Installer.Win32.InnoSetup.2_358948ff6c – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):No processes have been created.The Installer injects its code into the following process(es):

%original file name%.exe:772

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:772 makes changes in the file system.

The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\bootstrap_17482.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (3879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1242154493\834030_stp.EXE.part (1523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PL.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Progress.png (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\text-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB953.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0A8.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\UA.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close.png (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB991.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\ProgressBar.png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close_Hover.png (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Desktop\Continue Media Player Installation.lnk (1 bytes)
%Program Files%\is833625.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Logo.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\dat\upd.DAT (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\IT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\BG.png (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\RU.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\EN.locale (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1242154493\834030_stp.EXE (251679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB962.log (8 bytes)

The Installer deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\bootstrap_17482.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB991.log (0 bytes)
%Program Files%\is833625.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB953.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0A8.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB962.log (0 bytes)

Registry activity

The process %original file name%.exe:772 makes changes in the system registry.

The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC CD 99 73 AF 7C 53 7E 0D E4 71 81 1D D4 FC 0B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Installer modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
8beb1a5bc7ef0e2a2d7eb44b74a2ade7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is1242154493\834030_stp.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\bootstrap_17482.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (3879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1242154493\834030_stp.EXE.part (1523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PL.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Progress.png (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\text-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB953.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0A8.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\UA.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close.png (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB991.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\ProgressBar.png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close_Hover.png (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Desktop\Continue Media Player Installation.lnk (1 bytes)
%Program Files%\is833625.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Logo.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\dat\upd.DAT (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\IT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\BG.png (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\RU.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\EN.locale (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB962.log (8 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments: This installation was built with Inno Setup.
Language: Language Neutral

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: This installation was built with Inno Setup.Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	37732	37888	4.60255	ee388f246260667e0b4dd45d4df25909
DATA	45056	588	1024	1.8986	d5ea23d4ecf110fd2591314cbaa84278
BSS	49152	3720	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2228	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	21228	21504	3.79482	4b1229b62c06d1816aab1b896b5cbf23

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 6
87626977af079b5b4a2441f44a016f40
e7205d4bacfcf5d725bb76223923c9cb
f67a513a3905af821bdc90e042530388
2a9141cb7a957176f3c30a7650cc5f0e
5844018c91be0f2a6c5705cc1297f62a
38d25300df4055f315f3a816f4bc7813

Network Activity

URLs

URL	IP
hxxp://os.vlc-plugin.com/CM_DS/?v=3.0&c=1852028036	52.19.236.195
hxxp://d3qor7nx9zb32s.cloudfront.net/exe/vlc-2.1.0-win32.exe
hxxp://os2.vlc-plugin.com/Aff-AD/?v=3.0&c=1852028036	54.93.97.68
hxxp://static.greatappsdownload.com/exe/vlc-2.1.0-win32.exe	54.192.95.223

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /exe/vlc-2.1.0-win32.exe HTTP/1.1

Range: bytes=22425600-24278648

Accept: */*

Host: static.greatappsdownload.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 1853049

Connection: keep-alive

Date: Wed, 23 Mar 2016 22:12:04 GMT

x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT

Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT

ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"

Accept-Ranges: bytes

Server: AmazonS3

Age: 12

Content-Range: bytes 22425600-24278648/24278649

X-Cache: Hit from cloudfront

Via: 1.1 ecc0c6e7bd06eacf696003aa79e1e25a.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ufqcGsujrHtUafG1eRcZpsSdnnxBpn3-hAK2zjt8x2d1frnodYRrtQ==

...^......o.......p..D....{v...r.b..8.I.6.?@-.......e...F.G..!.....G........%:.Y.@..K.=.2_{..5.....:T..u...aF..C...AC,>.....L.z...K..p4U....0.......<.r.6L..r.L..U.H..i4W....4.z......'..!......<..y......V.-:vxf..=.D....ec..{V;....N=......~.vu'...V.O'.F.$.71~..j........q..Y=W......O.)..[Di.c.........B..?..zx....Zi.....WT...l~.X.rAHc...Dy..o_-.qk.?b......r.`".y.K....N..5..yB]?.2i........r..D.vMP...q..P!..4...0K.V..J....*....x..../n......6.q...7.:^!".\.?..}.|#Z>. t.o....0........S{lq...6.W.G...E.._..D..SYpJ.?..Z.....~......Yq...!.S....G.<._.*e...M....-..|.[...J....hJWO\.0.QC...Y.<.w...L......zJ6.*N.Dr!.6b.K.U......T .Q..(X......is.u..O$*.p........X..........@|#.[......6.=..1ZE[e..F,b.`.*w....o%...QK.z...9r!R.c..%....a..g.].8.$B.{.O."(.^l.w...N.......v.......j.7.H..].W.i...zh.7.......D.........S..IiO....2.......n ........0..C8w(.@.3 ..`@...<b'I.......3.....H.....Zc~.o..*...e.G.s...'....x&h.....A...W....G...._..'k....t...o.1..k..#...........&....ST....9P......1..I ..[.#.?z.....u..j..XC....*.;...........ll...fc&...T.QD..".u/d....H{.~...KU..=cW..>g.'K.....X....."....~9.r..m.e.........87J......S.x...@.....^.c..Q.......J...o..r.[c5 ..:.sN..7.F.....X4...r...0..p!...S....m.....*..e%...G2...@.E.G_...}$?.4hf"7_..9...\..DW._.]....:.;Xp.....].......j.`l......1..........6,.7..~8....E..-.xE...j...).s....kN..........&2.DTP...[.od.........x..fBN.......`d cv..Q..L.4.....C"k$|....Pn.[..o.....m<\.qn......M.y./.%$.V..7hS..:\..._ }.Gj...>..w...U..`.H.<W\Z.D..w.r..../...'.....~.vNK..........y.A.4.1)..DfH

<<< skipped >>>

GET /exe/vlc-2.1.0-win32.exe HTTP/1.1

Range: bytes=0-24278648

Accept: */*

Host: static.greatappsdownload.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 24278649

Connection: keep-alive

Date: Wed, 23 Mar 2016 22:12:03 GMT

x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT

Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT

ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 0-24278648/24278649

X-Cache: Miss from cloudfront

Via: 1.1 01aba6a110b5612d129a6b912fa21044.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Wxn6qIbTvJ2BBlY8wnhuwBhk9G_OXQZfaHKmEnqEkc5DPNNGeCqZmw==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..O.....................P......'C............@..........................p................ ..........................................a...........................................................................................................text...D........................... .0`.data...............................@.0..rdata...#.......$..................@.0@.bss..................................0..idata..............................@.0..ndata...P..........................@.0..rsrc....a.......b..................@.0.................................................................................................................................................................................................................................................................................................................................................................................U..WVS.......U..E....t...F.........{B..H...H.......M..E..5H{B..D$...$....B..M..E.....SS...E...$.D$... .B..M..E......M.WW......M.)..M..NT....NP........E.....}...VT........FP..E........}..VP........U.......FT.............}..........E..M...$..|.B..E..R...D$..E..D$...$....B.....<$....B..E..Q.}.;}...Q....~X........F4..$....B...W..........$.E......E......D$.........B.RR.FX..$.D$.....B..5..B.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$..{B.....B...|.......T$...$..QQ.<$....B.S.M..E..D$...$....B.PP1....D

<<< skipped >>>

HEAD /exe/vlc-2.1.0-win32.exe HTTP/1.1

Accept: */*

Host: static.greatappsdownload.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 24278649

Connection: keep-alive

Date: Wed, 23 Mar 2016 22:12:03 GMT

x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT

Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT

ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"

Accept-Ranges: bytes

Server: AmazonS3

X-Cache: Miss from cloudfront

Via: 1.1 9c639fa8cc4e8890b24d42b79b84df74.cloudfront.net (CloudFront)

X-Amz-Cf-Id: pdVic9yeSQHsP915rZSVdPR-WTSWAZ5l-5usqcKfzq6n3NrwXKKRKQ==

GET /exe/vlc-2.1.0-win32.exe HTTP/1.1

Range: bytes=12697600-24278648

Accept: */*

Host: static.greatappsdownload.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Content-Type: application/octet-stream

Content-Length: 11581049

Connection: keep-alive

Date: Wed, 23 Mar 2016 22:12:04 GMT

x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT

Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT

ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"

Accept-Ranges: bytes

Server: AmazonS3

Content-Range: bytes 12697600-24278648/24278649

X-Cache: Miss from cloudfront

Via: 1.1 22d1c3da7034c9d974fcbde908eb6a50.cloudfront.net (CloudFront)

X-Amz-Cf-Id: UwXyLQLfhvYvIeEUkyAlRJRJTE0TlqULijCZr1P4Cp7bbE8F0Ha8ZQ==

......r.......c.b.T.{.a.Z...........'.*...h.....%..l.`...qN9.<j.5}.#.......<...)......~]...@......./....&.i.N.yK.0.....N6.*g.......G_........u...0ap.^...%..\...T..` .......SnQ....I.....K.9{...."... [.........<."{...... .......i.T.......w.._..g4.i..@;m...%...u.Aw..A..r.Mr`.'.X.f.6...;l.....EF.[...;k...............o.:H]S...,K..e .9Tf.x.v.....Yh.W..m?._.].u..Qc..u...v.b...XQ..n.?.u.....Kl....RL`...n..4..$.....V.0..6.!*..{X. .3.}.u..W.@.!.t..!..o<.....{:...q0.W....a ...'\.....A.U....,[...@#>...o.]B[ .....%Oh.B........_.iWe..h..H..V aTS.lr.j.pd.. .....u..K(D.l.a"...Z...D...v....&V?.=...@\t"A..s.L.g.....u.l.e).AJ9..&.........j......B.@V.l..o7)..h..W....f.!?..!..G...m...."`A4. S..E... ..g.B....J..fX...Lx...D.f......@....~:q...#.TH....D..........^9n.<F...'...f.........V..@...<JT.=...as...G .....l$...'XA.Wh....c.E.....[CM.>..Dd...dW.`.I%....&....I..Q).....9.8b..ND!M.Uq...}..O;gs.....0.O..#W8.S.r.3<.....[...5.L8^.'.].o...p..O~WI...Zl.a.`(.iXL.7..H1j).pH...6...7.H.$......... k.........o.I..w..|.)M$...)5..-.b(.b.Abz ......W.a.)Z.z....<p....m-ReZ..J@.S.R.X3p.Z2...X{....}u...Y...{....j.i<.............*...R...V...903._.......y..\...VDXT...t.6O......!v...?...r.>.?.g.Y5..pj.......4C..4./B......Z9...:.;...'..f..F"h...f..4...T..X^..!>.~l..../\.J..m.'a<.'..@.$......#......`.........H.r;zQ.x....U..Nf.!.V...pe..... .`.u..2..4..=h...`..7..Z..l.:...r&.z).......3.../..q.....?.F............nP..#.Z...#.y?.f|.O....x .8 f..:.V-..z..x8..i.|v..... .........~.T.;^.=..D......f ...N$.Z.vR^hS...Q...|.'Z

<<< skipped >>>

POST /CM_DS/?v=3.0&c=1852028036 HTTP/1.1

Accept: */*

Host: os.vlc-plugin.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 786

Cache-Control: no-cache

0A0CzutC0HtC0QtC0VtC0NtC0NtC0OtC0RtN0U0I0DzutDtDtD0CtBzy0F0DyDyD0A0DyB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzuzztAtAzyyCyDtN1L1B0A1Q1H1L1GzutCtN0T0KzuzztAtAyBtAyEtN0U0I0DzutDtDtD0CtBzy0F0DyDyD0A0DyB0AtByDtN0S0D0TzutBtDtCyCtDtAtByEtDtDtDzzyEyBzztDyBtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0M0A0C1V0LzutDtDtD0CtBzy0F0DyDyD0A0DtN0P0E1V0M0O0D0Ezu0D0L0LtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0CtAyDzzzyyEzz1O1OyC1R1RyCyCtD1PtAyE1SyDtCyEzyyCtAtB1OyCyCtCzz1QyBtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutBzzyBtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutCzyyByEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1H1P1Q1L1T1V1E1I1T2U1P1C

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Wed, 23 Mar 2016 22:12:02 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Wed, 23 Mar 2016 22:12:02 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive......

POST /CM_DS/?v=3.0&c=1852028036 HTTP/1.1

Accept: */*

Host: os.vlc-plugin.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 786

Cache-Control: no-cache

0A0CzutC0HtC0QtC0VtC0NtC0NtC0OtC0RtN0U0I0DzutDtDtD0CtBzy0F0DyDyD0A0DyB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzuzztAtAzyyCyDtN1L1B0A1Q1H1L1GzutCtN0T0KzuzztAtAyBtAyEtN0U0I0DzutDtDtD0CtBzy0F0DyDyD0A0DyB0AtByDtN0S0D0TzutBtDtCyCtDtAtByEtDtDtDzzyEyBzztDyBtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0M0A0C1V0LzutDtDtD0CtBzy0F0DyDyD0A0DtN0P0E1V0M0O0D0Ezu0D0L0LtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0CtAyDzzzyyEzz1O1OyC1R1RyCyCtD1PtAyE1SyDtCyEzyyCtAtB1OyCyCtCzz1QyBtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutBzzyBtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutCzyyByEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1H1P1Q1L1T1V1E1I1T2U1P1C

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Wed, 23 Mar 2016 22:12:25 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Wed, 23 Mar 2016 22:12:25 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive..

POST /Aff-AD/?v=3.0&c=1852028036 HTTP/1.1

Accept: */*

Host: os2.vlc-plugin.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 786

Cache-Control: no-cache

0A0CzutC0HtC0QtC0VtC0NtC0NtC0OtC0RtN0U0I0DzutDtDtD0CtBzy0F0DyDyD0A0DyB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzuzztAtAzyyCyDtN1L1B0A1Q1H1L1GzutCtN0T0KzuzztAtAyBtAyEtN0U0I0DzutDtDtD0CtBzy0F0DyDyD0A0DyB0AtByDtN0S0D0TzutBtDtCyCtDtAtByEtDtDtDzzyEyBzztDyBtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0M0A0C1V0LzutDtDtD0CtBzy0F0DyDyD0A0DtN0P0E1V0M0O0D0Ezu0D0L0LtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0CtAyDzzzyyEzz1O1OyC1R1RyCyCtD1PtAyE1SyDtCyEzyyCtAtB1OyCyCtCzz1QyBtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutBzzyBtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutCzyyByEtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu1H1P1Q1L1T1V1E1I1T2U1P1C

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Wed, 23 Mar 2016 22:12:30 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Wed, 23 Mar 2016 22:12:30 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive..

Map

The Installer connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_772:

.idata

.rdata

P.reloc

P.rsrc

$h.CB

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.0)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

.uy}"

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

%original file name%.exe_772_rwx_00900000_000C5000:

.rsrc

6|%x=n~0

kernel32.dllw)

a.aUCNM

l.Tc_It.

Keyw

3%Cp)

r%DnI

.FDiag

Ha=.hnY`

?7E(AL("%s",4),"

#}%c!

u..Qi

4'.Yt

-i.aN&,

keysK

.jw@]

2301654879'

a.thz

Ht.HAG

tLcibD.ZPo

%uhrskNr

*.*2XE

.dwcnh

nmhpjhc03.fcclJLO

1.2.3'

THttpR

pM.DJ?

}.EOtJ

bVsqlz3_

T.lLp|

H.NOr0

,zH-S.Gg

.IV`F

w'|%C

.FJn`

.H.VZ

Mozilla

\O.Rhn

.cjjm0).S"'b

.rdf'.fksd'

fe..js

nt_urlzi`

Q$.Xp'Q

HURL

`_Key=c

Da.Agt&(-

%dnZC

Uix.obk

_%tCp

msGu

|%F~E

.ke;o

M".rv

Cfg.Fw

.LqW]E).rG

I.hlpkI

I.dd\

B.ssrsko-!

Ãd4

[hx.XuRR

HTTP_CbBXR

'ExeChkSum=

'%s' i

tkA.CH

OycC.Ej

2.1.0

%XoUa

8b8%SO

mGOPIPE

j0Ã˜#

.iGF>'

qah`k,.nlvcbqff,-U>o

z`o1caig2,.hf5b

J?.DD@

Wx%cK

W,[%S

_}.PYJe

.ErfjD

,b%F#

z'%uP

mtcp

wv6.Hx

QRB%u

EG%XoW

^.bc;

t.OCO

,p.GO`

EtCp

.dcM4

22]%F

CmDPN1

.cfng

Q?%9U

i>@.qq

9.YLJ

Ii.%c

D.Ke}

7h .Lu

$

.VGj,

WKey#

W-'%X!

.DF'NX\

"$ %),'8

$"!(&&$' )#

/*-( ,'.-!$

CQHR%D

&",,/- '

P.reUG

KERNEL32.DLL

advapi32.dll

comctl32.dll

comdlg32.dll

gdi32.dll

ole32.dll

oleaut32.dll

shell32.dll

URLMON.DLL

user32.dll

version.dll

wininet.dll

HtmlUIInstallerSADLL.dll

_.yNFn!

0.PY:pS~

J,"

.Rtga"Wtdx"Pwan7

-,567787

%original file name%.exe_772_rwx_009D1000_00170000:

kernel32.dll

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

EVariantBadIndexError

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

UrlMon

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword8

crSQLWait

%s (%s)

IMM32.DLL

AutoHotkeysHb

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewWindowStatetd
OnKeyDown
OnKeyPressP=
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
2301654879
A`bng`@ikc-4,uUxlxs-4,Ht.HA
Vh-0,Cd`jiVhlxwd-0,tLcibD.ZP
TThreadExecuter
TScanAllWindowsCallBackData
Portuguese
i\*.*2XE
i.dwcnhE
nmhpjhc03.fcclJL
i.ulzn1E
1.2.3
THttpTimeOutThread
THttpCallBackShell
Gx-21,\igh]ixyj-42,M.DJ
A`qjz``-0,ZkdkNgij.pc
Kcqjpc`-0,Aaj-1,gEdafa`.pM
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code
sqlite3.dll
ESQLiteException
TSQLiteDatabase
TSQLiteTable
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
select [sql] from sqlite_master where [type] = 'table' and lower(name) = '
Could not prepare SQL statement
SQLite is Busy
https
t%f;u
SOFTWARE\Mozilla\Mozilla Firefox
8SQLit
install.rdf
DoSetChromeHomePage AL=
SELECT value FROM meta WHERE key='Default Search Provider ID'
SELECT short_name FROM keywords WHERE id='
Exception in InstallChromeExtensionRegistry:
manifest.json
UPDATE keywords SET sync_guid='
UPDATE keywords SET instant_url='' WHERE id=
keywords_backup
DROP TABLE keywords_backup
CREATE TABLE keywords_backup AS SELECT * FROM keywords ORDER BY id ASC
autogenerate_keyword ||
SELECT id || short_name || keyword || favicon_url || url || safe_for_autoreplace || originating_url || date_created || usage_count || input_encodings || show_in_default_list || suggest_url || prepopulate_id ||
created_by_policy || instant_url || last_modified || sync_guid
FROM keywords ORDER BY id ASC
RemoveChromeSearchProvider - cannot remove
DELETE from keywords WHERE short_name='
RemoveChromeSearchProvider - exception:
SELECT id FROM keywords WHERE short_name='
Home URL
Amazon.com
eBay.com
Merriam-Webster
Suggest URL
Opera Preferences version 2.0
; Do not edit this file while Opera is running
Key=c
Suggest URL=
Protocol is unsupported
Retrieved Filename from Url:
Restart attempts surpassed the maximum (
hXXp://
New Source created, url:
, httpCode:
, url:
hXXps://
, Url:
, old Url:
, new Url:
Switching suspended Server back to use; Url:
, HttpCode:
TDownloadConnection.Destroy() was called from not authorized thread (
HttpCode:
Unsupported 3xx redirect response, code:
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
]DKizHi-4,exc-1,Hc`hk-3.GI
6?0N2=.Lq
;768>1-80
005345000000
000000000000
000000000010
000000000030
cabinet.dll
Reporting failed on first attempt, second attempt is cancelled (finallizing)! Url:
First report attempt failed, going for second! Url:
The report failed! Url:
Successfull report, Url:
TUninstallExecuter
TUninstallExecuter can be created only once.
RootKey:
RegDelKey:
(FF) TUninstallExecuter.RestoreBrwAddrSearch: OpCode=
(FF) TUninstallExecuter.RestoreBrwSearchProvider: OpCode=
TUninstallExecuter.DoRun: Key=
CJ[hx.Xu
Downloading Bundles data from adServer on url:
BND_HTTP_CODE
&ExeChkSum=
Report main param:
Exclusive Execution mode is switched to:
Report param (pkg:
), exeName:
dwa.Err
dwa.State
dwa.ErrHistory
dwa.MaxSpd
dwa.AvgSpd
dwa.Time
dwa.HttpCode
dwa.PrtclCodeHistory
dwa.ConnCnt
dwa.Opt
dwa.Size
dwa.Progress
dwa.IsProxy
dwa.Restart
dwa.Heur
dwa.IsAcc
dwa.SrcNo
dwa.Url
GENERIC_WINDOWS
NO_JAR_SUPPORT
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser24J
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidthDP
OnWindowSetHeight
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExec(g
'%s' is not supported.
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown|
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
This object does not support this method (
Unsupported type for Parameter with Index %d
Method call unsuccessful. %s (%s).
eiOnKeyDown
eiOnKeyPress
eiOnKeyUp
OnKeyPress
Handler with EventID = %s already exists.
Error on IConnectionPoint.Advise
Source don't have connection point for [%s]
JS function sync-execution failed with message:
] execution failed with message:
.html
MAPI32.DLL
LeftPopup
TPipeServer
TPipeObject
TPipeServerListener|
TPipeClientU
2.1.0.0
This exe was created with an old version of HtmlAppMaker.
LOG_URL
Log server Url is invalid:
Sending Log to the following Url:
Log Http request has failed, res:
irsoMsgDialog
irsoGetCurExePath
irsoJoinPath
irsoGetCmdLineParam
irsoGetCmdLineCount
irsoGetCmdLineIndexOf
irsoGetCmdLineParamValue
irsoGetCmdLineAll
irsoRegCreateKey
irsoRegCreateKeyTree
irsoRegDeleteKey
irsoIsRegKeyExists
irsoRegListKeyValues
irsoRegListKeyKeys
irsoRegSearchKeyKeys
irsoRegCopyKey
irsoHttpGetData
irsoHttpGetDataInThread
irsoLibraryExecuteProc
irsoLibraryExecuteProcW
irsoLibraryExecuteProcWithResult
!irsoLibraryExecuteProcWithResultW
irsoExecute
irsoIsMutexExists
irsoCreatePipeServer
irsoStopPipeServer
irsoSendDataToPipeServer
irsoGetCurExeCheckSum
irsoSetSQLiteDll
irsoGetSQLiteDll
TExecArgsX
H-4,njBdi-2,o-4,r.vY
iexplore.exe
firefox.exe
chrome.exe
safari.exe
opera.exe
PIPE_DATA
PIPE
THtmlUIExeApp
logurl
irsoExecutePackage
irsoReportPackageError
irsoReportPackageSkip
irsoReportPackageQuit
irsoReportPackageSuccess
irsoReportPackageInfo
irsoGetPackageFilenameFromHttp
irsoGetPackageExecExitCode
irsoGetPackageExecResult
irsoSetPackageRelProgressShare
irsoIsFireFoxInstalled
irsoIsChromeInstalled
irsoIsOperaInstalled
irsoGetFireFoxHomePage
irsoGetChromeHomePage
irsoGetOperaHomePage
irsoSetFireFoxHomePage
irsoSetChromeHomePage
irsoSetOperaHomePage
irsoSetChromeOnStartup
irsoAddChromeUrlToStartupPages
irsoGetFireFoxDefaultSP
irsoGetChromeDefaultSP
irsoGetOperaDefaultSP
irsoAddFireFoxDefaultSPFromXML
irsoAddFireFoxDefaultSP
irsoSetFireFoxAddressBar
irsoAddOperaDefaultSP
irsoAddChromeDefaultSP
irsoGetFireFoxEXE
irsoGetIEEXE
irsoGetChromeEXE
irsoGetOperaEXE
irsoGetFireFoxVer
irsoGetChromeVer
irsoGetOperaVer
irsoLocateSQLite
irsoGetFireFoxCookie
irsoGetChromeCookie
irsoIsFireFoxExtensionInstalled
irsoInstallFireFoxAddon
irsoInstallChromeAddon
irsoUninstallAddExeCmd
irsoUninstallAddOpenBrowserCmd
irsoUninstallAddRegistryKey
irsoUninstallExecute
irsoReportStart
irsoReportInfo
irsoSetExclusiveExec
isroSetReportUrl
An attempt to download bundle data was denied: adServer domain name must remain the same! Url:
Report Url changed dynamically from:
RepUrlChanged
\fuj-1,w U,P\O U,qah`k,.nlvcbqff,-U>
TcUlue.PL
/UnExeFile:
UnExeFile
z`o1caig2,.hf5b Q,0cfh)914`,,34`6;ia2f=ae-3,L1
1.2.1
inflate 1.2.1 Copyright 1995-2003 Mark Adler
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
Wx%cK
/:%Ul
W,[%S
_}.PYJe
.Bfw%a
%Cj^#
%S7}~
.ErfjD
jx.XC
mtcp
Mtcp
CWh.CWh%CWh CWh?CWh5CWh0CWh
CWh.CWh%CWh CWhCWh,CWh%CWh=CWh5CWh2CWh
CWh%CWh=CWh:CWh3CWh
Rz(%X
t.OCO
,p.GO`
.dcM4
X|]J7%f
i22]%F
CmDPN1
Q?%9U
"li>@.qq
9.YLJ
Ii.Ã…
D.Ke}
7h .Lu
UW4l.WY
KWindows
XisrWindowsEx
YisrUrl
kisrSQLiteTable3
isrSQLite3
isrSQLiteUtils
hisrPipes
HtmlUIExeApp
WaitNamedPipeA
PeekNamedPipe
GetWindowsDirectoryW
GetCPInfo
DisconnectNamedPipe
CreatePipe
CreateNamedPipeA
ConnectNamedPipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegFlushKey
RegEnumKeyW
RegEnumKeyExA
RegDeleteKeyW
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
ShellExecuteExW
ShellExecuteA
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
GetKeyboardType
"$ %),'8
38000=344
&W!%C-7
%/  *(2'-=
1 0 .'7(2':
- /*-( ,'.-!$$$&'('/*) ,*/.)*72-7)
&)"%&$&'&",,/- '
SSSHHHK`````````````````q}
#)'%%'%'%
.idata
.edata
P.reloc
P.rsrc
P.reUG
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
PathToExe
mozsqlite3.dll
No sqlite3.dll
cookies.sqlite
"urls_to_restore_on_startup": [ ],
"urls_to_restore_on_startup": [ ]
"urls_to_restore_on_startup": [ ]
GetChromeDefaultSearchProviderFromDb - failed to get spid, returning default!
sqlGetQueryResultEx failed!
Opera\Opera
Opera
\operaprefs.ini
\profile\operaprefs.ini
\profile\opera6.ini
\opera6.ini
Software\Opera Software
locale\en\en.lng
\profile\search.ini
\search.ini
search.ini
\defaults\search.ini
DoRemoveOperaSearchProvider - cannot remove
" was sucessfully removed but references to its HexKey: "
TopResultURLFallback
FaviconURL
FaviconURLFallback
*.txt
.part
TDownloadAccelerator.Run() was ignored, since another download is currently in progress.
Urls:
Pause request ignored, servers without HTTP Range support will cause download restart.
The source dropped range support.
Uninstall\__Uninstall_.exe
Uninstall\uninst.dat
uninst.dat
regsvr32.exe
Waiting for all the ongoing reports to complete...
_EXEXE_
errorUrl
Registry entry removed: HtmlUI Browser object's IE7 fallback support is now enabled.
Failed to launch htmlUI from the following url:
main.html
Log server Url is not provided.
Log Http request has timed out.
Remote mask loading is currently not supported. mask:
Please login as administrator and try again.
Installer Account Name altered after at least one report already sent.
isroSetReportUrl() was ignored due to lack of Privelege Mode.
Installer Report Url changed after at least one report already sent.
.Uninstall\
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE error %.8x%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
!Control '%s' has no parent window
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s
Invalid stream format$''%s'' is not a valid component name
Ancestor for '%s' not found
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation!Invalid variant operation ($%.8x)
Variant is not an array5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value"'%s' is not a valid currency value!'%g' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps