Installer.Win32.InnoSetup.2_fbf8aff080 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):No processes have been created.The Installer injects its code into the following process(es):

%original file name%.exe:1928

Mutexes

The following mutexes were created/opened:

__DDrawCheckExclMode____DDrawExclMode__DDrawDriverObjectListMutexDDrawWindowListMutexCTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003RasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ShimCacheMutexZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutex

File activity

The process %original file name%.exe:1928 makes changes in the file system.

The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\iconp[1].png (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001222C2.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\ProgressBar.png (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00122870.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0012292B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button.png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Progress.png (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button_Hover.png (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\bootstrap_17710.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Quick_Specs.png (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE.part (3012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE (439589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\BG.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button_Hover.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Close.png (562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\JA.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg-corner.png (1 bytes)

The Installer deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\bootstrap_17710.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001222C2.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0012292B.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00122870.log (0 bytes)

Registry activity

The process %original file name%.exe:1928 makes changes in the system registry.

The Installer creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E C2 72 33 48 89 CD 7E 0A 06 35 85 34 E3 34 04"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Installer modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
d3899694be017e0ba51825237b3bbe15	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\sponsored.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\iconp[1].png (787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\001222C2.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\ProgressBar.png (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00122870.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0012292B.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Pause_Button.png (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button.png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Progress.png (311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Grey_Button_Hover.png (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\bootstrap_17710.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\EN.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Quick_Specs.png (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\in1C2ACCFB\04ADD711_stp.EXE.part (3012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\BG.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Color_Button_Hover.png (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Close.png (562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Resume_Button.png (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\images\Loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\locale\JA.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inH118856235299\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: SecuredDownload
Product Name: Program Setup
Product Version: 1.0.5.a0.1_53762
Legal Copyright: SecuredDownload
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.5.a0.1_53762
File Description: Program Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral

Company Name: SecuredDownloadProduct Name: Program SetupProduct Version: 1.0.5.a0.1_53762Legal Copyright: SecuredDownloadLegal Trademarks: Original Filename: Internal Name: File Version: 1.0.5.a0.1_53762File Description: Program Setup Comments: This installation was built with Inno Setup.Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40240	40448	4.66598	523babd3bc84e86d17f91946b91f4019
DATA	45056	592	1024	1.90742	1ee71d84f1c77af85f1f5c278f880572
BSS	49152	3724	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2244	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	11264	11264	3.10346	87a15d8e70d5e677112187b1ecb13245

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://downloadbst.com/assets/iconp.png	136.243.40.69
hxxp://os.dudaran2.com/SecuredDownload/?v=6.0&c=1445015402&t=1193937	54.229.110.27
hxxp://downloadian.com/softwares/14710/ChromeStandaloneSetup29.exe	136.243.43.26
hxxp://downloadian.com/system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe	136.243.43.26

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe HTTP/1.1

Range: bytes=0-35763831

Accept: */*

Host: downloadian.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Date: Sat, 09 Apr 2016 23:35:01 GMT

Server: Apache/2.4.7 (Ubuntu)

Last-Modified: Fri, 19 Jun 2015 14:02:44 GMT

ETag: "221b678-518df60cb86b8"

Accept-Ranges: bytes

Content-Length: 35763832

Content-Range: bytes 0-35763831/35763832

Keep-Alive: timeout=1, max=400

Connection: Keep-Alive

Content-Type: application/x-msdos-program

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...G...G...G.......G.......G.......G.......G.......G...G..RG.......G.......G...G...G.......G..Rich.G..................PE..L....y.O.................\...>!......[.......p....@...........................!.....XT"...@..................................y..........t.!...........!.x.....!......r...............................................p...............................text....[.......\.................. ..`.rdata..$....p.......`..............@..@.data...\............t..............@....rsrc...t.!.......!..x..............@..@.reloc........!.......!.............@..B........................................................................................................................................................................................................................................................................................................................................3..|$.....j....j.j.H........P..xp@....t,...t ...t..."t...Pt.h.@.......hW.....h.......V.t$....t$....p@...u.^.WP...p@.....t'.t$..t$....p@......v.;.s.N....|O.u.;.r.3...f..f....#._^..D$....@...j.P.t$...Xp@...u..P.t$..D$..x...YY.SUVW3..t.@.W....Q..3.E.:..u<.D$....@W...Pj.V..`p@...t.P.D$.V.4.......YYu.U....Q..E....u.3._^][......H........J........P.R...........@.3...$....Vj......p@.WV.D$.P...q@......p@...t.h.@...c.....$......^3...A.........U...........@.3..E.Vj......p@.WV......P...q@......p@...t.h.@.........

<<< skipped >>>

HEAD /system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe HTTP/1.1

Accept: */*

Host: downloadian.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 09 Apr 2016 23:35:01 GMT

Server: Apache/2.4.7 (Ubuntu)

Last-Modified: Fri, 19 Jun 2015 14:02:44 GMT

ETag: "221b678-518df60cb86b8"

Accept-Ranges: bytes

Content-Length: 35763832

Keep-Alive: timeout=1, max=400

Connection: Keep-Alive

Content-Type: application/x-msdos-program

POST /SecuredDownload/?v=6.0&c=1445015402&t=1193937 HTTP/1.1

Accept: */*

Host: os.dudaran2.com

User-Agent: ICAS

Content-Length: 1280

Cache-Control: no-cache

.I..~...$$.......04A"8....`[.....W..(4..L<..1..|..`...}...k.u..&..'...9...'.....F..._y..e.gJ].........>.. .`..?|...}..3.b...P......I.R.26.1.I...

......\fr.......#....e\..]B.E..Y........3.....!..6.R...8...7W.0xe.........5L....k,.3p....b..[PI [.m.gs.A....._..W..u..L..

.#..B...'iX.......1...KcJ&.......ul,!.%.I...."..H7....r..R).,..H.l..NQ.e.~.eG..$..H..Z.:..o.A...>..OhX..h

........q..Q ..f.g.?..........N...4}*o..l.. <.4tX..1O.r....d...@...{I>4..y.ClSQm......q..D..gis...^..i.......E....hC."..FH.t%....1.........M...)._.....{.......B3.~y.......&. _x..T...f^j...>Q......C ...J2@.f.@..~...N......HW...`......$.6..HI>.)..EglT.(....nY...rY.U....l..m. .h.......f. v......S.....|..L...L(I}(.A.....j..K..... .._......d.<Gc:|E..u...\z.n..PX...q.8...,."R..3.zI.6=Rl....... ..E6.@...c.:.S..~.T..../MM..}.....z.VV..WYq..A.G.(.]_Jd3tT..L...

..._Y/.g....Yl.>w.W..J._n9b.6..u...|@.!m[$.......4&.o..~ot.D..IG.........La..W-.s..h

D.UG:...;N[Zb...|Ii...*....6Wwe`..Q..;|.......n.p^C..ma.p..e..<4tJ.G@:.. E/...bv.)f..=.W....~i...I........nyf.m..-.......e"<.........%...1.I!...</...Y....;.).........z..`..G..............}..`W_.}..<k`p"ca.p.b...9......J..h........>U...<~ ..@Bu.

Y.h....I..q..8{.....yuX.pV.....SJ......@]...%.....4.)...?..O...5.;.n....,.....Wi...1 .S ..s..e..h...Pl.F..arc.

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Type: text/plain

Date: Sat, 09 Apr 2016 23:35:01 GMT

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Server: nginx

X-ICSCT-CC: UA

X-ICSCT-CITY: Kharkiv

X-ICSCT-GICSET: global13712a

X-ICSCT-IP: 37.57.16.189

X-ICSCT-SERVER-NAME: ads.slave-131-prod-eu-west-1b-6ec3c8e3

X-ICSCT-TIMESTAMP: 20160409183501505

X-ICSCT-VERSION: 1.3.1

X-ICSCT-XC: 1f3cfb072bc5ded412eb0f20eaa0b3fa349c056a

X-Robots-Tag: none

transfer-encoding: chunked

Connection: keep-alive

1f00.....\.U.\.V...&u.1s.a...x}!.p..$.-.8:&'.|..<..Dr9.do|..2..W*...`:.!..E..p.@....7..A.C.#.}>0O..x..tN...j.s.Nu.|..\..krmoq{6...........=....O..E...:.z..jz.6.J.z#..?..QMiB.w.%&q.".......X)y*..8 .,rF..k...V0)q.....*...o.z:...E.$u..L.. $r..nkjZlu8...D.-......go................{."..t..'.9..H#......E....f.I.8...`....G;n...D.n.d.&A.s_..a.8...l...fD.;%.S.#...._.....x..l\...t5......]...&.........(b._z......b<....[qh....x.._0{..aZ,5.,..!F..:.._A..*..bs.*B.E.aZ/..'$.c,.q.H..................D0.[..z|,..T......SA..v`.....".....c.ZN.....i.....f..3I.g&...s....wm....a#}.i.8...x.......X*.kx.y.d..#}z..(..#..i. ...x.y....&x.......{....=.."...x...tj.k..`/a..az.i..7.k..).x..%..P.z... .4.d.b...9..R.2y.i....cx...x...\...x...$.I.X*..y.i.H7K.j..;x.).(.......(...z...X..#v.............o.8..#u.w.6<..y.i.h....9L.q..Sx....p%.4l....-;T..b>.h......Q/Y....@...{.C.|l6.?x..H..#~.,I.]..*.y.fc..p.>.c...H....................JK........d.........*......s....h...o.#}:.......gb\x... .x....,*...N.M.._.../G%...Rl................z..258.U.l.........K..........k...&.R.......$TE......#.2s~(.................;..7...u.;....q.>.....$....Z...R...]...a..|T.f......{:a...f...{.\...=....x.......P.n.$..qV.P>c.z......O<5...y^=.H.$.............."%.g.-..0..x5.".F..s...._.YHcrqnA....r....%V..M...Z$....;q.\....O..tl4.......A..?........IY..J...^..i......;q.:y.T........G..H.....xj..E.....|$.h.>.....v.S.)...O.N-..6..~*|;."&k.......3..CW..:IXMC.i:.|G....t=jd,..^3.-.....GLP...V.(.,C....#....J.?{.~3....wy."u...b;.....%/......&.4.$...w.9.b...@HSo.

<<< skipped >>>

HEAD /softwares/14710/ChromeStandaloneSetup29.exe HTTP/1.1

Accept: */*

Host: downloadian.com

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0; ICDM 2.1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Date: Sat, 09 Apr 2016 23:35:01 GMT

Server: Apache/2.4.7 (Ubuntu)

Cache-Control: no-cache

X-Request-Id: 1a24d9093edd1bdceb8832b268163e44

X-UA-Compatible: IE=Edge,chrome=1

X-Runtime: 0.010965

X-Powered-By: Phusion Passenger 5.0.10

Transfer-Encoding: chunked

Location: hXXp://downloadian.com/system/softwares/files/000/014/710/original/ChromeStandaloneSetup29.exe

Status: 302 Found

Keep-Alive: timeout=1, max=400

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

GET /assets/iconp.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: downloadbst.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 09 Apr 2016 23:35:01 GMT

Server: Apache/2.4.7 (Ubuntu)

Last-Modified: Thu, 18 Jun 2015 16:46:26 GMT

ETag: "d05-518cd8c6c4277"

Accept-Ranges: bytes

Content-Length: 3333

Keep-Alive: timeout=5, max=1000

Connection: Keep-Alive

Content-Type: image/png

.PNG........IHDR...$...$.............bKGD..............pHYs.................tIME......:.P......IDATX.....].Y...{....}..{./..&q...I.fi(!..BB ..PU.!.....U.|.J-..*.J.D.hB....S...o.m..}<..{..gy.>.x..Tm".J..s......y.MXk..o..I......J..\HOg..zz.4~..s.....3..........J).....s.s.......y...*Q..8. .).s.,,...#.}./-S.T.\....t...._....!2F..{.;.t..}Om....B....7g/].. ...(.x.(~\.........s...k..w..;..Z...^.."I.t..z..w...{F.:}........B..E....)....o{...E......g.RO=~....9.?.:.?=?.B....5D.R,.".......#.=....K.f...--...\.-...7..M17m..?.nx@|.u....*....?..}...a.........7......gfy...yT.H./!...).....3._.. w......>p.c.....kk_\... ..1.....w.u.5....B.V.=......P..3..........l.......f..D=.qma....e=.hY..!.d.@b...$..R..(..T.....2t..l6W.-l..$..F..VkDk.8*Y.RkUk.R.....^n...~!e...#.XQcq......^'...[G...V......b..=4. .w.n.Fe...4..#.C.."B...........2A./.(.Mu ..8]...|q...1...D...pR....C.......bRH.BJ..r....`..$nV.:5.(..PD..........|rt...n..].....4.j...\.......a....x....H<L....q.. ..".......m..l*....4n&%..4..$..gh.{.Qw.4U.- .tQ.m.q...N.p.......GX..`.......M.m^.......5Q...UI...K..DQD.G.i.c$.......dm.....T.x2....c.hm..A.H6<...Yp..#1.&......1(...:Q.c.DkC.Q&M.VK..P."...!...(.W...1..8n.N..2...*.(..b3K.......u.q......c5.(.q.4I...e..#4.*.f..|u.i<..$V.X...A..f...!..j=j.=7..&..j<.i.6cC`.M.X\c0Z... Fa.Xkh.u.I...>>.....w...........5.....'u..mX.JR5. ...7....BK...ND.t.)r.:B`7..1.T... ..(6....&.R.f.pw...w..@....:...1..]@...2.d:...... M.......zcj.{[#...k. .S.....J%.L.p,.....@)%HA.....:.s..3.w..JM.h...,...$..u..Gw....A}qr|Y.ji.(...5.....C.......

<<< skipped >>>

Map

The Installer connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1928:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SUPPRESSMSGBOXES

/PASSWORD=password

Specifies the password to use.

For more detailed information, please visit hXXp://VVV.jrsoftware.org/ishelp/index.php?topic=setupcmdline

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.3)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

1.0.5.a0.1_53762

%original file name%.exe_1928_rwx_00900000_000F7000:

.idata

.edata

P.reloc

P.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

.mlmt

P!*%U

odmbds94.essfJdcVk

].FIR]VCXEF&

JC.xm

dFÃŸJ:

z}.zL

)y*.Guk

S(.aK

.SZyuz"B7=f

?$Vg.Cv

wsiU%c})

Tu<.pbo>

'D.df

.fc*p;

QZc8%SA

.Kv>M

Q.tli

TCp?G2a

%F"#'

weBw

.Nv!Q-

%C/x[

cVtynZ.DQ

C.ddsb

.id&i[S|E4

HkyDt.Npq

C.tJ&

.ZDYVeiE

ha.Qc

H-&.Yr

N"%s*

bg,N.EkH

l@.VJ

.kqvP&

c=QHNNx.UB

sdP]szesqb,@Qm,97w;.Lw7AP

.sf# P

|llux.Sh

.`SP.bf

lVcUaOxH.fp

-U.ZG

v.XZpy

Qsqlc

^EBANRLSFJoin

r

.FR:.&

yt5.wW

KC.WH

.LSEBwWK

U@.qJ

rf.ss

T%f%li

W5?-.Gye

zFH.cC

KEy;sn

.epl%

.eshY

-7272}kS

sY9;@35;63@?.DP

5;7X4<.vj>

SA_E .mY

97Vo,kk0V=WV.cR

?051>8,17

,`2&>?12

)?0.P->X,O-`)H-Ht.Mx[TgK

Hzr.rN

^F4..lc

~vC

nbwku.bxPQ

"_T.yw0

Eky_[\.YC

np`raP.QH

Hg.iYml

.Vn&V

ho[u.EH

pyv.IB

ppSpi-.osd

%F/jTs`

PAVTEU)J.lY:RB2>t.

MKXZH_.Vf&YSV`\^^`:CWGT,B

y9U

fVG].zKYMTMY

ir\mo.Mr]

B.BK5

bIww8f.qgA

5.cz z

n.xkoL&y2

$3%UE

N.pvU=

.SEJ;

.xmy

O={%U

n3^gk%U

8`c-%c

C5E.Wex

j%u( J

k.bBv*

.8..AWTY3`D

tbigztEy.Ht7

;N)W-_,[)2.eT

.sG-d{8

(]Ã€

Dj.RG

)13%uv

Z.Nmd

&:ubsew.KA

!.AfN

%SUIN

C.QQ6!

tnyd.dX

onr)X.jN"2E"

-E.zw

|rqI.Ykb8C

mw.udA

;.OT4

.jB&poo`swje.:)

ATRg .qJXXV5.y,5

TV,X.QVXOIZ]\.d[

TULT3>.QEKM

.IYXHW

SN%u3

x<.xhs>

z[.XmAJyyj

Dg.ct

FKEY

.wpEqri

.SbXSx{

%U(HJ

D,8-XuA.dgwt.ngJ

a,w.fk`

_bk\eab.Lv

U:LXGQa.Cz

g[k8tuyz4-.pw6n

qgh,D.ew2kDCYk2

/.mQ-5

JMolgx.mu

pnnvs-.nsms

ncrtw

=.DK9

.gv7/

.Nr x

P.cbM7

i.oMU

(CW

_S~L

scn%s

%c@I,

1F{.Ng

?.Sj/

m.jJplb

.kx{:

%S.!RE

%2s"9;

04,0 '(4

-e4.QU

Q.md{

REKXEV94.ZVV

uexuhy94.ess

tkrtcs94.ess

tkresz94.ess

zey94.ess

rhm.ess

ksd94.ess

ksduac94.ess

lpdss94.ess

MKVUYX.ZVV

aldm94.ess

xdmlykb.ess

TcrsMCCblcussdmFWZVV.ess

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

GetNamedPipeHandleStateA

GetCPInfo

CloseWindowStation

GenericLoader.dll

; ;$;,;7;

nhmkuftpilnnh

KWindows

8%xHi

nr%D

06wcRt)

.PL0Mf2

b.GT_

.Wljw%b

UIÃ¿

}-.l,.Wf

yF.Wz

a.Ce{

RU%SIO

2.mc)

.Dxh"

).CN0.

6%6X4

)'.Bj

K&?Ã¿

)JcM.aq

D?I

.cJVL

qH.ng

{Ã¸x

}8o

6t.jM

GEz%x

2.hrf

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

I/O error %d

Integer overflow Invalid floating point operation

%original file name%.exe_1928_rwx_00BB0000_0009C000:

.rsrc

~H.Pp

kernel32.dllwGetLo

{_.SCK_LINES/

GI.vr

Keywor

%s[%d]d=

_%di#w

.FDiag

Lz.Ix}

%XV;P

Ha=.hnY`

"%cgk

E(AL("%s",4),"

4'.Yt

.Rx>U

.dD}ohD

#t%D@

hy[I%X

,keysK

P.csy

%XG?;

.Xx%P,

LPC#I%xI/

%F$wm

o[0%F

tLcibD.ZP

I.eeln

.ye/y`F

ToiZc.Xhj

I.cG/

.DZOLdyE

pu.Pt

jguZ$C%c

T,/.Om

%u3,]

T7\webqskv`T-Y

nz-X.EoT

s:.LG

/=xR%U

.ojxQ/

t

leQ_lgdljn-:Pr-30f?.Vf0WQ

ssav.Fp

.[FQ.nw

sLtMuYvT.wh

THttp8hbD

,M.DJ

x.NDhi

.SK@./(Lk

ic6.fA

RI.AT'

.VFEBfAR

oc/K-33?.}M:.jG

mw.ll

,.Ri"ko

%sg}ai

URLs1n/

A6;,.Jid

#gST.tI

.dhs!

.dlpO

.SJ}wF

lO3?:96=>?59:;.ZQ

6?0N2=.Lq

FW]E).rO

30Lk-oo7L

;768>1-80

-[4/>;84

0FQO%SGl

D['-L}

;7.Q,>N-Y,[ T,Tc.Uv`HzR

Tgm.mX

\S2..st

bnfoa.nvQP

]H.if7

Eoi]`^.OI

bh[muQ.PT

Tz.yOrs

.Lb/L}

.Xjc'

pk`a.ET

)hix.CB

hhFhy,.kle

TPipe.y

QWLHEM G.sO@KB4>c.

URNDT].Lw/OFL[^\\[@IAJH-B

wLJ_.gROUHUO

ym^rk.Um_

J B.BR6

nCff1w.jzW

b.vokV/i4

X.hxM

.FEG?'$

,%C;.'

.vri=

IWeb@

%D,33

%xpFRbtW0m#

|%xoDwu

'%s'R

I6E.Adv

o.nBx

.1..WAHO9[Z

1%X)w

-|~.US

cnyzgcEi.Tc0

?X A,]-` 4.dH

*.lJ,e

Zq.KJ

D.Xre

/@anldf.RW

(%.WwX

I.PP5%

cbie.eN

X(kbm N.qX

,E.gf

2

mjC.Oon1I

gZY*rf.aeW

?.YH2

.qB/hkk[lfqd.@

NPIPE_DATA

WHKz).jGNNL6.i-6

HL-N.PLNYCD_^.e`

HMVH9>.PERU

.CONTA

v=.vpF

}g`.NrWGiiq

Zz.tc

.fhEjmy|

.FnNFv

xEXE&0

>$.PG

Z-1,NaW.ezfc.bzG

u-f.wo[

]no^dun.Vx

Z.OO*YpC('

M@VNJPu.Ig~%

z`o1caig2,.hf5b"0cfh

jzp-Z.df4oZIOo4

&.rP,6

GUkszv.ra

hbbxl,.blrl

<.zr3>

.zx0&

udPU

Q.tnU0

~%S@ |

y.kUM

y~%c=H

Ã‡'s

J%Clq,

s*.hw

LGE%dJ

;.Fq&

r.qGhsn

M(.ov

"$ %),'8

$"!(&&$' )

1 0 .'7(2':

/*-( ,'.-!

*/.)*72-7)

,d2.PM

~$P.re

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

mpr.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

HtmlUIInstallerSADLL.dll

%original file name%.exe_1928_rwx_00C51000_00161000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

EVariantBadIndexError

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeywordH

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeys

AutoHotkeys8`

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDown8;

OnKeyPress

OnKeyUpD:

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

A`bng`@ikc-4,uUxlxs-4,Ht.HA

Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP

TThreadExecuter

TScanAllWindowsCallBackData

Portuguese

ZkkdDocjn^g-4,o.ye

^ioM-3,iiziGmwItI.cG

\h-2,Jfal\`dgxj-4.DZ

,-\ T,/.Om

hcl.sf

webqskv`T-Y

oj-2,`ac

ak-2,`ob

IN]JVN]K]KJ]B]F^UF@@]\v-2,ujbRBjazsnc^s`lkr-1,`-1,].jl

7Teah P,Ckh`-3,fkgo-2,7*NNYO.uh

1.2.3

THttpTimeOutThread

THttpCallBackShell

Gx-21,\igh]ixyj-42,M.DJ

A`qjz``-0,ZkdkNgij.pc

Kcqjpc`-0,Aaj-1,gEdafa`.pM

Jmvgknm Q,2,,)27,.Pkbjhu-4-.,IV,,8)37,.Spejblx Q,2,,

Ecezcb-4 S,Tmeic6.fA

Bc/K-33,`-1.jG

Jbhblnrefc V,H-0,bv-1,li.AT

Uju-0,c-2 W,Ht-2,h-4.Rq

Ijv-1,h-0,jm Q,Jq-1,n-2,/,.u`l,.lnmw Q,ll`oj`zh`m-2 Q,xjzi`vz Q,kbz`.^l

Q-0,iznjib Q,`u,.tgu-0,qyi-1,ulb.a-F

Ob-4,/dcdzfe, kh-3,`/r-2,jld.vL

V-1,ns-4-.,hx V,lmdeehea,.mdhi Q,hi`onezhdh-2f.a

ebP-3,dLfnda`-4,`yj-4.PL

Retrieved Filename from Url:

) is different than supported (

Urls stored in Chunks Map differ from the ones provided, ignoring the Chunks Map:

Chunks Map contains URLs, but the size is illegal:

New Source created, url:

, httpCode:

, url:

, Url:

, old Url:

, new Url:

Switching suspended Server back to use; Url:

, HttpCode:

TDownloadConnection.Destroy() was called from not authorized thread (

HttpCode:

Unsupported 3xx redirect response, code:

]DKizHi-4,exc-1,Hc`hk-3.GI

L_LCUNTF, KHC.op

0.0.0.0

3?:96=>?59:;.ZQ

6?0N2=.Lq

;768>1-80

cabinet.dll

\fgejnhg,.Dhr,.f-3- ,z`b, -2,gbyz,..8y

Unable to extract the file via CMD, gonna try regular write:

000000000000

Report is too long, data will be lost; RepCnt:

Report seems to be larger than recommended, can happen only on special ocasions; RepCnt:

;7.Q,>N-Y,[ T,Tc.Uv

Reporting failed on first attempt, second attempt is cancelled (finallizing)! HttpRes:

First report attempt failed, going for second! HttpRes:

The report failed! HttpRes:

Report sent, Url:

Y]H.if

d-3,tdcQqdc.Lb

TUninstallExecuter

)hix.CB

Y^`acxziagKphh-01,hy,.kle,.jh, mzhjzmi, afar,.gchk V-C.8

RootKey:

RegDelKey:

ExecuteCmd: key=

KillProcess: key=

: key=

Remaining uninstall instructions after exeution:

ExecuteCmd:

ExecuteCmd: ExitCode:

TPipeServer

TPipeObject

TPipeServerListener

TPipeClientU

Starting default pipe server, PipeName:

isrPipe

Falied to start default pipe server, PipeName:

CJ[hx.Xu

_.Wo*BC-T5p7d.V-b,

Downloading Bundles data from adServer on url:

NAER_[URNDT].Lw

Report main param:

Report Url changed dynamically from:

Exclusive Execution mode is switched to:

Report param

Report param:

Package execution returned bad ExitCode:

Package execution failed, bad ErrorCode:

LJ_.ge

Download request queued, urls:

fxk S,Cym^rk.Um

Starting Report, status:

ole32.dll

olepro32.dll

IWebBrowser

IWebBrowserAppL

IWebBrowser2

TEWBWindowSetResizable

TEWBWindowSetLeft

TEWBWindowSetTop

TEWBWindowSetWidth

TEWBWindowSetHeight

bstrUrlContext

bstrUrl

OnWindowSetResizable

OnWindowSetLeft

OnWindowSetTopX

OnWindowSetWidth

OnWindowSetHeight

grfKeyState

TComTargetExecEvent

CmdGroup

nCmdID

nCmdexecopt

hhctrl.ocx

URLMON.DLL

SHDOCLC.DLL

rcmDefault

rcmDebug

DontExecuteScripts

DontExecuteJava

DontExecuteActiveX

DisableUrlIfEncodingUTF8

EnableUrlIfEncodingUTF8

CheckFontSupportsCodePage

DisableSubmitUrlInUTF8

EnableSubmitUrlInUTF8

lpMsg

PMsg

pguidCmdGroup

TTranslateUrlEvent

pchURLIn

ppchURLOut

CmdID

pszUrl

pszUrlContext

szPassWord

ErrorUrl

OptionKeyPath

OverrideOptionKeyPathD

OnTranslateUrll

OnCommandExecx

'%s' is not supported.

TMsgEvent

TKeyEventEx

Port

Password

poPortrait

OnKeyDown

0.750000

3333333

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(

This object does not support this method (

Unsupported type for Parameter with Index %d

Method call unsuccessful. Object: %s, Method: %s, Exception: %s , Source: %s.

hXXp://

hXXps://

eiOnKeyDown

eiOnKeyPress

eiOnKeyUp

OnKeyUp

Handler with EventID = %s already exists.

Error on IConnectionPoint.Advise

Source don't have connection point for [%s]

JS event callback execute start:

JS event callback execute end:

JS function sync-execution failed with message:

] execution failed with message:

MAPI32.DLL

LeftPopup

not supported

YR-0,xh]izn.cQ

2.1.0.0

This exe was created with an old version of HtmlAppMaker.

-0,cnyzgcEi.Tc

https

Log server Url is invalid:

Sf[.t,T*.lJ,e

Sending Log to the following Url:

Log Http request has failed, res:

Log Url changed to:

MSGALL

irsoMsgDialog

irsoJoinPath

irsoGetCmdLineParam

irsoGetCmdLineCount

irsoGetCmdLineIndexOf

irsoGetCmdLineParamValue

irsoGetCmdLineAll

irsoRegCreateKey

irsoRegCreateKeyTree

irsoRegDeleteKey

irsoIsRegKeyExists

irsoRegListKeyValues

irsoRegListKeyKeys

irsoRegSearchKeyKeys

irsoRegCopyKey

irsoGetRegKeyInfo

irsoHttpGetData

irsoHttpGetDataInThread

irsoLibraryExecuteProc

irsoLibraryExecuteProcW

irsoLibraryExecuteProcWithResult

!irsoLibraryExecuteProcWithResultW

irsoExecute

irsoExecuteDllInProcess

irsoSaveExecuteUsingCMD

irsoIsMutexExists

irsoCreatePipeServer

irsoStopPipeServer

irsoSendDataToPipeServer

irsoSetDebugLogUrl

irsoGetDebugLogUrl

irsoGetWebBrowserHandle

irsoGetCurExeCheckSum

irsoGetExeInjection

TExecArgs@

iubnyybRolkanldf.RW

b-1,[-1,e.Hv

.html

H-4,njBdi-2,o-4,r.vY

-4,fhxXahcxgw.rg

gghYcjrf.ae

jehGbeags.qB

PIPE_DATA

PIPE

LNYCD_^.eP

HMVH9>.PE

-3,1 T-1,`-4,b-4,w37 P,abov=.vN

IE WebBrowser docRendMode:

IE WebBrowser docRendMode is not 7 (

THtmlUIExeAppU

Pipe [

HtmlUIExeApp

Pipe command unknown:

ung`.Nr

HtmlUiExeApp

gbo`dhfm.cV

irsoExecutePackage

irsoReportPackageError

irsoReportPackageSkip

irsoReportPackageQuit

irsoReportPackageSuccess

irsoReportPackageInfo

irsoGetPackageFilenameFromHttp

irsoGetPackageExecExitCode

irsoGetPackageExecResult

irsoGetPackageDwnldUrls

irsoSetPackageRelProgressShare

irsoGetFireFoxEXE

irsoGetIEEXE

irsoGetChromeEXE

irsoGetOperaEXE

irsoGetFireFoxVer

irsoGetChromeVer

irsoGetOperaVer

irsoUninstallAddExeCmd

irsoUninstallAddOpenBrowserCmd

irsoUninstallAddRegistryKey

irsoUninstallExecute

irsoReportStart

irsoReportInfo

irsoSetExclusiveExec

isroSetReportUrl

-11,jycmjaOaahDgvyc-11.Pg

An attempt to download bundle data was denied: adServer domain name must remain the same! Url:

zfc.bz

]no^dun.Vx

\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>

\GCAPMA][.oj

TcUlue.PL

W`mmqzeon,.wvamaff P,4.]

z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1

e-1,f.Cw

-0,ilCcbd.LG

)h-4,k.bR

Failed to execute the Watcher in mode

Watcher was successfuly executed in mode:

Ukszv.ra

[eckbn R-2,a, kgg-4,khbbxl,.blzzjneky R,N[B,,-G.9

FbghLbtaYhe.AU

1.2.1

?456789:;

!"#$%&'()* ,-./0123

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

udPU

Q.tnU0

~%S@ |

y.kUM

y~%c=H

W77>%cxg&

.bCP2

4OÃ¹

Ã‡'s

J%Clq,

(.aHl

s*.hw

LGE%dJ

GetProcessHeap

GetCPInfo

RegQueryInfoKeyA

RegOpenKeyExA

RegFlushKey

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

EnumChildWindows

ActivateKeyboardLayout

GetKeyboardType

"$ %),'8

38000=344

4? 3!0 3!6

&W!%D)*

H.JXA

1 0 .'7(2':

- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)

&)"%&$&'&",,/- '

944(@32%2u8

.PMDF

2222444424

.idata

.edata

P.reloc

P.rsrc

/*-( ,'.-!

*/.)*72-7)

,d2.PM

~$P.re

Attempt to access registry key: "

supported by OS for "HKEY_CURRENT_USER\Software\"; access directly under "HKEY_CURRENT_USER\Software\Wow6432Node".

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Execution AdminMode ADM_DEGRADE is not supported; using ADM_AS_DESKTOP instead. File:

There is no source with range support for connection, picking one without.

None of our requests are passing in Proxy Mode - suspecting inability to download from current server, trying another HEAD request to make sure.

File size seems to be changed from the same source after HEAD request, suspecting rare case of lack of HEAD support - disabling it.

Only HEAD requests are passing in Proxy Mode - unable to work with this server (probably no Range support)

TDownloadAccelerator.Run() was ignored, since another download is currently in progress.

Urls:

Pause request ignored, servers without HTTP Range support will cause download restart.

The source dropped range support.

The source does not have range support - ignored range request.

UnregDLL executed: "

UnregAODLL executed: "

ExecuteCmd: Exe:

Stopping default pipe server

Waiting for all the ongoing reports to complete...

; main package already reported

InstallerName altered after at least one report already sent.

Changing Report URL request was denied due to lack of Privilege Mode.

Installer Report Url changed after at least one report already sent.

Installer Account Name altered after at least one report already sent.

SDT changed after at least one report already sent.

package already reported

Starting execute (NoExecute - skip), exe:

Starting execute, exe:

MSI package detected. switching to synchronous package execution

Execute request queued, exe:

errorUrl

\bin\SubWCRev.exe

Failed to launch htmlUI from the following url:

Log server Url is not provided.

Log Http request has timed out.

Remote mask loading is currently not supported. mask:

Registry entry removed: HtmlUI Browser object's IE7 fallback support is now enabled.

There is a registry hack to prevent HtmlUI Browser object's IE7 fallback - failed to remove it (HKEY_CURRENT_USER).

There is a registry hack to prevent HtmlUI Browser object's IE7 fallback - failed to remove it (HKEY_LOCAL_MACHINE).

Loading in stealth mode, url:

Read form default pipe timed out, can't determine if there's another instance running

Pipe server TIMED OUT , can't determine if there's another instance running. continuing..

CANNOT start default pipe server, possible reason is that another instance of this installer is stuck

Please login as administrator and try again.

Failed to remove the "Zone.Identifier" AltStream

Successfuly removed the "Zone.Identifier" AltStream

Failed to execute a Watcher process.

Watcher found a problem, but can't report - essential report data is missing.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

!Control '%s' has no parent window

Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file %s

Cannot open file %s

Invalid stream format$''%s'' is not a valid component name

Ancestor for '%s' not found

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation!Invalid variant operation ($%.8x)

Variant is not an array5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value"'%s' is not a valid currency value!'%g' is not a valid date and time

'%s' is not a valid GUID value

I/O error %d

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps