t`ngs,.(JJKS]B[XPD@^]T]OP]]eduykpdR]mv8>13@efd,, TB-c
webqskv`T-Y
oj-2,`ac<<*kcb.jo
ak-2,`ob<< T,jcb.je
Ufwm`j U,[x`f`saka-0,oqan` U,edmmiogve Q,yd-0 Q,mddmka(vgq`n-0,q(cklff,.lfhzliuka(ggw-0,u P-:.\
A-4,gmqskaj W,CjinlCkcg,.ECOQ@BE\ECG,.mt R,`ks R-2,qwravsgj? W,w-2,mie,.ECOQET]JATIZKW R,gjtvkec,,,.Bnnk> W.],t
IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl
7Teah P,Ckh`-3,fkgo-2,7*NNYO.uh
1.2.3
 P,=3/.sY
Gx-21,\igh]ixyj-42,M.DJ
A`qjz``-0,ZkdkNgij.pc
Kcqjpc`-0,Aaj-1,gEdafa`.pM
Kf`, -1 W,hefc,.cxb`,,juoocbz,,.I,x
Kn` R-1,/-2,`zfoiauk UU,/\`kjgsmk,.miajim/gv(aaq(kkcaaka^.s
Ecezcb-4 S,Tmeic6.fA
CMd86NBJPGb3
Bc/K-33,`-1.jG
Jbhblnrefc V,H-0,bv-1,li.AT
Uju-0,c-2 W,Ht-2,h-4.Rq
Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l
Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F
Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL
V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a
ebP-3,dLfnda`-4,`yj-4.PL
Hetoczb-3,ih W,cziu`m-1,webk W,ocbiioxncb-4- -,,kcnbk,,sc,,ofboik,,cbb,, T.BG
Lfak R,fi,.m-12-.,pl-30,gz-02 R,h-2,k R,yn-2,q`ai R,`a,.R-0,`v-0,)Bafl/ SR,zz-2,rllzkgh,.kgnlkefz-0,)-0,a R,m`yle`of)i-1,md/mw-02,kl-2,/-2,g-0,ykp U,/zppf`e)n`m-2,gkp)GKCM/-1,gxzkq-2,/zm)boil/-2,w-0,j P.j-G
Xbzscbxdn W,Hhfb,.Rc-2,k;* N,z
Lz,--1,`k`-1 U,zenq,.yg`,.kfik,-`k,.yg`,.-3,jwxh-2 U,fl-1 U,lhjk,.ngd`jja,.-3,fkmh/rk,-cd-2,y/q-1,dja,.y` U,jbxkbbna,.d-0- -.,_jvzl-2,qgch U,jbxkbbna,.laa,.dhka-4,fki,-ldmej, .x`
Qj-0,zb-21,gmh(zkj(km-0,a-1,f/latadabk( V,qj-0,zb-21-.,m`2,..cn
Sggwb/cwb/lj W,bmwb/qjr-2,a`t/adwn`ib/mc W,kmricmdcflb, /ddnckk`/vmb/fjpanjfk,,R.r
Naplfaff*ffq*hfkfkc,.*cfkd,.cm-2,`kmkj W,vb-1,bcn,.nq*-2,swie) W.e
Ibav V,DHNB,,-4,jwyh-1,r-4--,nti,--4,g-43,fhk,-fh,,]-2,itt/Kcij VQ -,zhmocc,,y` V-0,b-2,m,,zfrd,--0,ne-3,/ui-4,yc-3-- W,v-3,bmgnav V,bb/Tmchc,,-3,zv-1,b-2,r U.xA
PHgyj`go`Mkma`m-1,exg-1,*^-2,`,, U,(ye-4,(gcbg-1,ah T .,wefma,,i`kx`kv,,lasbdaeh(gw,,k-0,v-3,m`p`q,.mb(-3,vco-1,a-40 P.c?
 R -,/zyxf`l Q,nijha,.jg-0,ky Q-1,bnd-4 P.j K
,.)pz-1,dbc,.vb-2-.,ula,.mb-1,id* P.^ N
Qe-0,ud T-1,cpqkuu T,gaok-1,ce(,.ktwz V,ca,.oo T,Jivjbi``,.kn`k(nA
Yd-00,l U-1,mxpk-02 U,gogj-1,mm),.-0,lwxm-0,v,.-4,`qfg-1,q,.@]Q^([d`ol U-22,yuaz-2 U,yaei,.khp-2,m)aa-4,giaim U-1,mzqoz-2- C,Y
Mfvje-2 S,Io-3 S,haogaj PS,Pazbh,.mkq`ep>,.C.i
 Q ,,On-3,iNgxbf\dvh5,-.xH
Blmiqkghd/zi S,Lfsmd-2 V,Nn-3 V,wgk V,efbc S,f-2 V,``cvojzcov,.blx`jlnjcg/ojqjobzn.n
Bm-2,mirk-1,c`,.hohk`gik,.oj,.Mnq`eu T,Cov>,..i,F
 U.Ie
Cnr S,M`dmkl-3,jaa*Qoamf,.xkp,.-1,ow,.-0,e S,:.y
_yexofebk,.Hc-0,``cmji-3-,,k-33,c-1-,,ocji,,j-1,ca6,..Gg
Iip/Tcr-2,di W,luif-0,bh, /r-3,k5 W.rB
Lc` W-1,g`n-1,ggs,.lqjlgv=,.t,.
\zh-0,lehah,-rz-12,dakhe/\hsyj-4 Q,mnnj/-0,b Q,z-1,h.lZ
 T .-0,b-21,kh2,..Sc
E``aclzfia,..yq
 W ,,oc-1,bgcjhnh1,,.FF
 S .,gx-03,Lckk5,,.Jj
]fm,,-0,kyyl-21,im,.zmgim,,h`l,,y-1,gz`jmh)afi)jajokz,, Q.Cd
AcfhTcph W-4,dh-4,zonson,-dbkc`o V -,hfn,-qkfxb0*.U-\
Scbtvhdxci W-3,c-3,bx V,ba,,reb,,`dki V-3,nvc QW,each-3,ci<,,tht-1,icti V,ebmbhu6 V.BQ
Rok,,uh-03,eb,.hth-31,cc,.-3,giii V,t-01,vh-1,x(.I,v
Kc`bmozegb,.e-0-,,ay-1-,,aj(akag-3,w,, P,o-03,zi`x2,,.IC
Aasliaef U,oga`bapdzkp U,feq U,lagk,.bp`k`,, T.`
]DKizHi-4,exc-1,Hc`hk-3.GI
L_LCUNTF, KHC.op
0.0.0.0
3?:96=>?59:;.ZQ
6?0N2=.Lq
;768>1-80
cabinet.dll
\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y
]bmmdi,,-0,g,,iw-13,ml-1-,,xgm,,jfdi,,yam,,LEH P,/ocbai,,x-2,q,,-3,joy`nz,,-02,axi5(.wC
000000000000
 ;7.Q,>N-Y,[ T,Tc.Uv
Piwapxn`e,,aok`bj R,ci,.deu-2,v,,fzvij-3,v PW-2,goh`f,,fzvij-3,v,,n-2 R,of`aikbgh WV,deion`ntkb` WS ,,Ozv-1,Ukq6 W.b=
Eb-1,tw, -1,bsd-1,s S,jzsff-3,s S,mononj,  S,lanml,.aly,.tfhaig*,.Ow-43,Ufx4 W-3h
Bpzpfkz R,Bz-1,mu2,.aff)v W,nawil,.qh-21,ab(hkkm4 R .-<
JDT,,odki)dt,,-2,bh,,kd`,,obu,,@cJidbuu)h-4,x-0,ldx`bi,, Q,34<DO,. P,)jhegj W,xf,-bt-24,fo-2--,a`hy W,j`ab,,-2,b W,xah W,h`-3,l P,)ls6).BT
Y]H.if
d-3,tdcQqdc.Lb
)hix.CB
Y^`acxziagKphh-01,hy,.kle,.jh, mzhjzmi, afar,.gchk V-C.8
,.Roj-0,a4nN
 W,Irgs,,\okyo4 W.eB
ch_strtup_urls
 R,Kvev,.Xmn-0,k6 R.I]
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizablet
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight\
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDownX({
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.
hXXp://
hXXps://
Icbodfii*zw,.kiskx/N`y-0,fbfjuCkafio-2,).bu
Rfhzlif,.chs,.Hfoobbs,.qoskdc Q,zj W,ukwjh`dsd P  ,).\,u
CJ[hx.Xu
,, S,/kdfcdkh/ymj/dk-10,licj-4- .Zp
Kaxmcangf`h S,M-0,agck-1 S,ko-0,b/h-2,lb,.ng\k-2,uj-1,/la,.zqc4/?.j
NAER_[URNDT].Lw
Baxbjanho`h,,D-0,ahjk-1-,,bo-0,m V,o-0,xcc-4,x V,`` RV.Ja
Mimjihbc,.@ogatbp,.Omik Q-3,a-4,tiwz Q-0,e-2 Q,ha`hi`,.eya,.uc T,b`oo,.nj T,^sergmick Q,Akjd R,L N
ymighko,,h`xihhs,,-0,izc-0,xoh.ED
LJ_.ge
fxk S,Cym^rk.Um
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyDown
OnKeyUp
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
@jgico,.qi, k-2,ryofr, zmc, gklnmqod`) V,n-1,w<, ^.1
RZ-3,i-1,/ImznQ.Hy
MAPI32.DLL
LeftPopup
Nomfbz S,k-4,kb-1,h,.pkekg-2,akg(yopc,-gm(U^ S,G^,.tayf S-14,gdoh-1 S-1,t-3,f2,--8.h
)bs-1,fu Q-1,hnrkm,  Q,y`si,.dbr-2,h`d,.3 W.\,y
/h-24,`-4,/-4,nd-1,hk Q,/zfyg,-bh-13,njj,-5,-.ZZ
Uh-E}
YR-0,xh]izn.cQ
Ah-1,cif,.znykf W,ua0 W-c G
2.1.0.0
This exe was created with an old version of HtmlAppMaker.
[_FMTZG].mF
WDM.DM
uaixcbzaShz.CP
z-1,o-2,Nl-3,f`a.uz
Ekcffn*-3,l*fkvdib S,b-3,go_C*exeg S-3,bo S,lefoe-2,cmm*-4,qf0*-_X
-0,cnyzgcEi.Tc
R-2,ll`,.age-0,b R,n`ogdzlmi,.cphc U,ah`ck`,.ckkk,  U.b
V-2,h-3,g-2,d`a/ya V-1,h`b/yfc/aaa QSP.hq
https
Hal U,wkysa-1- ,Pvb, lw,.bkrogl`4, [._
Sf[.t,T*.lJ,e
Vco`lhf T,Iif T,qi Q,pmc Q,bjjmkrooc U,Ssh? V,Ae
Fad,,bop,,hkfb*-2,voikp-4,l-0,o`s,.pidz,-.>e
D`zc R,km-2,v-2,gwgk2,.,-bigl P.cm
MSGALL
irsoMsgDialog
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoGetRegKeyInfo
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoExecuteDllInProcess
irsoSaveExecuteUsingCMD
irsoIsMutexExists
irsoCreatePipeServer
irsoStopPipeServer
irsoSendDataToPipeServer
irsoSetDebugLogUrl
irsoGetDebugLogUrl
irsoGetWebBrowserHandle
irsoGetCurExeCheckSum
irsoGetExeInjection
iubnyybRolkanldf.RW
b-1,[-1,e.Hv
.html
H-4,njBdi-2,o-4,r.vY
\-2,adn,.loy-1,aihzmn)cm-3,aal*, gzyf\mm@-2,IzyGfy-2,odflj*-].d
-4,fhxXahcxgw.rg
gghYcjrf.ae
jehGbeags.qB
PIPE_DATA
PIPE
LNYCD_^.eP
HMVH9>.PE
U`mgtqxw W,`dzu-1,*-1,bhexba0,.OqgbRL*Luj-22,bw*aeooms R,y,.N@=,.adfbedie W,v-43,wjxz W,ly,.ij-2-.,bkklk`n P.e,W
Nombmj T,zg,.`g-0,ofbm,.pfm,.LzebQG(Lva-42,a-1,(afdmmp)-0-.,MK?,.bodbfoke TS,(\aia-2,p-1,q,.s-1,aza,.nombmj*._c
Fxed[E(J-1,c-40,k-3,(glfmkz, -0,(GI?(hmddlmkc,.mdzkmlq,.ha-0,ondmj R-=.I
/,.ghlzvub-3 U,ajb`= S,u.^
-3,1 T-1,`-4,b-4,w37 P,abov=.vN
Hiaokl(wa(-0,bxm(wfm(aag-1,pzzis,.naok2(8-C
Gio`bhi T,mtai, jagjj,.tjrf>, Nk
^ovh,.ei`cghi,.shf`iqc4 V.Q,n
Pno-1,a Q,y,.ehezlcx,.mhyzehik T,t-4,`jodi( V-3,fmu*-3,viikwu*ymjf,.gje-2,a(.e,d
Fas US,MHKUGIPD,, W,fncjdoj W,csaj U,gguvu,.wwnmbvr RW,qigt U,q-1,hfd-2,t U,vgki Q,mhkugipd,.upo`nkfW.\
Oenwfns S,gerwoebf,.bo S,ZNSNGE@WK, rwold S,gx Q,`-0,ysf`-4,mz,.ytm`bod R  ,bl`-4,hm-0,bod PU,1.9
[d-3,k, -3,k-12,h-1-.,_DCKO,-A[_,- R .,hl`)-4--,jk-4,h-1,cbck,.bk,.zch-1,k,,-3-.,oebzfn-4-.,ge-3,zoenk,.yx``bci P  ,na`-4,d`-0,bci PU.iV
KMEBGX, -41,myx(hnjiygx(-1,b-1,m,,xizzn-3 T ,-0,c-04,bndi, -3,mmxcf,,b-4,(xcm-1-,,jbgxciz,,bb-0,xjbki, cn,,-4,da-4- ,ef-44,md`n-3,(ex,,-0,x-3,oc.FC
ung`.Nr
gbo`dhfm.cV
Slqz`-0,vOrHfchg8,.Rlaaom R-1,dzvos-2 RSQ,jm`u`l-0,d)uguam-0,u)c`n-2,jks)pkr-2,c-1,u)va Q,htahm R,bnfr P.]-F
Tktzg-1,sOuOcco`=,.Tktzg-1,s,.u-0,dmckc RV,zuoh-2,aktgii V,mh`r-1,hb V,zh,.rfb,.hkp,.v-1,hmc-2,t,.g`c,.rkuco`fzo``,.rfn-2 V,aik(.ba
Xa-2,vkvzCyEjocj4 R,Legno`,.ve T-1,gypop-3 T,oq*ejocj,./*q-2,gx T,jkn T,`m-3 T,orzvato,.J
irsoExecutePackage
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoReportPackageInfo
irsoGetPackageFilenameFromHttp
irsoGetPackageExecExitCode
irsoGetPackageExecResult
irsoGetPackageDwnldUrls
irsoSetPackageRelProgressShare
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoReportStart
irsoReportInfo
irsoSetExclusiveExec
isroSetReportUrl
-11,jycmjaOaahDgvyc-11.Pg
Iakyhk-1,_goa,,@L/oloakaj/xk,.yiv-2,fcj4/.J_
zfc.bz
]no^dun.Vx
D`khnzhbc,.oby,.gbx`e S.Lh
Og`jeo,.czm-13,elk,,-1,i-1,ma-0-.,jedk,,hmzio-1,kh6(.I-A
Im`jce,.c-1,g-13,cfk,,zc-1,mgq,.jcnk,,-2,c-2-,,dmz,,lm-0,bn8,..I,*
\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>
\GCAPMA][.oj
TcUlue.PL
W`mmqzeon,.wvamaff P,4.]
z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1
e-1,f.Cw
Kh`k-0,dbi/ydk/Zmzlei-1,/oe`n-4,u PQS.gZ
-0,ilCcbd.LG
)h-4,k.bR
Poymok-4-.,po-3-.,t-0,nmb-23,hrbt,.bvhmrzhj W,gc,.jaik=,..hb
Ukszv.ra
[eckbn R-2,a, kgg-4,khbbxl,.blzzjneky R,N[B,,-G.9
FbghLbtaYhe.AU
1.2.1
deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly
inflate 1.2.1 Copyright 1995-2003 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
1iu2.iu
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
\X%xc
%2U9H
%XVt7
]c! .hZ
e'j.TD
/D%fx
4.RX)
.LRm{
3Æ;
V.UWF
.eB;uF
 %xLw
|<.Zk
ls%xx
2s.rwW
GetProcessHeap
GetCPInfo
RegQueryInfoKeyA
RegOpenKeyExA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
GetKeyboardType
"$ %),'8
38000=344
4? 3!0 3!6
H.JXA
1 0 .'7(2':
- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)
&)"%&$&'&",,/- '
944(@32%2u8
.PMDF<7I
2222444424
.idata
.edata
P.reloc
P.rsrc
"?A1%X!
*-( ,'.:
*/.)*72-
#-**(-#,
SOFTWARE\Microsoft\Windows NT\CurrentVersion
errorUrl
\bin\SubWCRev.exe
Please login as administrator and try again.
OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid GUID value
I/O error %d
Integer overflow Invalid floating point operation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3828

  2. Delete the original Installer file.
  3. Delete or disinfect the following files created/modified by the Installer:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\checkbox.css (190 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\progress-bar.css (506 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\DE.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Color_Button.png (341 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\ProgressBarD.png (812 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\CS.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\csshover3.htc (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\NL.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\progress-bg2.png (978 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\form.bmp.Mask (244 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D6587.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Grey_Button_Hover.png (255 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Color_Button_Hover.png (255 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\mainDlm.css (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in0DF01217\32981BAE_stp.EXE (26835 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\ProgressD.png (104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\button.css (417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\PT.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\SV.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Icon_Generic.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\DA.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\browse.css (337 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\IT.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\BGD.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in0DF01217\32981BAE_stp.EXE.part (1242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\EL.locale (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Close.png (207 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\progress-bg.png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\TR.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Grey_Button.png (341 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Loader.gif (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\ie6_Dlm_main.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\JA.locale (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Resume_Button.png (718 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\sponsored.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\KO.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\ES.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\FI.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D673C.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\bootstrap_36006.html (156 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\FR.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\NO.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\004D675B.log (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Close_Hover.png (207 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Quick_Specs.png (221 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\ID.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\EN.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\PL.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\images\Pause_Button.png (577 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\ZH.locale (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\locale\DLM\RU.locale (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH507226358249\css\sdk-ui\images\button-bg.png (131 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now