Skip to main content

Gen.Variant.Zusy.97960_339ba7657a


Susp_Dropper (Kaspersky), Gen:Variant.Zusy.97960 (B) (Emsisoft), Gen:Variant.Zusy.97960 (AdAware)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 339ba7657a5d27939266a8f81b54d149

SHA1: f31f681993058d10fed73ca7111b0a683debdd1b

SHA256: 45cafcb6244ecac1594e41c2900f4d2e28ffdd36c0af3490e8fa60fee3fbf234

SSDeep: 6144:FIWbEGsxdTGzTb1P6LG/J9hS14sCIFQwaEyUNxYrYBei6CJYYbv:FISEGsx68LG/J9h1sQuxYrQUCJfv

Size: 335776 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-06-30 12:28:36

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):No processes have been created.The Malware injects its code into the following process(es):

%original file name%.exe:1876

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1876 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bg_app[1].png (3072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafplayer.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\base.css (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfsD.tmp (1789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safe[1].png (1521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loading[1].css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress.png (4 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].html (959 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateDisplays.dfe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\Dockings.dfe (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\doma[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\box.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\secure[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateStyle.dfe (45012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\welcome.html (151 bytes)

Registry activity

The process %original file name%.exe:1876 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1404120516"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B E6 EE A8 B5 30 A7 DF 96 E5 4F 46 EE 7A 4B FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
6a23beb2b76338c8f124532fdd2c652cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dfsD.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\style.css (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butpause.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bg_app[1].png (3072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position4A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3C.css (638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafmusic.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\show.png (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-zipper.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\config.dmc (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-geaudioconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3D.css (539 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\options.html (965 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-printpdf.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\instalando.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-vafplayer.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2A.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\base.css (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dfsD.tmp (1789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-gevideoconverter.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position1A.css (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\less.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\safe[1].png (1521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loading[1].css (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress.png (4 bytes)
    %System%\wbem\Logs\wbemprox.log (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check-close.png (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\close.html (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].html (959 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateDisplays.dfe (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bg_app.png (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\finish.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-olivebrowser.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\jquery.min.js (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet.gif (58 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\Dockings.dfe (5572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin.dmc (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\doma[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\logo-win.jpg (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.png (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\box.html (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\check.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\more.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\butplay.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-miul.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\percentage-bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\cross.jpg (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\hide.png (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position3B.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\secure[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\temp\templateStyle.dfe (45012 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\bullet-short.gif (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\position2C.css (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\group.html (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\boton_xl.jpg (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\progress_small_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\css\images\screen-ifish.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b9b7c0ef-a281-47dd-a30b-121941311963\bin\exe\welcome.html (151 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40967536642324485.5445973ac987bcca216a0688e98e6bec6a755
.rsrc75776098304962565.081444a72837e114b2fd8d4a4d016dc952cc2
.reloc8560645125120.188401ca001c7c4d67f995b8191dc8eedfef0e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 267
eafe1e39c33971a09a5ec7e13967e527
a980e23295a69541ea9ba7061b0236a7
16abcee7c8a11ccc6835cd58e126b567
e70f76146ae7eca21410c0f793e72da0
06c75fb5e12c07af1e891b2e5188737f
fcdf0ebdb43128be4676080835d01611
ea4aae8bb91b86821dc8e4f6bf5a07a6
c7fe44f457570667ec5ffc0febd573a7
a8d59e7c57cc643c880b891a219247d1
a6b8839f5e994707d1d935a413219419
9eb917fadd5cb47c3b57d68bd6d180b0
7933b30caaadc22967593b6cd97c9dd7
78f685a0d33e4ece1f49ecbb486b2be8
728587b636403782ee1a3585a6f19cdf
55c3ad1e86c8805c4fc383a5d51b1304
4fa6473702766c3cf582f9e36211fe1b
38e39a65dd93a208376898977de6f2e4
dc5275dd539bfb20d8a27712a5205c8f
c9eb95f15a300f7d2f7e55deb35e2c91
a8ad95b8d3fb961b21c27bfd3eba19d1
75b18996b526fef819263b5c0b19af8e
718d4daab904112ade233981410e4d4d
57b43b2e8ac7459e69369aeb23fadb13
2486a52fd4c5ab7a175e14a9c8424ed4
e46501cb21d77a4ba1c27590811a4396
ce57a1672a712b99ce43ab108b824606

Network Activity

URLs

URL IP
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/apiLoading/1026.html
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/box.html
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/loading.css
hxxp://staticrr.tgusrv.com/sdb/doma.js
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/bg_app.png
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/safe.png
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/secure.jpg
hxxp://staticrr.tgusrv.com/Loading/b111f3f2_loading_java-similar/images/loading.gif
hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/361/JFileManager/638/1026/English/WW.xml
hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip
hxxp://staticrr.tgusrv.com//Displays/Templates/756e2734_Win_A_Banner-NoLink-DeclineLink-Java.zip
hxxp://staticrr.tgusrv.com//Docking/Docking.zip
hxxp://api.v2.secdls.com/index.php/api/361/JFileManager/638/1026/English/WW.xml54.200.36.178
hxxp://staticrr.cloudbox106.com//Docking/Docking.zip85.12.5.27
hxxp://api.v2.secdls.com/index.php/apiLoading/1026.html54.200.36.178
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/bg_app.png85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/loading.css85.12.5.27
hxxp://staticrr.cloudbox106.com//Displays/Templates/756e2734_Win_A_Banner-NoLink-DeclineLink-Java.zip85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/secure.jpg85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/safe.png85.12.5.27
hxxp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/images/loading.gif85.12.5.27
hxxp://staticrr.paleokits.net/sdb/doma.js185.2.179.74
hxxp://staticrr.cloudbox106.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip85.12.5.27

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Loading/b111f3f2_loading_java-similar/box.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.safetydownload.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:19 GMT

Content-Type: text/html

Last-Modified: Wed, 28 May 2014 17:14:38 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Content-Encoding: gzip

3bf.............UMs.6.=[...!..$.:..6..ZV&.ql5a.............v... ).#...A"..o.o?.....&..g.p.$./.7.SB...O..]%W......2._..pe..Zq.....Z8W.3.4M....,Y..=z..7._..c.....Q.:|,....4............,..|H.y0....o1...,9%...dv..T. .Y......X...[-V1.j.@. YW@I.}....c>.....Xp..:x....`L.C*'......P.0.#...")..).,b*...ZJ...Z..`..G.C.....i?O?].....|.mfD...d.2.q'2c..K....P.c6OY.K.~.t...o2.E.h..E...D .[Ls..%*....$....u~..R...N.......:...4....<.....@YG..(. .In1w^G.....{..^v.>.=.QT.N.Af....tk.9...IT..D...(^z.....3..q....~wBvA( ..[,.......\.Y..1<..s...'P..F.X.gE...Z...>...7........xP'.j..t.F.xS..K.N.^.!.........W....K..*...gpuE.._..(...[.7..ZJ...Z...D(.L....D.. .r\E...i)}@...l..4d.............`!.Y.].....,..w..K<..r......>T.K...x...F...[.V.K..w.hq...U............_.{U..E.....@w.U..F}..w.=vo..~.;.n7^...q..i.9...&....C.....O@|C....lz....(...$_. .?(0..Q..#.....@........dLo...:O...1....6bY....i)....J...kg.e...s.....5N[.2).....9n.V7!...M{...B.:?.qL.......ru%ttt4.p?e..&[.....G.-8.....i.......0..HTTP/1.1 200 OK..Server: nginx..Date: Tue, 22 Jul 2014 21:06:19 GMT..Content-Type: text/html..Last-Modified: Wed, 28 May 2014 17:14:38 GMT..Transfer-Encoding: chunked..Connection: keep-alive..Content-Encoding: gzip..3bf.............UMs.6.=[...!..$.:..6..ZV&.ql5a.............v... ).#...A"..o.o?.....&..g.p.$./.7.SB...O..]%W......2._..pe..Zq.....Z8W.3.4M....,Y..=z..7._..c.....Q.:|,....4............,..|H.y0....o1...,9%...dv..T. .Y......X...[-V1.j.@. YW@I.}....c>.....Xp..:x....`L.C*'......P.0.#...")..).,b*...ZJ...Z..`..G.C.....i?O?].....|.mfD

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/loading.css HTTP/1.1

Accept: */*

Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.safetydownload.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:20 GMT

Content-Type: text/css

Content-Length: 6234

Last-Modified: Wed, 28 May 2014 17:14:38 GMT

Connection: keep-alive

ETag: "5386197e-185a"

Accept-Ranges: bytes

/* CSS Document */../* CSS LOADING WIN */..article,aside,details,figcaption,figure,..footer,header,hgroup,menu,nav,section {..display:block;..}..p, h5, h4, h3, h2, h1, span, ul, li, form, input, textarea {...margin:0;...padding:0;..}..body {...margin:0 auto;...background-color:#fff;...width:670px;...height:410px;...color:#444;..}..a {...color:#0066cc;..}...clear {...clear:both;..}../*********************//*********************//*********************//*********************//*********************//*********************/...container {...width:670px;...height:410px;...margin:0 auto;...background:#eaeaea;...font-family:Arial, Helvetica, sans-serif;...color:#444;...font-size:13px;..}...header {...width:175px;...height:359px;...padding:0;...background:#eee url("images/bg_app.png") right no-repeat;...border-bottom:1px solid #c4c4c4;...position:relative;...z-index:0;...float:left;...overflow:hidden;..}...header h3 {...font-size:12px;...font-weight:bold;...margin:12px 10px 0 10px;...color:#fff;..}...header pre { font-family:Arial, Helvetica, sans-serif !important;}...header h2 {...font-size:11px;...font-weight:normal;...margin:3px 10px 0 10px;...color:#fff;...width:150px !important;...float:left;...word-wrap: break-word;...font-family:Arial, Helvetica, sans-serif !important;..}...content {...width:485px;...height:349px;...padding:5px;...border-bottom:1px solid #c4c4c4;...float:left;..}...buttons-in {...float: right;...width:150px;..}...buttons {...clear:both;...width:660px;...height:27px;...padding:12px 5px 0;...border-t

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/bg_app.png HTTP/1.1

Accept: */*

Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.safetydownload.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:20 GMT

Content-Type: image/png

Content-Length: 20761

Last-Modified: Wed, 28 May 2014 17:14:38 GMT

Connection: keep-alive

ETag: "5386197e-5119"

Accept-Ranges: bytes

.PNG........IHDR.............d.......tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:9877AA79DEAB11E3BE9AC4982E4C1D8B" xmpMM:DocumentID="xmp.did:9877AA7ADEAB11E3BE9AC4982E4C1D8B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9877AA77DEAB11E3BE9AC4982E4C1D8B" stRef:documentID="xmp.did:9877AA78DEAB11E3BE9AC4982E4C1D8B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>9.....M.IDATx..}.v...,...Zz.~......ry.D<R....L..]m..}m.")2........W...........#.......@.........=......$.AtJ.f.C.{.hW....y.V...R.L^..K...m@......wi.....t.q3.?^nF..1...4..d..'...U...E.q?........R:.X0.;'.|!..8....w.c<1J?O...v..p.p. ....z.]......?z.......?H#....gB........x..Rl7.U.*.~[......X..BxP....DQ.uU......!...d,....!R..xH..F#..J..)........~0...................U$.;>..U...j.p..(G.....L.. ..TPW......D..........bQ.*.X@H.(.b...}..*.T...0ja.....J...=b.......##K].....>&.....,..=...BA...2.........l...B.O..X.......R,.G.....H.^............:....r...Z).B....B..!..O"..2.(.R.Z2K.....8H.8C.a

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/secure.jpg HTTP/1.1

Accept: */*

Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.safetydownload.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:20 GMT

Content-Type: image/jpeg

Content-Length: 19602

Last-Modified: Wed, 28 May 2014 17:14:38 GMT

Connection: keep-alive

ETag: "5386197e-4c92"

Accept-Ranges: bytes

......Exif..II*.................Ducky.......Q.....-hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:9877AA7DDEAB11E3BE9AC4982E4C1D8B" xmpMM:DocumentID="xmp.did:9877AA7EDEAB11E3BE9AC4982E4C1D8B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9877AA7BDEAB11E3BE9AC4982E4C1D8B" stRef:documentID="xmp.did:9877AA7CDEAB11E3BE9AC4982E4C1D8B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...................................................................................................................................................:............................................................................................!..1A.Q.".a.2B.s....T.q.#34U...br.c$Dt5...R..S..ì...6...&......................1.!AQa...q..2...."R..B3..#.r....b.....C$..............?..D}.|...@....,......&.3.. .`h.@.a..fA.*..AP..w@.%....Dn.F......1"..P.H`..@......@......@......@......@......P.T&.8.........Y.W{.5UR.u....Z[@ .....n....7..[.[qM.`h......c.#....Ik.A..../v.4........!~..`.lsA...z[_j6&.y.......=.....nM..

<<< skipped >>>

GET /sdb/doma.js HTTP/1.1

Accept: */*

Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.paleokits.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:20 GMT

Content-Type: application/x-javascript

Content-Length: 2184

Last-Modified: Wed, 07 Aug 2013 11:37:26 GMT

Connection: keep-alive

ETag: "52023176-888"

Accept-Ranges: bytes

.. //muestra una capa y oculta otra.. function changeVisibility(capamostrar,capaocultar) {.. div = document.getElementById(capamostrar);.. div.style.display = "";.. div = document.getElementById(capaocultar);.. div.style.display = "none";.. }.. // funcion para mostrar u ocultar el progreso de la instalacion separado por ofertas.. function mostrardiv() {.. div = document.getElementById('multipleProgress');.. div.style.display = "";.. div = document.getElementById('ocultar');.. div.style.display = "";.. }.. function cerrar() {.. div = document.getElementById('multipleProgress');.. div.style.display='none';.. div = document.getElementById('ocultar');.. div.style.display='none';.. }.. // funcion para mostrar u ocultar el div de las toolbars instaladas en el finish.html.. function show() {.. div = document.getElementById('alloffers');.. div.style.display = "";.. div = document.getElementById('ocultar');.. div.style.display = "";.. }.. function hide() {.. div = document.getElementById('alloffers');.. div.style.display='none';.. div = document.getElementById('ocultar');.. div.style.display='none';.. }.. //si el usuario no acepta el radiobutton no se habilita el boton de nex.. function acceptDeclineDisablenext().. {.. if(document.getElementById('Raccept').checked) .. {.. document.getElementById('Bnext').disabled = false;.. document.getElementById('Bnext').focus();.. }..

<<< skipped >>>

GET //Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Host: staticrr.cloudbox106.com

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:32 GMT

Content-Type: application/zip

Content-Length: 344899

Last-Modified: Fri, 07 Mar 2014 11:17:00 GMT

Connection: keep-alive

ETag: "5319aaac-54343"

Accept-Ranges: bytes

PK.........YgD..l>9....c......style.css..ko......?....M-G.#q...m...p.-..^...D.... ..w....S")JvrIp-b#.I.3...p.....\....,Z.PZ.......Q..._D.,*.%h.K..a.*..r8......R.s]....<.*T............^.Sx?,QD....A..<._..$.>_..|;<..`........#..!(s...:.....< VC..|].A.6.,.... X,p:u..A.......!.......u...3.}.D...eIVL...9}...j9=;w..-..^,.i0.e.8..... j]..,......,.S.k:....Q...Q1O.....1Jy......y..t...I.rX@.g)*@....J~. F....-.U..,&.P......arr.>%.1..W..........l%..p.W..h.........LJ....<....m..U..........!H..vN`:s........D....{D4..e.i.........%..t...!~\......F..^..Sgt...."...x...<.-.`...t..w..@..8....X.. (."=U.....(....(.....JL-..@...=...W..1.p..2.j..y...rlK.l..{|D....s.%.2....3.\ 'H3.... ......'.....iu....D..D....D!..A.....Q....@..y(`>.3b0?;..1..CW... ..V.W.gd.......R1..2.P.|.......^..p.."...5..L."mF.......R..8...[.PB..#]}F8- .....%E.......F#.D.!....."..:.,.:R\Y...g>...R.u].....B...B....@C./.DP.Zc.....g.d#i.2.A......af.D.4;.@~WW.......&..Srfk.8--.....n..s..b....d).......e..W.d......?l=...5...GG...G......$&..=.......tV.W....p...1........p...xF. ..1..pL.sD....;......._,....3..,....a.....s<.L...<..`.....)9.4...x(...P2...w...e......a....wqIe...6.8.....5..mx.gD.1G.....`.IA...>.X.<.... .~..b..dq..8.^...uN>.d..!...8*.2.W.. .....H.U........7. ...w..D.O_r.W....9....0.F..._..L.........V.VI5Y.s..sZ ]` #%Z..p ..Z .;olx.........M.C..^.....7.......p.....O.6.m.....zd.<..G.,g...Y.j.|..TP...|...d2.r.....K.6......b....vu..|..s.. ... 7.....9'.c..[...sD0C........F..,I..R....IcL._...I ...(ZB....LZ.m.2.....;h

<<< skipped >>>

GET //Displays/Templates/756e2734_Win_A_Banner-NoLink-DeclineLink-Java.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Host: staticrr.cloudbox106.com

Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:33 GMT

Content-Type: application/zip

Content-Length: 7745

Last-Modified: Thu, 06 Mar 2014 16:11:23 GMT

Connection: keep-alive

ETag: "53189e2b-1e41"

Accept-Ranges: bytes

PK.........F.C.2..............close.html]PAN.0.</..09p }.f.x.G.M.."8U.".=N.E .....L2>.....'..4d.:..p..v...E.n0 .a...^2D.....u>z.Q@..N.q[ryK....].c...)...E.f.F.K.#..e..D@6R.9s..EH..8.a.W........x-KN.S...A.....G.....f.....U.3M...77.~.....fB........Eiw..9t........z.~.PK..........$C~...h...........finish.html.TM..0.=.R.....!...R.I..Jp.".8p....1....4._......j.d%.y..<....#.P`.S%-p.:..'T.1._*.-W2.M..*H.Bi[L:..g^Wa@g\r.../....."9....R4YÜ.4..@Fl.2*.5h${..& .pC..F`....He.....m..kJ.-...R^\.......4Gz...)A.'..VB......~.Gm...O......Z.9..rS....~.;..Q.4....p..,..e..=...H.1K..p.C5/....~...fL.>.......'9.w.B.JXGA.m.k........x. q..N.......~_.[..(P27~.e...jy..^.o....{..~ '..a..m....u=..G.h'..0tj..ja.#....t_...z.3........o/.e..o.7.&Anm.."U.:....9s.......~D.D...2/..vj]...P..t.|.|]o....7..\.6..>...O..: ..^i.:....j%...$.* 5g6O.W.....r../_/.t..cd..N.L`.\....#t9..........s.z|..........d...NF@...q..,...0.~....s.q...l.C..;....%........PK..........ZD...x.....(......group.html.Zm..........}..@wN.4i...n^Z..k$v.~*..h.=.....m~W.A.Y.....].N.8......3#.~x}.uv.nva.]_.}..mc...{....}..'wm. Uw../...M0......q.........nwO......|..._....../...zGf....~6<|h..uA.....arvx..Ww?SW.=.`U.......G.....h..|J_..>......?|.#.qP?._.kn.....G........]g.B....#...}pc.y..c.X..Wy...(........=.....3......}.6.Sk.j...L...<....#/......Q.i..m....}.IY.O!:...^u..(..4.H,W...I,.......Nvt..1.5a.<z.t3...}..?.A.|..W..{.........V...../..n..R/.............?a..Q}O...F.b.......v...O....L8=~..!hG.Q..........R.O;b..S.Psu........GIi.Sx..^D......eo.p..4D.......;.

<<< skipped >>>

GET //Docking/Docking.zip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Host: staticrr.cloudbox106.com

Accept-Encoding: gzip, deflate

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:33 GMT

Content-Type: application/zip

Content-Length: 37048

Last-Modified: Tue, 26 Nov 2013 13:00:11 GMT

Connection: keep-alive

ETag: "52949b5b-90b8"

Accept-Ranges: bytes

PK........1Q.A..T.............position1A.css.....0.D..W\.n....H.Q... .~@l...Ii"*..k.......9..]..t.jp.../.......6.<7Th...5L....}..E.. ....L.S...........V*...8.;r...,6..r..'.?WC......yX.'c............&.XHA...PK........,g.B^P.]............position2A.css.S.N.0.}n..b.K...m$p^v.j%^...~..............!.RB....c.9s.L~f...[r.....y.x..\.V.7d.-..L..}o.3k.........Dp.....99....x...P)3....(..V........EL..I..B.G.A..{.y........en....<.&.l...[..~.U..'..7..sCC.....O.Z....H.J..G.p;...`.>.....-V ..g6R.......qQ%.Ua....E.7>..o...W.....f..k.L.ME.....cTSF.....s|....#..%....| ..hBv...Lqf(..@.w=...~P$<p.E...y.u..........W.k0[...w.Z......fye.../...&Q.....c.q........1.0.g..ay......|.gI....W.4...GJ...R..e...;.....}b.5.3.^\...A[..O.FX..'5o.%r......F..:....PK.........H.@....Z...........position2B.css.Q.N.0.....D..a..Fp.1B............]....mA......$=.|?=.uF.U.....[ot..~...9Ld.Y.......N.y`~................#.||..j)y.(/..n.....^....45.....\.."..k$. ...0..@C'.$....Q..V.:k&.Z%.U ?.X.-..F..E.Ra.<u..;($g...}.......Ah...)...L.*5.Q0(.M.v.....t`....ho..........d/4.p...A.7.....Ee.$*J...S..r.=.<.... l..%.|!j..6..c"...%:.d.......Hen.[xK...O./....U.}fuV..PK.........lMBjre.....B.......position2C.css.....0....S...bL/....A...P}....h3%....nE.*..Y...}.]..FZ.m7s:.%..0MS...PIm.g....7...U..,VK..}....c..c..-b.g.FS...(.P.x.0.\.?\.'TS...k.2!WG4.....#G%l.. .'.{.....ix...B.}a..m..R.v......(.........,..#E.3'8.._....?...z.PK........VG.@! h.............position3A.css..Qo.0....S.:...-..R.........}..N.f|..k...}6Ic.%.:x;.......TT.l....._..Y._]..r._.x..Ppq.C

<<< skipped >>>

GET /index.php/api/361/JFileManager/638/1026/English/WW.xml HTTP/1.1

Accept-Encoding: gzip, deflate,gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Host: api.v2.secdls.com

Connection: Close

HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Content-Encoding: gzip

Content-Type: text/xml; charset=utf-8

Date: Tue, 22 Jul 2014 21:06:28 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Pragma: no-cache

Server: nginx

Set-Cookie: symfony=jeee4batlhtev1dhn6bhp42dt4; path=/

transfer-encoding: chunked

Connection: Close

f77..............ms......;...fG..s...d....w...f.....5{...$R6S......1....p#...i....&....6B......1$..|V.=k..w..1.......}...L..@..g;...?,..h.......O.lonE...n..S.v..O....._....u{....Ig.......K......_...4......"#.TMS./......Ru..&B.j`...M...........L............?f.F...R.QR.....3R(..*..Q2i.4....K.&IH.5.....d..L.P..i...&P.Y.4..(...l.2.dY.....R..iJ&M.MM.R. ......?.Z......O.gF.-..%~..L...........0\....B t&...XS.>...;.,..%a .-y...........H3...... .W.......[=g..j...Z}.v..wgT......,B2_......`&........AKW5.t...9..=.X.K|....q..=2.9........~w.......h/..Q.W.>.H..0.....s"[....?..n.L.J ..&.i..~..^ ..y.....K ....4.H......%2#!.p.....J..l../g.......[.3...Z}...{..93;.....6..96.vG.O.U..Mu..rN.........y...v...%....c....n=.Y.....O.V...\..u.I.{xx8.b...~....l..[..M.../..Z$..........}...{k.......n...N..?.[MRf@{.7...J.Vw7.......5....U..\^....wO.d2c.%@...q.......Ou.=..EX.$...k.G;O...!M......w>..r....e...|%\N....o.L..-. .....j_...5y.3L_J.......O.4}..v...{K.zV......IA.....Vh.....tXx...@.j.M...I~......}.....S6-*J.~.../}o....b.... ...?."...fj=.}..Abk.@G......R....xn.!.aMi.....W.P1..}..V<...X.^_:?..*......N...x... ...NW..s.._d..._.v<l."...,y.4.Lf.g...F{g.....}.V..V.H...=m4qb......'>!np...2J....S:)..3....?Dp.n......2.CT..M.x..tB...JY..%..hO.f E#.....<I~....<........G..l]!?.6.t......4.Oh&tyA...*|........>.g.O.$q....C.w.}..r..k....yt.x.x...{.b.............O....$M.y?V....<s..M....P|O..*...Z,...........I.~.......AV.$...D...Z.?sg..P|.z>..a.Vi..6b{.......E..4Q...'}.?: ......].t.H.K..M........;...0.e.g..x:.t..$ccz#......x

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/safe.png HTTP/1.1

Accept: */*

Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.safetydownload.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:20 GMT

Content-Type: image/png

Content-Length: 11629

Last-Modified: Wed, 28 May 2014 17:14:38 GMT

Connection: keep-alive

ETag: "5386197e-2d6d"

Accept-Ranges: bytes

.PNG........IHDR...H...U.............tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:97E89074DEAC11E3BE9AC4982E4C1D8B" xmpMM:DocumentID="xmp.did:97E89075DEAC11E3BE9AC4982E4C1D8B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9877AA7FDEAB11E3BE9AC4982E4C1D8B" stRef:documentID="xmp.did:9877AA80DEAB11E3BE9AC4982E4C1D8B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>3V....).IDATx..|..\W...S.~9JO..J.e%[.mX.l.c...,..Y....vg..f........C.v.,....D'<`.9...-Y.....^...o..:...,..6....;...........i#.c...g..S..w..H.3p.&|.G...a.h4..,....f..m#..... ..q.....8....Q$........'.......>va.F......,..W.(z$..-Q.?.Fal..C.^.l.G.|..54.:.4.V...q...B.S..{..._f.....kk....l.Rix-.>./...=.>......o..#.^M.~.i..2..`.v.h.......a... @.F.<.[....m...a.v.J..V:..I....4.lu<.....g..Z..\....h|)..O..g.`.".x5.....%.l.&.Qu .....Y.....(......S.G.......T...Jy..6........4q..9...L&S...T.eL......I.8f.)T.*.L..w..ua.....\..}.p....yU.j/.U..'.n."...h.i..!p^.....6.....<.....h.a.QB....yB

<<< skipped >>>

GET /Loading/b111f3f2_loading_java-similar/images/loading.gif HTTP/1.1

Accept: */*

Referer: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: staticrr.safetydownload.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 22 Jul 2014 21:06:20 GMT

Content-Type: image/gif

Content-Length: 2932

Last-Modified: Wed, 28 May 2014 17:14:38 GMT

Connection: keep-alive

ETag: "5386197e-b74"

Accept-Ranges: bytes

GIF89a.....{............................................................................DDD..................nnn...............ddd.........bbb.........HHH......$$$(((>>>...LLL...zzzfffjjj..................BBB...666rrr.........000............RRRxxx&&&VVV...^^^.........```...<<<PPP\\\......ZZZ|||..."""...NNNvvvttt...888222hhhFFFXXXJJJ...,,,...444~~~***...@@@......TTTppp lll:::..................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmp:CreateDate="2013-11-27T09:52:07Z" xmp:ModifyDate="2013-11-27T09:56:04" xmp:MetadataDate="2013-11-27T09:56:04" dc:format="image/gif" xmpMM:InstanceID="xmp.iid:2A8B0E7D4F6E11E399F3F86D1245C6F9" xmpMM:DocumentID="xmp.did:2A8B0E7E4F6E11E399F3F86D1245C6F9"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2A8B0E7B4F6E11E399F3F86D1245C6F9" stRef:documentID="xmp.did:2A8B0E7C4F6E11E399F3F86D1245C6F9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........................................................................

<<< skipped >>>

GET /index.php/apiLoading/1026.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: api.v2.secdls.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Content-Type: text/html; charset=utf-8

Date: Tue, 22 Jul 2014 21:06:19 GMT

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Location: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html

Pragma: no-cache

Server: nginx

Set-Cookie: symfony=tb41pntr6gqv6c72q4c50obcr5; path=/

Content-Length: 304

Connection: keep-alive

<html><head><meta http-equiv="refresh" content="0;url=http://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html"/></head></html><html><head><meta http-equiv="refresh" content="0;url=hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html"/></head></html>HTTP/1.1 301 Moved Permanently..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Content-Type: text/html; charset=utf-8..Date: Tue, 22 Jul 2014 21:06:19 GMT..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Location: hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html..Pragma: no-cache..Server: nginx..Set-Cookie: symfony=tb41pntr6gqv6c72q4c50obcr5; path=/..Content-Length: 304..Connection: keep-alive..<html><head><meta http-equiv="refresh" content="0;url=hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html"/></head></html><html><head><meta http-equiv="refresh" content="0;url=hXXp://staticrr.safetydownload.net/Loading/b111f3f2_loading_java-similar/box.html"/></head></html>..

<<< skipped >>>

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1876:

.text

.text

`.rsrc

`.rsrc

.reloc

.reloc

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

U9f1Bpa2C9u46NjSZZD7Rqom7eRtApomywhK8GKRLftCwBJ0P6g5Zq9DU33wIQBnViGJGITtoWwM7W0FF0OEitwhxN0fMoi4NfRnD2wnKJIPxKxdDu5QtgbpS4fFaoxvax9I7W44UphNF4SNnbA9xJPTgzaJX1nwlmOaLZgRAb6e8xUXmCr8Xy8ASpBHVug2cVBspRby0GeYTkeeaoUTY530eh1MLMkH46oQQt3jryyRVqXLSGRpji4skPzXA35nvG4X5yxQuLBAHmeXuq3f45yVb6Fb4gSyCkvpw9Pujb4IuaTRM77y3ju1IcoJS6VoU1VsBHHSqwdknSyt0V8KRLLRNIWAQC0K2WnDpBpeAohHfkOZO4T67lGiqdO3UhbXFCsAF4eyG4jDDdMDAkvzv6CVCWSdLECbgKjhsTUlBLG0lBRy4R5sxdEWCknJzydKUTGBc9NQAj8UzLKaeti4JjNdfxPiFkWcH6fB4qw4do2ofTw0JnFfaeKvU8lWPgPH5Ci4ey9r6FtDs1FTiRXdgW8UvC9uw6ocARKO37CHjImFUhd2DCN7tLAjEyJMzP49qrdLr00lpp4HKD9nzg04trSYvbEYM3t4PE1bBoHlDPFBzztOPG1BAchZLBclVNWWVOiBlrTujkBqbks6SZjfc2DMxbAalvA02SQVq2DxXGsqL0XAigD5DRU3kFejqrSVNhuBwLAYWFqvf74GkRpYhHLh1H6FXB9jloi2oKXLZPn0d7dgRqoJb3NgGnKZP4avFhk0YbsJ3O9CtUd3EZYHnAhrKbwaa854koSXJzZhuLd3HnwnN9jnsz6oGMMbkYCx1sruLT6WgDJvYmhZe75zVpYVsEr7WY6GjPco6cL4dwhZZKztEX6m2cLMEFchC9arGdmitQlG3pKlAtUAOcMn3uvGXWwXEu9CrqTbiu0ij5eTbvin0pLgUwoFs7lHtxcJqh4kJTrulEd8pMEBOi7pT3R4bnSkitYW2FC3B7NgE5tcYvX0UzR35rflCZCnGGoTHkJuu5nuzacKa7Cno3K0QjcVu4N0lTH7RJEOWDGZmxE5pEkExo8M6xcyhYaArxiPDe2BDXBVxUOtGiBQSn04cpS3RL3guzafgzAz1Aq4zuoj4uR9g3tpDrwE3UsJ4drGb9KgRcYr66FRbI8w33aAfUMYd5FhiR9vdRi5ULsefctGWODu46kDGAmuQhGembWBdHeWXBMc0SGzczUC2VlzB3SZ0VErACjaBuaWzj2CuhNY3WsrwelB0x9jYo6b7uMxJG7Rz8cS2Sftq46dDm4v22sZwVY6bqXlFKRZ9bBxhc2pdUYiQxH9fTRPFC9bBoQv9qYVJRsJnhtZacVL7QpOSXgV3btHcz52vGqW6cJ8e8W7z1PCQxeV8cNle1jUeDbxVrc4mpRQlXCZqdzA9CwAp5tvCCb8G0ZlZFv3tjzSqLuNwVWaCSVMhKhZ8RBToSku8q9USGh0dNkNLQ8QQaGXfmeoxF4LLwiAVrlgdUvp2ixLeL7zyctLfsg9jGqS9L1lo2Iayc1c1ivroSgI2QsIdGuClm7HEMpqrlxld6bvlqT77YUBzR0ttsiRHfZmfuHpsNJh6xpiIbM9n7fIlXv0wWDVNaX8Iq468MvNOov8GCKVHpVc9Rpb6B4FkXD5KqKrhPbLMC37Cwu3mRnypV80b2aGRZC0Uzyp2sO2d1tFEEwUwRvFMHl6Tnz4D6CcI6ZcEy8uQHlON0GYG8xjd0kNMzHBuYPhzr6HOuq8TbZewHs2RLxFJs9RVlAe0G922eow38jmRzAbPe8eTSxYC7wofRzdTXoPTWaNW9aaW2yidrmhlxgwvamQh1Mk2dL86jz3eurTSwcKInlXFr2wQ2uSJtF5w0hTqAm42sd0fwN98Mi3aZKKiW2ZmANnOoXXXZmJedBAaeNucFhPgOXPjfeC9Z4e2D6iMIJtKM86yjJdjIXRt7h9AhNRUUJojwHGiERD5XfDP0raFbtBcmV5

U9f1Bpa2C9u46NjSZZD7Rqom7eRtApomywhK8GKRLftCwBJ0P6g5Zq9DU33wIQBnViGJGITtoWwM7W0FF0OEitwhxN0fMoi4NfRnD2wnKJIPxKxdDu5QtgbpS4fFaoxvax9I7W44UphNF4SNnbA9xJPTgzaJX1nwlmOaLZgRAb6e8xUXmCr8Xy8ASpBHVug2cVBspRby0GeYTkeeaoUTY530eh1MLMkH46oQQt3jryyRVqXLSGRpji4skPzXA35nvG4X5yxQuLBAHmeXuq3f45yVb6Fb4gSyCkvpw9Pujb4IuaTRM77y3ju1IcoJS6VoU1VsBHHSqwdknSyt0V8KRLLRNIWAQC0K2WnDpBpeAohHfkOZO4T67lGiqdO3UhbXFCsAF4eyG4jDDdMDAkvzv6CVCWSdLECbgKjhsTUlBLG0lBRy4R5sxdEWCknJzydKUTGBc9NQAj8UzLKaeti4JjNdfxPiFkWcH6fB4qw4do2ofTw0JnFfaeKvU8lWPgPH5Ci4ey9r6FtDs1FTiRXdgW8UvC9uw6ocARKO37CHjImFUhd2DCN7tLAjEyJMzP49qrdLr00lpp4HKD9nzg04trSYvbEYM3t4PE1bBoHlDPFBzztOPG1BAchZLBclVNWWVOiBlrTujkBqbks6SZjfc2DMxbAalvA02SQVq2DxXGsqL0XAigD5DRU3kFejqrSVNhuBwLAYWFqvf74GkRpYhHLh1H6FXB9jloi2oKXLZPn0d7dgRqoJb3NgGnKZP4avFhk0YbsJ3O9CtUd3EZYHnAhrKbwaa854koSXJzZhuLd3HnwnN9jnsz6oGMMbkYCx1sruLT6WgDJvYmhZe75zVpYVsEr7WY6GjPco6cL4dwhZZKztEX6m2cLMEFchC9arGdmitQlG3pKlAtUAOcMn3uvGXWwXEu9CrqTbiu0ij5eTbvin0pLgUwoFs7lHtxcJqh4kJTrulEd8pMEBOi7pT3R4bnSkitYW2FC3B7NgE5tcYvX0UzR35rflCZCnGGoTHkJuu5nuzacKa7Cno3K0QjcVu4N0lTH7RJEOWDGZmxE5pEkExo8M6xcyhYaArxiPDe2BDXBVxUOtGiBQSn04cpS3RL3guzafgzAz1Aq4zuoj4uR9g3tpDrwE3UsJ4drGb9KgRcYr66FRbI8w33aAfUMYd5FhiR9vdRi5ULsefctGWODu46kDGAmuQhGembWBdHeWXBMc0SGzczUC2VlzB3SZ0VErACjaBuaWzj2CuhNY3WsrwelB0x9jYo6b7uMxJG7Rz8cS2Sftq46dDm4v22sZwVY6bqXlFKRZ9bBxhc2pdUYiQxH9fTRPFC9bBoQv9qYVJRsJnhtZacVL7QpOSXgV3btHcz52vGqW6cJ8e8W7z1PCQxeV8cNle1jUeDbxVrc4mpRQlXCZqdzA9CwAp5tvCCb8G0ZlZFv3tjzSqLuNwVWaCSVMhKhZ8RBToSku8q9USGh0dNkNLQ8QQaGXfmeoxF4LLwiAVrlgdUvp2ixLeL7zyctLfsg9jGqS9L1lo2Iayc1c1ivroSgI2QsIdGuClm7HEMpqrlxld6bvlqT77YUBzR0ttsiRHfZmfuHpsNJh6xpiIbM9n7fIlXv0wWDVNaX8Iq468MvNOov8GCKVHpVc9Rpb6B4FkXD5KqKrhPbLMC37Cwu3mRnypV80b2aGRZC0Uzyp2sO2d1tFEEwUwRvFMHl6Tnz4D6CcI6ZcEy8uQHlON0GYG8xjd0kNMzHBuYPhzr6HOuq8TbZewHs2RLxFJs9RVlAe0G922eow38jmRzAbPe8eTSxYC7wofRzdTXoPTWaNW9aaW2yidrmhlxgwvamQh1Mk2dL86jz3eurTSwcKInlXFr2wQ2uSJtF5w0hTqAm42sd0fwN98Mi3aZKKiW2ZmANnOoXXXZmJedBAaeNucFhPgOXPjfeC9Z4e2D6iMIJtKM86yjJdjIXRt7h9AhNRUUJojwHGiERD5XfDP0raFbtBcmV5

lhYJZM6PHMrgApFIqW1jEbge0o8Ios8cjZq4QKSSAFpSr9dTcRRRIOUjaUTLOyBpOp6K9L2PeiS8WxW1koGGLqDFeh360hdcd9ebJx2nVemUBSd6w4AAnzDO74IKfkCRDNAPRibkJYmc0kLd4X9TWreYPNLPYsiLMFqXsypn2p0ymBXWsFPslS4mIL9dGvvrQLzv4XUG3VAH3tJdJG1tKYluKpEoXEWNJkbl9sWRIhQoNOPhWESrPp5zc54bGZwz8W8TsydqUjUDi7Q6KwBtWE8toLjdxVlTUrp1P5ZyABHFUJRp4xC4sskoRU6SEFqhiFHXXB4jXvTjPqEtLWuxFHzmbIZ3kEhbSJIpb4CCDtg7JbJAqNgSl2MKfvWoLa8snSAgRorRt14mACN9oXPGhu67XpeQ58R23KJ4y8yVFVhIIgW2LsrRGjgJdCoajTp68J8QdV4py4bwnyzQDmfMQ9wTEa06UxMVFkK8ifYZybsMiUwPcIH61iDEarWGH4EoZgfZXYrwK536Q5rmmLROGF7sepwaO2LvqU0whOP1Zwn5pGXf9Ku6n0SuiWVICrRRtHQ6e4eH5ZYjrbdHBraeIPizAgfP29OUQmzJGyxAYdnxIMSkVOwg0ZAFzp6ZLJj2iQiDew9yPMRonDzXy54nNH30V3krBHYo3uo2DogzO7Aoimr5ZjBPP5pLWsRkbryqOr7wGKjKCAtSzflGk9bGrnUPxPmrsXWxiBkZUBgVPEq2l4bOSxvbq18AGs81y2rON6K75vWS3q1W71DCNHI4CVhrCTtBCpwW3RU5LZL3DCb5jNTVRe3VzGH52rkvjVX3tQzvWHmchpIacHUuBbddIMLwkYduOpUROiMCoy8j10Oj8G2uH04hSUuRfcl8E2y1F0w4LrFqENfmQGzUTzZAzxF8LqLWTKEy4j26j8KQ85XxzTZcJYrsqoINvqFuQSH4jRsGNDLVYiBDKiJ2AIn5tliQLpL3Cpapy3nRAszgZroiJ0UGh4lCDqtIrG36xssUNL0VvDFaasFup4mgDhwLEq3cmC8a8F1H8EE7a9lOzlBlV9twuWDp5RpwSYI3EEbFA7vUAogD6SlsPTzlKP45scXThRT83NKaP0RtzJNHyPR0R2xvxLapXKrncUY1TadRcejYcgWbbwGMv7bpuxKrNunfJDqPVWXxL9XNTIsrZ8nAdO1e3p2XyahQpwQCLIIPXQitcvAvzl0SNFnI7FmGSAJvIDlmDb4Vi8N7fKRHYGxmjydUjiEfwc7wgXUIkn1yqfKP2pCxYORlcxljAAdva7tL6z8Ed32N97ZpJQ2erttNMXfcd9S6b5jTXkimSnoyYFDuN0fUPezQOP8jt5Bek6MeYfCyIPvee4ZhtVyn47r7FDfhl82WVkn1ql5emLNiift7kC4gmpuFM6zgesp9MruZJmgaK0hNE3B2OiN6GcP6sGnuWZ93vOF1VEx7v3FwhQbTFGB6PtDJLyHd9WoV0nr0xJhkvpnQ6OwzAQGUm1XsnGfDKLFi2jf4qJC12dsUd7MaJn646U0sYeet9zmTUfYWJBi0nP2iIcpq3e4xOKlhtWfmFi2D1I98i0BhfgQrLSSH8n36w69jz50y4CXJWt7aeDtpsEeyIbdPTxIS8waJW7LxHKS9sHerVSDF4OO12LKx2kOG3eKAtxog26RRVefb7V4b4dXuSiRkXzUwjVE0xVG1DLUuUM73DCA65Hyi1iKrq1gB4Q4WCgxzJFzf51NMcjcv9YBLwv9plpLMFszeSkBxeawzitnaE7pgYUCfosAghhnuX7O4UZk0qby1OsXITm4egfMqGW6GLWDQOcGs5vpWSP6lsFE7zkBX7yfSuxx82NpDISnMWENx6hvBjA8br9hAvQTq7Y7H8r4eADNKAcOeRBeNmBCtr6wJUrjV8UDRtQLjQsPS7OeX2LMN1XljDG6aOGvNUinPJ7Ua0474VUvN1JRiOF3lItnWTKEj6b7ZAyn41MX60ryS

lhYJZM6PHMrgApFIqW1jEbge0o8Ios8cjZq4QKSSAFpSr9dTcRRRIOUjaUTLOyBpOp6K9L2PeiS8WxW1koGGLqDFeh360hdcd9ebJx2nVemUBSd6w4AAnzDO74IKfkCRDNAPRibkJYmc0kLd4X9TWreYPNLPYsiLMFqXsypn2p0ymBXWsFPslS4mIL9dGvvrQLzv4XUG3VAH3tJdJG1tKYluKpEoXEWNJkbl9sWRIhQoNOPhWESrPp5zc54bGZwz8W8TsydqUjUDi7Q6KwBtWE8toLjdxVlTUrp1P5ZyABHFUJRp4xC4sskoRU6SEFqhiFHXXB4jXvTjPqEtLWuxFHzmbIZ3kEhbSJIpb4CCDtg7JbJAqNgSl2MKfvWoLa8snSAgRorRt14mACN9oXPGhu67XpeQ58R23KJ4y8yVFVhIIgW2LsrRGjgJdCoajTp68J8QdV4py4bwnyzQDmfMQ9wTEa06UxMVFkK8ifYZybsMiUwPcIH61iDEarWGH4EoZgfZXYrwK536Q5rmmLROGF7sepwaO2LvqU0whOP1Zwn5pGXf9Ku6n0SuiWVICrRRtHQ6e4eH5ZYjrbdHBraeIPizAgfP29OUQmzJGyxAYdnxIMSkVOwg0ZAFzp6ZLJj2iQiDew9yPMRonDzXy54nNH30V3krBHYo3uo2DogzO7Aoimr5ZjBPP5pLWsRkbryqOr7wGKjKCAtSzflGk9bGrnUPxPmrsXWxiBkZUBgVPEq2l4bOSxvbq18AGs81y2rON6K75vWS3q1W71DCNHI4CVhrCTtBCpwW3RU5LZL3DCb5jNTVRe3VzGH52rkvjVX3tQzvWHmchpIacHUuBbddIMLwkYduOpUROiMCoy8j10Oj8G2uH04hSUuRfcl8E2y1F0w4LrFqENfmQGzUTzZAzxF8LqLWTKEy4j26j8KQ85XxzTZcJYrsqoINvqFuQSH4jRsGNDLVYiBDKiJ2AIn5tliQLpL3Cpapy3nRAszgZroiJ0UGh4lCDqtIrG36xssUNL0VvDFaasFup4mgDhwLEq3cmC8a8F1H8EE7a9lOzlBlV9twuWDp5RpwSYI3EEbFA7vUAogD6SlsPTzlKP45scXThRT83NKaP0RtzJNHyPR0R2xvxLapXKrncUY1TadRcejYcgWbbwGMv7bpuxKrNunfJDqPVWXxL9XNTIsrZ8nAdO1e3p2XyahQpwQCLIIPXQitcvAvzl0SNFnI7FmGSAJvIDlmDb4Vi8N7fKRHYGxmjydUjiEfwc7wgXUIkn1yqfKP2pCxYORlcxljAAdva7tL6z8Ed32N97ZpJQ2erttNMXfcd9S6b5jTXkimSnoyYFDuN0fUPezQOP8jt5Bek6MeYfCyIPvee4ZhtVyn47r7FDfhl82WVkn1ql5emLNiift7kC4gmpuFM6zgesp9MruZJmgaK0hNE3B2OiN6GcP6sGnuWZ93vOF1VEx7v3FwhQbTFGB6PtDJLyHd9WoV0nr0xJhkvpnQ6OwzAQGUm1XsnGfDKLFi2jf4qJC12dsUd7MaJn646U0sYeet9zmTUfYWJBi0nP2iIcpq3e4xOKlhtWfmFi2D1I98i0BhfgQrLSSH8n36w69jz50y4CXJWt7aeDtpsEeyIbdPTxIS8waJW7LxHKS9sHerVSDF4OO12LKx2kOG3eKAtxog26RRVefb7V4b4dXuSiRkXzUwjVE0xVG1DLUuUM73DCA65Hyi1iKrq1gB4Q4WCgxzJFzf51NMcjcv9YBLwv9plpLMFszeSkBxeawzitnaE7pgYUCfosAghhnuX7O4UZk0qby1OsXITm4egfMqGW6GLWDQOcGs5vpWSP6lsFE7zkBX7yfSuxx82NpDISnMWENx6hvBjA8br9hAvQTq7Y7H8r4eADNKAcOeRBeNmBCtr6wJUrjV8UDRtQLjQsPS7OeX2LMN1XljDG6aOGvNUinPJ7Ua0474VUvN1JRiOF3lItnWTKEj6b7ZAyn41MX60ryS

LuGGfibLOhACEzycTXhNtlwk8ij1HBuwBa0az78YLwyBL0OSoNgq6b4A7wI69jdnXebDJyNVZtc7W5JiEAN3udAzgAcdzbZCslOH8Chq53JaHK9PZvYOOavBXjaY9kJV5OcQNjVyHCIX0Z2XFZd99QgWg9wZCsrUtXf3ItcPKzhmCIL7qmsjhJWpHpJNX66okXDcU9omC3ekTxoe9BBVs7AZtk00cr6os3xcHXRRR837fETlYivGHGPoLrdDSlyl7020alHlUTdudDTZBOc35zQVniBqUn8GJSaoM3lMLkWXkvzO2D1trmMNRsMPw9dRmcKwpoFqh2NIvhHyGAFiHkOi9YkTuUL9ORShVdzO8KlzJdrKVoi5E4jcyBxAeV6xrN3OyzNDb1k78pJ5KlyzbONgaovZkUzHrb33lQmHQK9qcqIUxB6UbJMP4GPLx7cQA3TfXnM481SAOweTQLBSXOGSyn8OaLjTIs0iHC6kZcVj0lbHC54VGUBRoR1WlOf5LQjpMRGpHr3KMAEOpFHLytewbiSmiA4Gcdz42OIfCVDo10fYnmHPhDHsMXnE8ughwxHIaKWL7BjNZZEkd4853pyJHzcexIUaQh9VvOy8LbyBQNbmTdV4RhEsOa0qC4jZKD5QK4ZXuBKtGZw3xZutWZtIMRhvXhGR1I0mSuMZn8JqHkVZO63MJZcVkwd2yEA8hp4USYfvpMItFhPL6iIwUgRpjpLlv34EuZeizyjhMmz0X0R4eJvp6dobHPKDm39vRe9PdGlH8BUIQ0BsHRhWIOHqLcKUXQ4S7jOlgUnJEtnn3HJ3OZ6nx2GzX6prb5MhBdkuJzFaxqgQFOJlic5AKyifMoyjF6IIRfWZwptou6ZhWZ3ixdi89lGc5fRubvEBRH9z46eAaOrs2su0ThloaLuQ9xFcj3ugDyuCWc91fUx7QOLKkKAqs10yMP9HAbrhukZD71eRhujpow9vV52IDdYLI60gcBAeDqNFYhMsSKuNa3LS8jR3WoCpMu6mkYtE5H6BG5s3T1VPxON5jvShcdvYiQt8HLV4r0SC7kmc1Xk4DX27RacYfmB1mitZMtwhg0yG6k89jQpowJ0quPAhJ3oId6aVth0Y4q1F8zSHTHCXOm3WEyXKnQ9nPR7d004fM8BgRur473xcAB40dnr5tpLnqO0rCOQ2MxkQVWfkg2Nut7XnzNDOATSWbhVW6j0MbXxb9rdktIUJpoH962oMcjRk1t8impOB3tjd9LIhJtu18jGWJV0e5oJ1gnkQs58d3tP5fDautgdTYZlSWlJAoVK5v4FdrSGbjrKlqpcrZYI3QpgGQfWsSER2f3pUdvZXlTjBoWacmKNznQogX8xl6nsPJSgw9snE9US7gOr4eTgi1rPyPj7e7N07GhAKCKFAW4eMzbjOjzEjrtDNvl3IGmRLYCdDLF7TmOdPwtCjsvBUSl9nOWprQ63KmDX67QcNCU7MpXrbTUqlU73NDZYZqPcqVDC2PS7G2f72085AXpkp42pVTA4NtkqokiQWAXUsviqREN3GvWv27xRY5nUpXtmRZTSRsi99E24WLHqfGxsHZyrWB10mdFFb5I1V5lomwFgpNlMY8R3wYqdQxsj7PL0ophYEvVx37GxlTCgL6ED1CAlnUQxxKFBVO29GxiDnu9zs2275lIbkh8WY6KUOy9sBeMG1CKoXbqHCLLCOhFjM3erci2NmQ97ODeQwvPj0zLgkjNJFciylAeEHqCVXgP9G3cuH4fsBwtmr8g2EsijHLVnzJjg34vTUMJrgtcK606Zh1mIkbgPGC6hd6BIhlXVq1R75tP61PuuxXMR57pOSDG2XFEK1CYXUKqgfhsPwjY0hMTpuUNk5jdWuYjzYeey1HKWHFMXPJrIOQUlVoqhY8C7hPSauqNNianUHfWVSu8vUX9TkukX2pBsQFLisZlc7JdgP47vBNaS9gnuQ9Z9fZU3I4dcDNC3j5xlU3epwZvpoTsKsrCt9l7hY

LuGGfibLOhACEzycTXhNtlwk8ij1HBuwBa0az78YLwyBL0OSoNgq6b4A7wI69jdnXebDJyNVZtc7W5JiEAN3udAzgAcdzbZCslOH8Chq53JaHK9PZvYOOavBXjaY9kJV5OcQNjVyHCIX0Z2XFZd99QgWg9wZCsrUtXf3ItcPKzhmCIL7qmsjhJWpHpJNX66okXDcU9omC3ekTxoe9BBVs7AZtk00cr6os3xcHXRRR837fETlYivGHGPoLrdDSlyl7020alHlUTdudDTZBOc35zQVniBqUn8GJSaoM3lMLkWXkvzO2D1trmMNRsMPw9dRmcKwpoFqh2NIvhHyGAFiHkOi9YkTuUL9ORShVdzO8KlzJdrKVoi5E4jcyBxAeV6xrN3OyzNDb1k78pJ5KlyzbONgaovZkUzHrb33lQmHQK9qcqIUxB6UbJMP4GPLx7cQA3TfXnM481SAOweTQLBSXOGSyn8OaLjTIs0iHC6kZcVj0lbHC54VGUBRoR1WlOf5LQjpMRGpHr3KMAEOpFHLytewbiSmiA4Gcdz42OIfCVDo10fYnmHPhDHsMXnE8ughwxHIaKWL7BjNZZEkd4853pyJHzcexIUaQh9VvOy8LbyBQNbmTdV4RhEsOa0qC4jZKD5QK4ZXuBKtGZw3xZutWZtIMRhvXhGR1I0mSuMZn8JqHkVZO63MJZcVkwd2yEA8hp4USYfvpMItFhPL6iIwUgRpjpLlv34EuZeizyjhMmz0X0R4eJvp6dobHPKDm39vRe9PdGlH8BUIQ0BsHRhWIOHqLcKUXQ4S7jOlgUnJEtnn3HJ3OZ6nx2GzX6prb5MhBdkuJzFaxqgQFOJlic5AKyifMoyjF6IIRfWZwptou6ZhWZ3ixdi89lGc5fRubvEBRH9z46eAaOrs2su0ThloaLuQ9xFcj3ugDyuCWc91fUx7QOLKkKAqs10yMP9HAbrhukZD71eRhujpow9vV52IDdYLI60gcBAeDqNFYhMsSKuNa3LS8jR3WoCpMu6mkYtE5H6BG5s3T1VPxON5jvShcdvYiQt8HLV4r0SC7kmc1Xk4DX27RacYfmB1mitZMtwhg0yG6k89jQpowJ0quPAhJ3oId6aVth0Y4q1F8zSHTHCXOm3WEyXKnQ9nPR7d004fM8BgRur473xcAB40dnr5tpLnqO0rCOQ2MxkQVWfkg2Nut7XnzNDOATSWbhVW6j0MbXxb9rdktIUJpoH962oMcjRk1t8impOB3tjd9LIhJtu18jGWJV0e5oJ1gnkQs58d3tP5fDautgdTYZlSWlJAoVK5v4FdrSGbjrKlqpcrZYI3QpgGQfWsSER2f3pUdvZXlTjBoWacmKNznQogX8xl6nsPJSgw9snE9US7gOr4eTgi1rPyPj7e7N07GhAKCKFAW4eMzbjOjzEjrtDNvl3IGmRLYCdDLF7TmOdPwtCjsvBUSl9nOWprQ63KmDX67QcNCU7MpXrbTUqlU73NDZYZqPcqVDC2PS7G2f72085AXpkp42pVTA4NtkqokiQWAXUsviqREN3GvWv27xRY5nUpXtmRZTSRsi99E24WLHqfGxsHZyrWB10mdFFb5I1V5lomwFgpNlMY8R3wYqdQxsj7PL0ophYEvVx37GxlTCgL6ED1CAlnUQxxKFBVO29GxiDnu9zs2275lIbkh8WY6KUOy9sBeMG1CKoXbqHCLLCOhFjM3erci2NmQ97ODeQwvPj0zLgkjNJFciylAeEHqCVXgP9G3cuH4fsBwtmr8g2EsijHLVnzJjg34vTUMJrgtcK606Zh1mIkbgPGC6hd6BIhlXVq1R75tP61PuuxXMR57pOSDG2XFEK1CYXUKqgfhsPwjY0hMTpuUNk5jdWuYjzYeey1HKWHFMXPJrIOQUlVoqhY8C7hPSauqNNianUHfWVSu8vUX9TkukX2pBsQFLisZlc7JdgP47vBNaS9gnuQ9Z9fZU3I4dcDNC3j5xlU3epwZvpoTsKsrCt9l7hY

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

operator

operator

ADVAPI32.DLL

ADVAPI32.DLL

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

portuguese-brazilian

portuguese-brazilian

KERNEL32.dll

KERNEL32.dll

RegOpenKeyExW

RegOpenKeyExW

ADVAPI32.dll

ADVAPI32.dll

OLEAUT32.dll

OLEAUT32.dll

mscoree.dll

mscoree.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

JQpRxmAGvMD9V8POG6llIXOxIwzbRYadqHl2HMZmdvnOsukS95EPnvwWb2ibXyYHMASoWWh3g8hnJafnlRcVtvZ5kz1ODYzPGQb1VVfSHQbl9jNn95sZ7e3z4e706msQTeqzMdWvZBS7R5vzL2kQX1mbzD8RYoWvyvC42oL6i79Fv6S9SIpdcL211oaiffGLPxIwDAGw6LxLi03e4LWTtkN036EAfdqm4bPGyuIJV9nJz85lFcAXbsDMe2kj5ep2ukRhlwPJdn8u6eB4bs4cMDlLIcBFkyNQUvoorYaiw1TYxNHeHIKzEkpnEX2FmZCrqAlALhBpzadf1NaxKWP4QGh6uPjurjcIXJW7CgDAhvaEgkw0XF5AkHLUtpg57g7q7Fsr1c5DsoXvGNZk6srxxOcafUmNAG423Q7hq3GAedYR4gjoKbb9eKI9jSN5tJV2ic1W4T5cW0suZuf8L8dzF5Xsh77IpKhEs6I1pwu0f8nnrokYNOuuOqshQ4inX69kfnR1YPzfwqqaNMRsoteGdgvZeDrmjINgsGlE03R5h2iy9sDemZ8E1Dg922Xuxm5YMkRhBmCuMiyl86ZW9n9uJjoZ4zKj3hffhk5gtjyOpi8GCllgL7wsmOSBA7lEgPKyzinbdqOnNSmUNa9ToEH6VW3DBEQw83HKHKgt7kcvtiODB8Xz8CpMhNMNpUJJhZKgYOIQy33EBJ8qoT7wMShRygJVJspVU7i54mW6NwVbgUueNepEPsnzR2SRfXgfNiTEAdvb6aTp7gLOVEhEcUgBTSncEf1ZqPx8vWjVa38j7thPuGY0LV2aJ2qAAgg9AF9olGz7RUTvvpD6LK1KTc4aYRvDGTv4X8SBt3EYh1i0bHOtytYZoFqyL9zEl5A7zZHwGcMSth3Tr6aAgVkOPLKt9jFybAFb7Tr87ak90qFupWuB62GOmSfVXyMVN3P2L1VIPcDgKkYygpenYeCj31ZoNGkIyzv6KMSxaWW4yAdcI4bkvlb0qLSxZHQ0G3ZCBMKyCuKOCCbcIQLen2NLxVLgeriU3anwvPR5tNSaKxxYKQYi5LNOqoePbEuklZVCoPQ39PVJjMaayXGyNgPO5GVbSE3bOFFPEXq96tzCuCFp1wzq9Ixf9be0YhZs2BY0YP2efqztRmtDbFkwfMcgiAQDSzlYEgK2OOAmDulSjdxWRKZs7DmpOGKtbXAUa0TF0oHNxwQBbx8FZ0v3SlZipLUmhJ5EUtgujDdn8F98B1UqHeDlBGbZaKqoDuGYBlQRrOwwXi5mm1Qy1EPcfUcorrtIqKunUmtuJKMKCW5IsYTzrlB7dhjxtqxhmdHbpAEY4Lv4rY5SqplnTv6fjwjNc6atmExyp4s2t5EQ0HPolBgeeky1hC23q0V8KbRXi0EiVwS3fn7PjvmhotUDcQScSkkGqXA3CwMt08P0D7LnxxQ9ZvBtNKiCiBALmlMsWdmWS2qpO4aeeEPuDkR5wgp2oklyIeOsvtBuNiDFpWMKB2BXejjo8va6huIgZHHWRa96sOnM2Yd8lnvMth9PJADCaOhtKwPRpZ2A3EFA6GwkrcV385WSI2nrHG5OH3cFivTvu5TZCYQ9o58zKc31h593KpB5ND0VavH9ovWZqs0BuXZHNDkkrWnhCvXDubf87492x9loqdLYfHIWz4sksQEniAH3IsEon1EAY7jOs64nSk6VYaWtuojHDIK0AePOXBEMtHxThvUvxoTtBK6xLpGg5F10WMXytf9qQuBqMcm8EXkpYryZirdH4xRYPH7FHvbrpDMgiPVIdHLhi3OmM5HlDnniiwg1WoZrTDIakakeJOWS0fcdrbLWTU3VLh6KEiFDMRtPuOcMUDMZBEsdtdKUMdH9JXyddJJAjsfiWwSN99bqhethhFDQfUFfnHQvw04PvVnPq3CXVoOeHIlUh1dum61og25r2P2uiDRQfAKndP50fBHPv6oFXKCy48Jx7l5fwt6e0EPQrZrGbajPvp56

JQpRxmAGvMD9V8POG6llIXOxIwzbRYadqHl2HMZmdvnOsukS95EPnvwWb2ibXyYHMASoWWh3g8hnJafnlRcVtvZ5kz1ODYzPGQb1VVfSHQbl9jNn95sZ7e3z4e706msQTeqzMdWvZBS7R5vzL2kQX1mbzD8RYoWvyvC42oL6i79Fv6S9SIpdcL211oaiffGLPxIwDAGw6LxLi03e4LWTtkN036EAfdqm4bPGyuIJV9nJz85lFcAXbsDMe2kj5ep2ukRhlwPJdn8u6eB4bs4cMDlLIcBFkyNQUvoorYaiw1TYxNHeHIKzEkpnEX2FmZCrqAlALhBpzadf1NaxKWP4QGh6uPjurjcIXJW7CgDAhvaEgkw0XF5AkHLUtpg57g7q7Fsr1c5DsoXvGNZk6srxxOcafUmNAG423Q7hq3GAedYR4gjoKbb9eKI9jSN5tJV2ic1W4T5cW0suZuf8L8dzF5Xsh77IpKhEs6I1pwu0f8nnrokYNOuuOqshQ4inX69kfnR1YPzfwqqaNMRsoteGdgvZeDrmjINgsGlE03R5h2iy9sDemZ8E1Dg922Xuxm5YMkRhBmCuMiyl86ZW9n9uJjoZ4zKj3hffhk5gtjyOpi8GCllgL7wsmOSBA7lEgPKyzinbdqOnNSmUNa9ToEH6VW3DBEQw83HKHKgt7kcvtiODB8Xz8CpMhNMNpUJJhZKgYOIQy33EBJ8qoT7wMShRygJVJspVU7i54mW6NwVbgUueNepEPsnzR2SRfXgfNiTEAdvb6aTp7gLOVEhEcUgBTSncEf1ZqPx8vWjVa38j7thPuGY0LV2aJ2qAAgg9AF9olGz7RUTvvpD6LK1KTc4aYRvDGTv4X8SBt3EYh1i0bHOtytYZoFqyL9zEl5A7zZHwGcMSth3Tr6aAgVkOPLKt9jFybAFb7Tr87ak90qFupWuB62GOmSfVXyMVN3P2L1VIPcDgKkYygpenYeCj31ZoNGkIyzv6KMSxaWW4yAdcI4bkvlb0qLSxZHQ0G3ZCBMKyCuKOCCbcIQLen2NLxVLgeriU3anwvPR5tNSaKxxYKQYi5LNOqoePbEuklZVCoPQ39PVJjMaayXGyNgPO5GVbSE3bOFFPEXq96tzCuCFp1wzq9Ixf9be0YhZs2BY0YP2efqztRmtDbFkwfMcgiAQDSzlYEgK2OOAmDulSjdxWRKZs7DmpOGKtbXAUa0TF0oHNxwQBbx8FZ0v3SlZipLUmhJ5EUtgujDdn8F98B1UqHeDlBGbZaKqoDuGYBlQRrOwwXi5mm1Qy1EPcfUcorrtIqKunUmtuJKMKCW5IsYTzrlB7dhjxtqxhmdHbpAEY4Lv4rY5SqplnTv6fjwjNc6atmExyp4s2t5EQ0HPolBgeeky1hC23q0V8KbRXi0EiVwS3fn7PjvmhotUDcQScSkkGqXA3CwMt08P0D7LnxxQ9ZvBtNKiCiBALmlMsWdmWS2qpO4aeeEPuDkR5wgp2oklyIeOsvtBuNiDFpWMKB2BXejjo8va6huIgZHHWRa96sOnM2Yd8lnvMth9PJADCaOhtKwPRpZ2A3EFA6GwkrcV385WSI2nrHG5OH3cFivTvu5TZCYQ9o58zKc31h593KpB5ND0VavH9ovWZqs0BuXZHNDkkrWnhCvXDubf87492x9loqdLYfHIWz4sksQEniAH3IsEon1EAY7jOs64nSk6VYaWtuojHDIK0AePOXBEMtHxThvUvxoTtBK6xLpGg5F10WMXytf9qQuBqMcm8EXkpYryZirdH4xRYPH7FHvbrpDMgiPVIdHLhi3OmM5HlDnniiwg1WoZrTDIakakeJOWS0fcdrbLWTU3VLh6KEiFDMRtPuOcMUDMZBEsdtdKUMdH9JXyddJJAjsfiWwSN99bqhethhFDQfUFfnHQvw04PvVnPq3CXVoOeHIlUh1dum61og25r2P2uiDRQfAKndP50fBHPv6oFXKCy48Jx7l5fwt6e0EPQrZrGbajPvp56

@.reloc

@.reloc

X l.dlT

X l.dlT

v2.0.50727

v2.0.50727

TheHostV.dll

TheHostV.dll

System.Reflection

System.Reflection

.cctor

.cctor

kernel32.dll

kernel32.dll

System.Threading

System.Threading

.ctor

.ctor

System.IO

System.IO

System.Collections.Generic

System.Collections.Generic

orderCmd

orderCmd

isChromeInstalled

isChromeInstalled

OperatingSystem

OperatingSystem

Firefox

Firefox

Chrome

Chrome

System.Xml

System.Xml

System.Collections

System.Collections

urllist

urllist

get_Urls

get_Urls

System.Globalization

System.Globalization

Urls

Urls

System.Windows.Forms

System.Windows.Forms

WebBrowser

WebBrowser

mappurl

mappurl

System.ComponentModel

System.ComponentModel

System.Collections.Specialized

System.Collections.Specialized

System.Windows.Forms.Layout

System.Windows.Forms.Layout

System.Text.RegularExpressions

System.Text.RegularExpressions

WebClient

WebClient

System.Net

System.Net

IWebProxy

IWebProxy

System.Text

System.Text

System.Drawing

System.Drawing

RemoteProcess.Controls

RemoteProcess.Controls

webBrowser1

webBrowser1

get_Url

get_Url

set_Url

set_Url

user32.dll

user32.dll

ISupportInitialize

ISupportInitialize

instalarEXE

instalarEXE

System.Diagnostics

System.Diagnostics

WebRequest

WebRequest

HttpWebRequest

HttpWebRequest

WebResponse

WebResponse

WebHeaderCollection

WebHeaderCollection

HttpStatusCode

HttpStatusCode

HttpWebResponse

HttpWebResponse

displayUrl

displayUrl

appUrl

appUrl

appUrlNotNormalized

appUrlNotNormalized

silentreport

silentreport

reporturl

reporturl

policyUrl

policyUrl

uninstallurl

uninstallurl

ADWurl

ADWurl

AddUninstallUrls

AddUninstallUrls

IsValidUrl

IsValidUrl

RegistryKey

RegistryKey

Microsoft.Win32

Microsoft.Win32

System.Security.Principal

System.Security.Principal

checkkey

checkkey

get_Checkkey

get_Checkkey

set_Checkkey

set_Checkkey

Checkkey

Checkkey

RegKey

RegKey

NoRegKey

NoRegKey

RemotoProces.Properties

RemotoProces.Properties

System.Configuration

System.Configuration

KERNEL32.DLL

KERNEL32.DLL

lpKeyName

lpKeyName

dictionaryurl

dictionaryurl

appurl

appurl

ProcessWindowStyle

ProcessWindowStyle

FindExecutableA

FindExecutableA

FindExecutable

FindExecutable

shell32.dll

shell32.dll

urlConfig

urlConfig

templateUrl

templateUrl

dockungUrl

dockungUrl

GratitudeUrl

GratitudeUrl

AbortedUrl

AbortedUrl

SilentAbortUrl

SilentAbortUrl

domainurl

domainurl

WebmasterId

WebmasterId

System.Management

System.Management

WindowsIdentity

WindowsIdentity

WindowsPrincipal

WindowsPrincipal

WindowsBuiltInRole

WindowsBuiltInRole

CreateSubKey

CreateSubKey

EnumerateSubKeys

EnumerateSubKeys

WOW64_32Key

WOW64_32Key

WOW64_64Key

WOW64_64Key

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

RegOpenKeyEx

RegOpenKeyEx

Advapi32.dll

Advapi32.dll

hKey

hKey

lpSubKey

lpSubKey

RegCloseKey

RegCloseKey

advapi32.dll

advapi32.dll

GetRegKey64

GetRegKey64

inKeyName

inKeyName

GetRegKey32

GetRegKey32

in32or64key

in32or64key

StaticRegkey

StaticRegkey

Getkey

Getkey

RegistryKeys

RegistryKeys

ScreenOperations

ScreenOperations

HijoInstalado

HijoInstalado

HttpRequestHeader

HttpRequestHeader

urlLoading

urlLoading

xmlUrl

xmlUrl

trackUrl

trackUrl

staticUrl

staticUrl

keyword

keyword

get_UrlLoading

get_UrlLoading

set_UrlLoading

set_UrlLoading

get_XmlUrl

get_XmlUrl

set_XmlUrl

set_XmlUrl

get_TrackUrl

get_TrackUrl

set_TrackUrl

set_TrackUrl

get_StaticUrl

get_StaticUrl

set_StaticUrl

set_StaticUrl

get_Keyword

get_Keyword

set_Keyword

set_Keyword

UrlLoading

UrlLoading

XmlUrl

XmlUrl

TrackUrl

TrackUrl

StaticUrl

StaticUrl

Keyword

Keyword

ExtendedWebClient

ExtendedWebClient

GetWebRequest

GetWebRequest

user32.DLL

user32.DLL

wMsg

wMsg

WebBrowserDocumentCompletedEventArgs

WebBrowserDocumentCompletedEventArgs

wbMain_PreviewKeyDown

wbMain_PreviewKeyDown

PreviewKeyDownEventArgs

PreviewKeyDownEventArgs

Keys

Keys

FormWindowState

FormWindowState

WebBrowserReadyState

WebBrowserReadyState

System.Net.Configuration

System.Net.Configuration

Microsoft.mshtml

Microsoft.mshtml

Trackingurls

Trackingurls

graphiteUrl

graphiteUrl

lastXmlurl

lastXmlurl

uninstallurls

uninstallurls

checkurls

checkurls

get_GraphiteUrl

get_GraphiteUrl

set_GraphiteUrl

set_GraphiteUrl

get_LastXmlurl

get_LastXmlurl

set_LastXmlurl

set_LastXmlurl

keystring

keystring

generateUrl

generateUrl

openUrl

openUrl

sendByUDP

sendByUDP

port

port

webtrack

webtrack

System.Security.Cryptography

System.Security.Cryptography

System.Net.Sockets

System.Net.Sockets

GraphiteUrl

GraphiteUrl

LastXmlurl

LastXmlurl

urlXML

urlXML

urlStatic

urlStatic

urlTracker

urlTracker

DownloadUrl

DownloadUrl

_downloadUrls

_downloadUrls

urls

urls

System.IO.Compression

System.IO.Compression

InvalidOperationException

InvalidOperationException

apiurl

apiurl

get_Apiurl

get_Apiurl

set_Apiurl

set_Apiurl

Apiurl

Apiurl

{B5A74BFD-C62B-4AB3-8413-5D0E6C4D2AFC}

{B5A74BFD-C62B-4AB3-8413-5D0E6C4D2AFC}

System.Resources

System.Resources

System.Runtime.CompilerServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Runtime.InteropServices

System.CodeDom.Compiler

System.CodeDom.Compiler

RemoteProcess.Contact.resources

RemoteProcess.Contact.resources

RemoteProcess.Controls.Banner.resources

RemoteProcess.Controls.Banner.resources

RemoteProcess.Controls.Form1.resources

RemoteProcess.Controls.Form1.resources

RemoteProcess.Debug.resources

RemoteProcess.Debug.resources

RemoteProcess.MainForm.resources

RemoteProcess.MainForm.resources

Join

Join

set_UseShellExecute

set_UseShellExecute

get_DefaultWebProxy

get_DefaultWebProxy

OpenSubKey

OpenSubKey

GetSubKeyNames

GetSubKeyNames

set_WindowStyle

set_WindowStyle

WebException

WebException

set_WindowState

set_WindowState

set_WebBrowserShortcutsEnabled

set_WebBrowserShortcutsEnabled

WebBrowserDocumentCompletedEventHandler

WebBrowserDocumentCompletedEventHandler

PreviewKeyDownEventHandler

PreviewKeyDownEventHandler

add_PreviewKeyDown

add_PreviewKeyDown

set_IsInputKey

set_IsInputKey

get_KeyCode

get_KeyCode

get_WindowState

get_WindowState

get_ExecutablePath

get_ExecutablePath

set_TransparencyKey

set_TransparencyKey

set_AllowWebBrowserDrop

set_AllowWebBrowserDrop

set_IsWebBrowserContextMenuEnabled

set_IsWebBrowserContextMenuEnabled

set_Key

set_Key

get_Key

get_Key

ConfuserEx v0.1.0-21-g8d974cf

ConfuserEx v0.1.0-21-g8d974cf

7.7.6.7

7.7.6.7

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

11.0.0.0

11.0.0.0

...LXXX

...LXXX

4!%s)

4!%s)

w.AOd(

w.AOd(

r].oz~

r].oz~

-v..vw// !

-v..vw// !

8~

8~

8~

8~

8~

8~

?=

?=

'$&$ .,,-#

'$&$ .,,-#

(CS`)?Nj(>Lp(>LuŸx

(CS`)?Nj(>Lp(>LuŸx

%sy5|l

%sy5|l

rv2.0.50727

rv2.0.50727

v4.0.30319

v4.0.30319

RemoteProcess.Program

RemoteProcess.Program

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

c:\%original file name%.exe

c:\%original file name%.exe

%original file name%.exe_1876_rwx_00401000_000B8000:

vSSSh

vSSSh

FTPjK

FTPjK

FtPj;

FtPj;

C.PjRV

C.PjRV

U9f1Bpa2C9u46NjSZZD7Rqom7eRtApomywhK8GKRLftCwBJ0P6g5Zq9DU33wIQBnViGJGITtoWwM7W0FF0OEitwhxN0fMoi4NfRnD2wnKJIPxKxdDu5QtgbpS4fFaoxvax9I7W44UphNF4SNnbA9xJPTgzaJX1nwlmOaLZgRAb6e8xUXmCr8Xy8ASpBHVug2cVBspRby0GeYTkeeaoUTY530eh1MLMkH46oQQt3jryyRVqXLSGRpji4skPzXA35nvG4X5yxQuLBAHmeXuq3f45yVb6Fb4gSyCkvpw9Pujb4IuaTRM77y3ju1IcoJS6VoU1VsBHHSqwdknSyt0V8KRLLRNIWAQC0K2WnDpBpeAohHfkOZO4T67lGiqdO3UhbXFCsAF4eyG4jDDdMDAkvzv6CVCWSdLECbgKjhsTUlBLG0lBRy4R5sxdEWCknJzydKUTGBc9NQAj8UzLKaeti4JjNdfxPiFkWcH6fB4qw4do2ofTw0JnFfaeKvU8lWPgPH5Ci4ey9r6FtDs1FTiRXdgW8UvC9uw6ocARKO37CHjImFUhd2DCN7tLAjEyJMzP49qrdLr00lpp4HKD9nzg04trSYvbEYM3t4PE1bBoHlDPFBzztOPG1BAchZLBclVNWWVOiBlrTujkBqbks6SZjfc2DMxbAalvA02SQVq2DxXGsqL0XAigD5DRU3kFejqrSVNhuBwLAYWFqvf74GkRpYhHLh1H6FXB9jloi2oKXLZPn0d7dgRqoJb3NgGnKZP4avFhk0YbsJ3O9CtUd3EZYHnAhrKbwaa854koSXJzZhuLd3HnwnN9jnsz6oGMMbkYCx1sruLT6WgDJvYmhZe75zVpYVsEr7WY6GjPco6cL4dwhZZKztEX6m2cLMEFchC9arGdmitQlG3pKlAtUAOcMn3uvGXWwXEu9CrqTbiu0ij5eTbvin0pLgUwoFs7lHtxcJqh4kJTrulEd8pMEBOi7pT3R4bnSkitYW2FC3B7NgE5tcYvX0UzR35rflCZCnGGoTHkJuu5nuzacKa7Cno3K0QjcVu4N0lTH7RJEOWDGZmxE5pEkExo8M6xcyhYaArxiPDe2BDXBVxUOtGiBQSn04cpS3RL3guzafgzAz1Aq4zuoj4uR9g3tpDrwE3UsJ4drGb9KgRcYr66FRbI8w33aAfUMYd5FhiR9vdRi5ULsefctGWODu46kDGAmuQhGembWBdHeWXBMc0SGzczUC2VlzB3SZ0VErACjaBuaWzj2CuhNY3WsrwelB0x9jYo6b7uMxJG7Rz8cS2Sftq46dDm4v22sZwVY6bqXlFKRZ9bBxhc2pdUYiQxH9fTRPFC9bBoQv9qYVJRsJnhtZacVL7QpOSXgV3btHcz52vGqW6cJ8e8W7z1PCQxeV8cNle1jUeDbxVrc4mpRQlXCZqdzA9CwAp5tvCCb8G0ZlZFv3tjzSqLuNwVWaCSVMhKhZ8RBToSku8q9USGh0dNkNLQ8QQaGXfmeoxF4LLwiAVrlgdUvp2ixLeL7zyctLfsg9jGqS9L1lo2Iayc1c1ivroSgI2QsIdGuClm7HEMpqrlxld6bvlqT77YUBzR0ttsiRHfZmfuHpsNJh6xpiIbM9n7fIlXv0wWDVNaX8Iq468MvNOov8GCKVHpVc9Rpb6B4FkXD5KqKrhPbLMC37Cwu3mRnypV80b2aGRZC0Uzyp2sO2d1tFEEwUwRvFMHl6Tnz4D6CcI6ZcEy8uQHlON0GYG8xjd0kNMzHBuYPhzr6HOuq8TbZewHs2RLxFJs9RVlAe0G922eow38jmRzAbPe8eTSxYC7wofRzdTXoPTWaNW9aaW2yidrmhlxgwvamQh1Mk2dL86jz3eurTSwcKInlXFr2wQ2uSJtF5w0hTqAm42sd0fwN98Mi3aZKKiW2ZmANnOoXXXZmJedBAaeNucFhPgOXPjfeC9Z4e2D6iMIJtKM86yjJdjIXRt7h9AhNRUUJojwHGiERD5XfDP0raFbtBcmV5

U9f1Bpa2C9u46NjSZZD7Rqom7eRtApomywhK8GKRLftCwBJ0P6g5Zq9DU33wIQBnViGJGITtoWwM7W0FF0OEitwhxN0fMoi4NfRnD2wnKJIPxKxdDu5QtgbpS4fFaoxvax9I7W44UphNF4SNnbA9xJPTgzaJX1nwlmOaLZgRAb6e8xUXmCr8Xy8ASpBHVug2cVBspRby0GeYTkeeaoUTY530eh1MLMkH46oQQt3jryyRVqXLSGRpji4skPzXA35nvG4X5yxQuLBAHmeXuq3f45yVb6Fb4gSyCkvpw9Pujb4IuaTRM77y3ju1IcoJS6VoU1VsBHHSqwdknSyt0V8KRLLRNIWAQC0K2WnDpBpeAohHfkOZO4T67lGiqdO3UhbXFCsAF4eyG4jDDdMDAkvzv6CVCWSdLECbgKjhsTUlBLG0lBRy4R5sxdEWCknJzydKUTGBc9NQAj8UzLKaeti4JjNdfxPiFkWcH6fB4qw4do2ofTw0JnFfaeKvU8lWPgPH5Ci4ey9r6FtDs1FTiRXdgW8UvC9uw6ocARKO37CHjImFUhd2DCN7tLAjEyJMzP49qrdLr00lpp4HKD9nzg04trSYvbEYM3t4PE1bBoHlDPFBzztOPG1BAchZLBclVNWWVOiBlrTujkBqbks6SZjfc2DMxbAalvA02SQVq2DxXGsqL0XAigD5DRU3kFejqrSVNhuBwLAYWFqvf74GkRpYhHLh1H6FXB9jloi2oKXLZPn0d7dgRqoJb3NgGnKZP4avFhk0YbsJ3O9CtUd3EZYHnAhrKbwaa854koSXJzZhuLd3HnwnN9jnsz6oGMMbkYCx1sruLT6WgDJvYmhZe75zVpYVsEr7WY6GjPco6cL4dwhZZKztEX6m2cLMEFchC9arGdmitQlG3pKlAtUAOcMn3uvGXWwXEu9CrqTbiu0ij5eTbvin0pLgUwoFs7lHtxcJqh4kJTrulEd8pMEBOi7pT3R4bnSkitYW2FC3B7NgE5tcYvX0UzR35rflCZCnGGoTHkJuu5nuzacKa7Cno3K0QjcVu4N0lTH7RJEOWDGZmxE5pEkExo8M6xcyhYaArxiPDe2BDXBVxUOtGiBQSn04cpS3RL3guzafgzAz1Aq4zuoj4uR9g3tpDrwE3UsJ4drGb9KgRcYr66FRbI8w33aAfUMYd5FhiR9vdRi5ULsefctGWODu46kDGAmuQhGembWBdHeWXBMc0SGzczUC2VlzB3SZ0VErACjaBuaWzj2CuhNY3WsrwelB0x9jYo6b7uMxJG7Rz8cS2Sftq46dDm4v22sZwVY6bqXlFKRZ9bBxhc2pdUYiQxH9fTRPFC9bBoQv9qYVJRsJnhtZacVL7QpOSXgV3btHcz52vGqW6cJ8e8W7z1PCQxeV8cNle1jUeDbxVrc4mpRQlXCZqdzA9CwAp5tvCCb8G0ZlZFv3tjzSqLuNwVWaCSVMhKhZ8RBToSku8q9USGh0dNkNLQ8QQaGXfmeoxF4LLwiAVrlgdUvp2ixLeL7zyctLfsg9jGqS9L1lo2Iayc1c1ivroSgI2QsIdGuClm7HEMpqrlxld6bvlqT77YUBzR0ttsiRHfZmfuHpsNJh6xpiIbM9n7fIlXv0wWDVNaX8Iq468MvNOov8GCKVHpVc9Rpb6B4FkXD5KqKrhPbLMC37Cwu3mRnypV80b2aGRZC0Uzyp2sO2d1tFEEwUwRvFMHl6Tnz4D6CcI6ZcEy8uQHlON0GYG8xjd0kNMzHBuYPhzr6HOuq8TbZewHs2RLxFJs9RVlAe0G922eow38jmRzAbPe8eTSxYC7wofRzdTXoPTWaNW9aaW2yidrmhlxgwvamQh1Mk2dL86jz3eurTSwcKInlXFr2wQ2uSJtF5w0hTqAm42sd0fwN98Mi3aZKKiW2ZmANnOoXXXZmJedBAaeNucFhPgOXPjfeC9Z4e2D6iMIJtKM86yjJdjIXRt7h9AhNRUUJojwHGiERD5XfDP0raFbtBcmV5

lhYJZM6PHMrgApFIqW1jEbge0o8Ios8cjZq4QKSSAFpSr9dTcRRRIOUjaUTLOyBpOp6K9L2PeiS8WxW1koGGLqDFeh360hdcd9ebJx2nVemUBSd6w4AAnzDO74IKfkCRDNAPRibkJYmc0kLd4X9TWreYPNLPYsiLMFqXsypn2p0ymBXWsFPslS4mIL9dGvvrQLzv4XUG3VAH3tJdJG1tKYluKpEoXEWNJkbl9sWRIhQoNOPhWESrPp5zc54bGZwz8W8TsydqUjUDi7Q6KwBtWE8toLjdxVlTUrp1P5ZyABHFUJRp4xC4sskoRU6SEFqhiFHXXB4jXvTjPqEtLWuxFHzmbIZ3kEhbSJIpb4CCDtg7JbJAqNgSl2MKfvWoLa8snSAgRorRt14mACN9oXPGhu67XpeQ58R23KJ4y8yVFVhIIgW2LsrRGjgJdCoajTp68J8QdV4py4bwnyzQDmfMQ9wTEa06UxMVFkK8ifYZybsMiUwPcIH61iDEarWGH4EoZgfZXYrwK536Q5rmmLROGF7sepwaO2LvqU0whOP1Zwn5pGXf9Ku6n0SuiWVICrRRtHQ6e4eH5ZYjrbdHBraeIPizAgfP29OUQmzJGyxAYdnxIMSkVOwg0ZAFzp6ZLJj2iQiDew9yPMRonDzXy54nNH30V3krBHYo3uo2DogzO7Aoimr5ZjBPP5pLWsRkbryqOr7wGKjKCAtSzflGk9bGrnUPxPmrsXWxiBkZUBgVPEq2l4bOSxvbq18AGs81y2rON6K75vWS3q1W71DCNHI4CVhrCTtBCpwW3RU5LZL3DCb5jNTVRe3VzGH52rkvjVX3tQzvWHmchpIacHUuBbddIMLwkYduOpUROiMCoy8j10Oj8G2uH04hSUuRfcl8E2y1F0w4LrFqENfmQGzUTzZAzxF8LqLWTKEy4j26j8KQ85XxzTZcJYrsqoINvqFuQSH4jRsGNDLVYiBDKiJ2AIn5tliQLpL3Cpapy3nRAszgZroiJ0UGh4lCDqtIrG36xssUNL0VvDFaasFup4mgDhwLEq3cmC8a8F1H8EE7a9lOzlBlV9twuWDp5RpwSYI3EEbFA7vUAogD6SlsPTzlKP45scXThRT83NKaP0RtzJNHyPR0R2xvxLapXKrncUY1TadRcejYcgWbbwGMv7bpuxKrNunfJDqPVWXxL9XNTIsrZ8nAdO1e3p2XyahQpwQCLIIPXQitcvAvzl0SNFnI7FmGSAJvIDlmDb4Vi8N7fKRHYGxmjydUjiEfwc7wgXUIkn1yqfKP2pCxYORlcxljAAdva7tL6z8Ed32N97ZpJQ2erttNMXfcd9S6b5jTXkimSnoyYFDuN0fUPezQOP8jt5Bek6MeYfCyIPvee4ZhtVyn47r7FDfhl82WVkn1ql5emLNiift7kC4gmpuFM6zgesp9MruZJmgaK0hNE3B2OiN6GcP6sGnuWZ93vOF1VEx7v3FwhQbTFGB6PtDJLyHd9WoV0nr0xJhkvpnQ6OwzAQGUm1XsnGfDKLFi2jf4qJC12dsUd7MaJn646U0sYeet9zmTUfYWJBi0nP2iIcpq3e4xOKlhtWfmFi2D1I98i0BhfgQrLSSH8n36w69jz50y4CXJWt7aeDtpsEeyIbdPTxIS8waJW7LxHKS9sHerVSDF4OO12LKx2kOG3eKAtxog26RRVefb7V4b4dXuSiRkXzUwjVE0xVG1DLUuUM73DCA65Hyi1iKrq1gB4Q4WCgxzJFzf51NMcjcv9YBLwv9plpLMFszeSkBxeawzitnaE7pgYUCfosAghhnuX7O4UZk0qby1OsXITm4egfMqGW6GLWDQOcGs5vpWSP6lsFE7zkBX7yfSuxx82NpDISnMWENx6hvBjA8br9hAvQTq7Y7H8r4eADNKAcOeRBeNmBCtr6wJUrjV8UDRtQLjQsPS7OeX2LMN1XljDG6aOGvNUinPJ7Ua0474VUvN1JRiOF3lItnWTKEj6b7ZAyn41MX60ryS

lhYJZM6PHMrgApFIqW1jEbge0o8Ios8cjZq4QKSSAFpSr9dTcRRRIOUjaUTLOyBpOp6K9L2PeiS8WxW1koGGLqDFeh360hdcd9ebJx2nVemUBSd6w4AAnzDO74IKfkCRDNAPRibkJYmc0kLd4X9TWreYPNLPYsiLMFqXsypn2p0ymBXWsFPslS4mIL9dGvvrQLzv4XUG3VAH3tJdJG1tKYluKpEoXEWNJkbl9sWRIhQoNOPhWESrPp5zc54bGZwz8W8TsydqUjUDi7Q6KwBtWE8toLjdxVlTUrp1P5ZyABHFUJRp4xC4sskoRU6SEFqhiFHXXB4jXvTjPqEtLWuxFHzmbIZ3kEhbSJIpb4CCDtg7JbJAqNgSl2MKfvWoLa8snSAgRorRt14mACN9oXPGhu67XpeQ58R23KJ4y8yVFVhIIgW2LsrRGjgJdCoajTp68J8QdV4py4bwnyzQDmfMQ9wTEa06UxMVFkK8ifYZybsMiUwPcIH61iDEarWGH4EoZgfZXYrwK536Q5rmmLROGF7sepwaO2LvqU0whOP1Zwn5pGXf9Ku6n0SuiWVICrRRtHQ6e4eH5ZYjrbdHBraeIPizAgfP29OUQmzJGyxAYdnxIMSkVOwg0ZAFzp6ZLJj2iQiDew9yPMRonDzXy54nNH30V3krBHYo3uo2DogzO7Aoimr5ZjBPP5pLWsRkbryqOr7wGKjKCAtSzflGk9bGrnUPxPmrsXWxiBkZUBgVPEq2l4bOSxvbq18AGs81y2rON6K75vWS3q1W71DCNHI4CVhrCTtBCpwW3RU5LZL3DCb5jNTVRe3VzGH52rkvjVX3tQzvWHmchpIacHUuBbddIMLwkYduOpUROiMCoy8j10Oj8G2uH04hSUuRfcl8E2y1F0w4LrFqENfmQGzUTzZAzxF8LqLWTKEy4j26j8KQ85XxzTZcJYrsqoINvqFuQSH4jRsGNDLVYiBDKiJ2AIn5tliQLpL3Cpapy3nRAszgZroiJ0UGh4lCDqtIrG36xssUNL0VvDFaasFup4mgDhwLEq3cmC8a8F1H8EE7a9lOzlBlV9twuWDp5RpwSYI3EEbFA7vUAogD6SlsPTzlKP45scXThRT83NKaP0RtzJNHyPR0R2xvxLapXKrncUY1TadRcejYcgWbbwGMv7bpuxKrNunfJDqPVWXxL9XNTIsrZ8nAdO1e3p2XyahQpwQCLIIPXQitcvAvzl0SNFnI7FmGSAJvIDlmDb4Vi8N7fKRHYGxmjydUjiEfwc7wgXUIkn1yqfKP2pCxYORlcxljAAdva7tL6z8Ed32N97ZpJQ2erttNMXfcd9S6b5jTXkimSnoyYFDuN0fUPezQOP8jt5Bek6MeYfCyIPvee4ZhtVyn47r7FDfhl82WVkn1ql5emLNiift7kC4gmpuFM6zgesp9MruZJmgaK0hNE3B2OiN6GcP6sGnuWZ93vOF1VEx7v3FwhQbTFGB6PtDJLyHd9WoV0nr0xJhkvpnQ6OwzAQGUm1XsnGfDKLFi2jf4qJC12dsUd7MaJn646U0sYeet9zmTUfYWJBi0nP2iIcpq3e4xOKlhtWfmFi2D1I98i0BhfgQrLSSH8n36w69jz50y4CXJWt7aeDtpsEeyIbdPTxIS8waJW7LxHKS9sHerVSDF4OO12LKx2kOG3eKAtxog26RRVefb7V4b4dXuSiRkXzUwjVE0xVG1DLUuUM73DCA65Hyi1iKrq1gB4Q4WCgxzJFzf51NMcjcv9YBLwv9plpLMFszeSkBxeawzitnaE7pgYUCfosAghhnuX7O4UZk0qby1OsXITm4egfMqGW6GLWDQOcGs5vpWSP6lsFE7zkBX7yfSuxx82NpDISnMWENx6hvBjA8br9hAvQTq7Y7H8r4eADNKAcOeRBeNmBCtr6wJUrjV8UDRtQLjQsPS7OeX2LMN1XljDG6aOGvNUinPJ7Ua0474VUvN1JRiOF3lItnWTKEj6b7ZAyn41MX60ryS

LuGGfibLOhACEzycTXhNtlwk8ij1HBuwBa0az78YLwyBL0OSoNgq6b4A7wI69jdnXebDJyNVZtc7W5JiEAN3udAzgAcdzbZCslOH8Chq53JaHK9PZvYOOavBXjaY9kJV5OcQNjVyHCIX0Z2XFZd99QgWg9wZCsrUtXf3ItcPKzhmCIL7qmsjhJWpHpJNX66okXDcU9omC3ekTxoe9BBVs7AZtk00cr6os3xcHXRRR837fETlYivGHGPoLrdDSlyl7020alHlUTdudDTZBOc35zQVniBqUn8GJSaoM3lMLkWXkvzO2D1trmMNRsMPw9dRmcKwpoFqh2NIvhHyGAFiHkOi9YkTuUL9ORShVdzO8KlzJdrKVoi5E4jcyBxAeV6xrN3OyzNDb1k78pJ5KlyzbONgaovZkUzHrb33lQmHQK9qcqIUxB6UbJMP4GPLx7cQA3TfXnM481SAOweTQLBSXOGSyn8OaLjTIs0iHC6kZcVj0lbHC54VGUBRoR1WlOf5LQjpMRGpHr3KMAEOpFHLytewbiSmiA4Gcdz42OIfCVDo10fYnmHPhDHsMXnE8ughwxHIaKWL7BjNZZEkd4853pyJHzcexIUaQh9VvOy8LbyBQNbmTdV4RhEsOa0qC4jZKD5QK4ZXuBKtGZw3xZutWZtIMRhvXhGR1I0mSuMZn8JqHkVZO63MJZcVkwd2yEA8hp4USYfvpMItFhPL6iIwUgRpjpLlv34EuZeizyjhMmz0X0R4eJvp6dobHPKDm39vRe9PdGlH8BUIQ0BsHRhWIOHqLcKUXQ4S7jOlgUnJEtnn3HJ3OZ6nx2GzX6prb5MhBdkuJzFaxqgQFOJlic5AKyifMoyjF6IIRfWZwptou6ZhWZ3ixdi89lGc5fRubvEBRH9z46eAaOrs2su0ThloaLuQ9xFcj3ugDyuCWc91fUx7QOLKkKAqs10yMP9HAbrhukZD71eRhujpow9vV52IDdYLI60gcBAeDqNFYhMsSKuNa3LS8jR3WoCpMu6mkYtE5H6BG5s3T1VPxON5jvShcdvYiQt8HLV4r0SC7kmc1Xk4DX27RacYfmB1mitZMtwhg0yG6k89jQpowJ0quPAhJ3oId6aVth0Y4q1F8zSHTHCXOm3WEyXKnQ9nPR7d004fM8BgRur473xcAB40dnr5tpLnqO0rCOQ2MxkQVWfkg2Nut7XnzNDOATSWbhVW6j0MbXxb9rdktIUJpoH962oMcjRk1t8impOB3tjd9LIhJtu18jGWJV0e5oJ1gnkQs58d3tP5fDautgdTYZlSWlJAoVK5v4FdrSGbjrKlqpcrZYI3QpgGQfWsSER2f3pUdvZXlTjBoWacmKNznQogX8xl6nsPJSgw9snE9US7gOr4eTgi1rPyPj7e7N07GhAKCKFAW4eMzbjOjzEjrtDNvl3IGmRLYCdDLF7TmOdPwtCjsvBUSl9nOWprQ63KmDX67QcNCU7MpXrbTUqlU73NDZYZqPcqVDC2PS7G2f72085AXpkp42pVTA4NtkqokiQWAXUsviqREN3GvWv27xRY5nUpXtmRZTSRsi99E24WLHqfGxsHZyrWB10mdFFb5I1V5lomwFgpNlMY8R3wYqdQxsj7PL0ophYEvVx37GxlTCgL6ED1CAlnUQxxKFBVO29GxiDnu9zs2275lIbkh8WY6KUOy9sBeMG1CKoXbqHCLLCOhFjM3erci2NmQ97ODeQwvPj0zLgkjNJFciylAeEHqCVXgP9G3cuH4fsBwtmr8g2EsijHLVnzJjg34vTUMJrgtcK606Zh1mIkbgPGC6hd6BIhlXVq1R75tP61PuuxXMR57pOSDG2XFEK1CYXUKqgfhsPwjY0hMTpuUNk5jdWuYjzYeey1HKWHFMXPJrIOQUlVoqhY8C7hPSauqNNianUHfWVSu8vUX9TkukX2pBsQFLisZlc7JdgP47vBNaS9gnuQ9Z9fZU3I4dcDNC3j5xlU3epwZvpoTsKsrCt9l7hY

LuGGfibLOhACEzycTXhNtlwk8ij1HBuwBa0az78YLwyBL0OSoNgq6b4A7wI69jdnXebDJyNVZtc7W5JiEAN3udAzgAcdzbZCslOH8Chq53JaHK9PZvYOOavBXjaY9kJV5OcQNjVyHCIX0Z2XFZd99QgWg9wZCsrUtXf3ItcPKzhmCIL7qmsjhJWpHpJNX66okXDcU9omC3ekTxoe9BBVs7AZtk00cr6os3xcHXRRR837fETlYivGHGPoLrdDSlyl7020alHlUTdudDTZBOc35zQVniBqUn8GJSaoM3lMLkWXkvzO2D1trmMNRsMPw9dRmcKwpoFqh2NIvhHyGAFiHkOi9YkTuUL9ORShVdzO8KlzJdrKVoi5E4jcyBxAeV6xrN3OyzNDb1k78pJ5KlyzbONgaovZkUzHrb33lQmHQK9qcqIUxB6UbJMP4GPLx7cQA3TfXnM481SAOweTQLBSXOGSyn8OaLjTIs0iHC6kZcVj0lbHC54VGUBRoR1WlOf5LQjpMRGpHr3KMAEOpFHLytewbiSmiA4Gcdz42OIfCVDo10fYnmHPhDHsMXnE8ughwxHIaKWL7BjNZZEkd4853pyJHzcexIUaQh9VvOy8LbyBQNbmTdV4RhEsOa0qC4jZKD5QK4ZXuBKtGZw3xZutWZtIMRhvXhGR1I0mSuMZn8JqHkVZO63MJZcVkwd2yEA8hp4USYfvpMItFhPL6iIwUgRpjpLlv34EuZeizyjhMmz0X0R4eJvp6dobHPKDm39vRe9PdGlH8BUIQ0BsHRhWIOHqLcKUXQ4S7jOlgUnJEtnn3HJ3OZ6nx2GzX6prb5MhBdkuJzFaxqgQFOJlic5AKyifMoyjF6IIRfWZwptou6ZhWZ3ixdi89lGc5fRubvEBRH9z46eAaOrs2su0ThloaLuQ9xFcj3ugDyuCWc91fUx7QOLKkKAqs10yMP9HAbrhukZD71eRhujpow9vV52IDdYLI60gcBAeDqNFYhMsSKuNa3LS8jR3WoCpMu6mkYtE5H6BG5s3T1VPxON5jvShcdvYiQt8HLV4r0SC7kmc1Xk4DX27RacYfmB1mitZMtwhg0yG6k89jQpowJ0quPAhJ3oId6aVth0Y4q1F8zSHTHCXOm3WEyXKnQ9nPR7d004fM8BgRur473xcAB40dnr5tpLnqO0rCOQ2MxkQVWfkg2Nut7XnzNDOATSWbhVW6j0MbXxb9rdktIUJpoH962oMcjRk1t8impOB3tjd9LIhJtu18jGWJV0e5oJ1gnkQs58d3tP5fDautgdTYZlSWlJAoVK5v4FdrSGbjrKlqpcrZYI3QpgGQfWsSER2f3pUdvZXlTjBoWacmKNznQogX8xl6nsPJSgw9snE9US7gOr4eTgi1rPyPj7e7N07GhAKCKFAW4eMzbjOjzEjrtDNvl3IGmRLYCdDLF7TmOdPwtCjsvBUSl9nOWprQ63KmDX67QcNCU7MpXrbTUqlU73NDZYZqPcqVDC2PS7G2f72085AXpkp42pVTA4NtkqokiQWAXUsviqREN3GvWv27xRY5nUpXtmRZTSRsi99E24WLHqfGxsHZyrWB10mdFFb5I1V5lomwFgpNlMY8R3wYqdQxsj7PL0ophYEvVx37GxlTCgL6ED1CAlnUQxxKFBVO29GxiDnu9zs2275lIbkh8WY6KUOy9sBeMG1CKoXbqHCLLCOhFjM3erci2NmQ97ODeQwvPj0zLgkjNJFciylAeEHqCVXgP9G3cuH4fsBwtmr8g2EsijHLVnzJjg34vTUMJrgtcK606Zh1mIkbgPGC6hd6BIhlXVq1R75tP61PuuxXMR57pOSDG2XFEK1CYXUKqgfhsPwjY0hMTpuUNk5jdWuYjzYeey1HKWHFMXPJrIOQUlVoqhY8C7hPSauqNNianUHfWVSu8vUX9TkukX2pBsQFLisZlc7JdgP47vBNaS9gnuQ9Z9fZU3I4dcDNC3j5xlU3epwZvpoTsKsrCt9l7hY

Please contact the application's support team for more information.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

operator

operator

ADVAPI32.DLL

ADVAPI32.DLL

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

portuguese-brazilian

portuguese-brazilian

KERNEL32.dll

KERNEL32.dll

RegOpenKeyExW

RegOpenKeyExW

ADVAPI32.dll

ADVAPI32.dll

OLEAUT32.dll

OLEAUT32.dll

mscoree.dll

mscoree.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

JQpRxmAGvMD9V8POG6llIXOxIwzbRYadqHl2HMZmdvnOsukS95EPnvwWb2ibXyYHMASoWWh3g8hnJafnlRcVtvZ5kz1ODYzPGQb1VVfSHQbl9jNn95sZ7e3z4e706msQTeqzMdWvZBS7R5vzL2kQX1mbzD8RYoWvyvC42oL6i79Fv6S9SIpdcL211oaiffGLPxIwDAGw6LxLi03e4LWTtkN036EAfdqm4bPGyuIJV9nJz85lFcAXbsDMe2kj5ep2ukRhlwPJdn8u6eB4bs4cMDlLIcBFkyNQUvoorYaiw1TYxNHeHIKzEkpnEX2FmZCrqAlALhBpzadf1NaxKWP4QGh6uPjurjcIXJW7CgDAhvaEgkw0XF5AkHLUtpg57g7q7Fsr1c5DsoXvGNZk6srxxOcafUmNAG423Q7hq3GAedYR4gjoKbb9eKI9jSN5tJV2ic1W4T5cW0suZuf8L8dzF5Xsh77IpKhEs6I1pwu0f8nnrokYNOuuOqshQ4inX69kfnR1YPzfwqqaNMRsoteGdgvZeDrmjINgsGlE03R5h2iy9sDemZ8E1Dg922Xuxm5YMkRhBmCuMiyl86ZW9n9uJjoZ4zKj3hffhk5gtjyOpi8GCllgL7wsmOSBA7lEgPKyzinbdqOnNSmUNa9ToEH6VW3DBEQw83HKHKgt7kcvtiODB8Xz8CpMhNMNpUJJhZKgYOIQy33EBJ8qoT7wMShRygJVJspVU7i54mW6NwVbgUueNepEPsnzR2SRfXgfNiTEAdvb6aTp7gLOVEhEcUgBTSncEf1ZqPx8vWjVa38j7thPuGY0LV2aJ2qAAgg9AF9olGz7RUTvvpD6LK1KTc4aYRvDGTv4X8SBt3EYh1i0bHOtytYZoFqyL9zEl5A7zZHwGcMSth3Tr6aAgVkOPLKt9jFybAFb7Tr87ak90qFupWuB62GOmSfVXyMVN3P2L1VIPcDgKkYygpenYeCj31ZoNGkIyzv6KMSxaWW4yAdcI4bkvlb0qLSxZHQ0G3ZCBMKyCuKOCCbcIQLen2NLxVLgeriU3anwvPR5tNSaKxxYKQYi5LNOqoePbEuklZVCoPQ39PVJjMaayXGyNgPO5GVbSE3bOFFPEXq96tzCuCFp1wzq9Ixf9be0YhZs2BY0YP2efqztRmtDbFkwfMcgiAQDSzlYEgK2OOAmDulSjdxWRKZs7DmpOGKtbXAUa0TF0oHNxwQBbx8FZ0v3SlZipLUmhJ5EUtgujDdn8F98B1UqHeDlBGbZaKqoDuGYBlQRrOwwXi5mm1Qy1EPcfUcorrtIqKunUmtuJKMKCW5IsYTzrlB7dhjxtqxhmdHbpAEY4Lv4rY5SqplnTv6fjwjNc6atmExyp4s2t5EQ0HPolBgeeky1hC23q0V8KbRXi0EiVwS3fn7PjvmhotUDcQScSkkGqXA3CwMt08P0D7LnxxQ9ZvBtNKiCiBALmlMsWdmWS2qpO4aeeEPuDkR5wgp2oklyIeOsvtBuNiDFpWMKB2BXejjo8va6huIgZHHWRa96sOnM2Yd8lnvMth9PJADCaOhtKwPRpZ2A3EFA6GwkrcV385WSI2nrHG5OH3cFivTvu5TZCYQ9o58zKc31h593KpB5ND0VavH9ovWZqs0BuXZHNDkkrWnhCvXDubf87492x9loqdLYfHIWz4sksQEniAH3IsEon1EAY7jOs64nSk6VYaWtuojHDIK0AePOXBEMtHxThvUvxoTtBK6xLpGg5F10WMXytf9qQuBqMcm8EXkpYryZirdH4xRYPH7FHvbrpDMgiPVIdHLhi3OmM5HlDnniiwg1WoZrTDIakakeJOWS0fcdrbLWTU3VLh6KEiFDMRtPuOcMUDMZBEsdtdKUMdH9JXyddJJAjsfiWwSN99bqhethhFDQfUFfnHQvw04PvVnPq3CXVoOeHIlUh1dum61og25r2P2uiDRQfAKndP50fBHPv6oFXKCy48Jx7l5fwt6e0EPQrZrGbajPvp56

JQpRxmAGvMD9V8POG6llIXOxIwzbRYadqHl2HMZmdvnOsukS95EPnvwWb2ibXyYHMASoWWh3g8hnJafnlRcVtvZ5kz1ODYzPGQb1VVfSHQbl9jNn95sZ7e3z4e706msQTeqzMdWvZBS7R5vzL2kQX1mbzD8RYoWvyvC42oL6i79Fv6S9SIpdcL211oaiffGLPxIwDAGw6LxLi03e4LWTtkN036EAfdqm4bPGyuIJV9nJz85lFcAXbsDMe2kj5ep2ukRhlwPJdn8u6eB4bs4cMDlLIcBFkyNQUvoorYaiw1TYxNHeHIKzEkpnEX2FmZCrqAlALhBpzadf1NaxKWP4QGh6uPjurjcIXJW7CgDAhvaEgkw0XF5AkHLUtpg57g7q7Fsr1c5DsoXvGNZk6srxxOcafUmNAG423Q7hq3GAedYR4gjoKbb9eKI9jSN5tJV2ic1W4T5cW0suZuf8L8dzF5Xsh77IpKhEs6I1pwu0f8nnrokYNOuuOqshQ4inX69kfnR1YPzfwqqaNMRsoteGdgvZeDrmjINgsGlE03R5h2iy9sDemZ8E1Dg922Xuxm5YMkRhBmCuMiyl86ZW9n9uJjoZ4zKj3hffhk5gtjyOpi8GCllgL7wsmOSBA7lEgPKyzinbdqOnNSmUNa9ToEH6VW3DBEQw83HKHKgt7kcvtiODB8Xz8CpMhNMNpUJJhZKgYOIQy33EBJ8qoT7wMShRygJVJspVU7i54mW6NwVbgUueNepEPsnzR2SRfXgfNiTEAdvb6aTp7gLOVEhEcUgBTSncEf1ZqPx8vWjVa38j7thPuGY0LV2aJ2qAAgg9AF9olGz7RUTvvpD6LK1KTc4aYRvDGTv4X8SBt3EYh1i0bHOtytYZoFqyL9zEl5A7zZHwGcMSth3Tr6aAgVkOPLKt9jFybAFb7Tr87ak90qFupWuB62GOmSfVXyMVN3P2L1VIPcDgKkYygpenYeCj31ZoNGkIyzv6KMSxaWW4yAdcI4bkvlb0qLSxZHQ0G3ZCBMKyCuKOCCbcIQLen2NLxVLgeriU3anwvPR5tNSaKxxYKQYi5LNOqoePbEuklZVCoPQ39PVJjMaayXGyNgPO5GVbSE3bOFFPEXq96tzCuCFp1wzq9Ixf9be0YhZs2BY0YP2efqztRmtDbFkwfMcgiAQDSzlYEgK2OOAmDulSjdxWRKZs7DmpOGKtbXAUa0TF0oHNxwQBbx8FZ0v3SlZipLUmhJ5EUtgujDdn8F98B1UqHeDlBGbZaKqoDuGYBlQRrOwwXi5mm1Qy1EPcfUcorrtIqKunUmtuJKMKCW5IsYTzrlB7dhjxtqxhmdHbpAEY4Lv4rY5SqplnTv6fjwjNc6atmExyp4s2t5EQ0HPolBgeeky1hC23q0V8KbRXi0EiVwS3fn7PjvmhotUDcQScSkkGqXA3CwMt08P0D7LnxxQ9ZvBtNKiCiBALmlMsWdmWS2qpO4aeeEPuDkR5wgp2oklyIeOsvtBuNiDFpWMKB2BXejjo8va6huIgZHHWRa96sOnM2Yd8lnvMth9PJADCaOhtKwPRpZ2A3EFA6GwkrcV385WSI2nrHG5OH3cFivTvu5TZCYQ9o58zKc31h593KpB5ND0VavH9ovWZqs0BuXZHNDkkrWnhCvXDubf87492x9loqdLYfHIWz4sksQEniAH3IsEon1EAY7jOs64nSk6VYaWtuojHDIK0AePOXBEMtHxThvUvxoTtBK6xLpGg5F10WMXytf9qQuBqMcm8EXkpYryZirdH4xRYPH7FHvbrpDMgiPVIdHLhi3OmM5HlDnniiwg1WoZrTDIakakeJOWS0fcdrbLWTU3VLh6KEiFDMRtPuOcMUDMZBEsdtdKUMdH9JXyddJJAjsfiWwSN99bqhethhFDQfUFfnHQvw04PvVnPq3CXVoOeHIlUh1dum61og25r2P2uiDRQfAKndP50fBHPv6oFXKCy48Jx7l5fwt6e0EPQrZrGbajPvp56

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

X l.dlT

X l.dlT

v2.0.50727

v2.0.50727

TheHostV.dll

TheHostV.dll

System.Reflection

System.Reflection

.cctor

.cctor

kernel32.dll

kernel32.dll

System.Threading

System.Threading

.ctor

.ctor

System.IO

System.IO

System.Collections.Generic

System.Collections.Generic

orderCmd

orderCmd

isChromeInstalled

isChromeInstalled

OperatingSystem

OperatingSystem

Firefox

Firefox

Chrome

Chrome

System.Xml

System.Xml

System.Collections

System.Collections

urllist

urllist

get_Urls

get_Urls

System.Globalization

System.Globalization

Urls

Urls

System.Windows.Forms

System.Windows.Forms

WebBrowser

WebBrowser

mappurl

mappurl

System.ComponentModel

System.ComponentModel

System.Collections.Specialized

System.Collections.Specialized

System.Windows.Forms.Layout

System.Windows.Forms.Layout

System.Text.RegularExpressions

System.Text.RegularExpressions

WebClient

WebClient

System.Net

System.Net

IWebProxy

IWebProxy

System.Text

System.Text

System.Drawing

System.Drawing

RemoteProcess.Controls

RemoteProcess.Controls

webBrowser1

webBrowser1

get_Url

get_Url

set_Url

set_Url

user32.dll

user32.dll

ISupportInitialize

ISupportInitialize

instalarEXE

instalarEXE

System.Diagnostics

System.Diagnostics

WebRequest

WebRequest

HttpWebRequest

HttpWebRequest

WebResponse

WebResponse

WebHeaderCollection

WebHeaderCollection

HttpStatusCode

HttpStatusCode

HttpWebResponse

HttpWebResponse

displayUrl

displayUrl

appUrl

appUrl

appUrlNotNormalized

appUrlNotNormalized

silentreport

silentreport

reporturl

reporturl

policyUrl

policyUrl

uninstallurl

uninstallurl

ADWurl

ADWurl

AddUninstallUrls

AddUninstallUrls

IsValidUrl

IsValidUrl

RegistryKey

RegistryKey

Microsoft.Win32

Microsoft.Win32

System.Security.Principal

System.Security.Principal

checkkey

checkkey

get_Checkkey

get_Checkkey

set_Checkkey

set_Checkkey

Checkkey

Checkkey

RegKey

RegKey

NoRegKey

NoRegKey

RemotoProces.Properties

RemotoProces.Properties

System.Configuration

System.Configuration

KERNEL32.DLL

KERNEL32.DLL

lpKeyName

lpKeyName

dictionaryurl

dictionaryurl

appurl

appurl

ProcessWindowStyle

ProcessWindowStyle

FindExecutableA

FindExecutableA

FindExecutable

FindExecutable

shell32.dll

shell32.dll

urlConfig

urlConfig

templateUrl

templateUrl

dockungUrl

dockungUrl

GratitudeUrl

GratitudeUrl

AbortedUrl

AbortedUrl

SilentAbortUrl

SilentAbortUrl

domainurl

domainurl

WebmasterId

WebmasterId

System.Management

System.Management

WindowsIdentity

WindowsIdentity

WindowsPrincipal

WindowsPrincipal

WindowsBuiltInRole

WindowsBuiltInRole

CreateSubKey

CreateSubKey

EnumerateSubKeys

EnumerateSubKeys

WOW64_32Key

WOW64_32Key

WOW64_64Key

WOW64_64Key

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

RegOpenKeyEx

RegOpenKeyEx

Advapi32.dll

Advapi32.dll

hKey

hKey

lpSubKey

lpSubKey

RegCloseKey

RegCloseKey

advapi32.dll

advapi32.dll

GetRegKey64

GetRegKey64

inKeyName

inKeyName

GetRegKey32

GetRegKey32

in32or64key

in32or64key

StaticRegkey

StaticRegkey

Getkey

Getkey

RegistryKeys

RegistryKeys

ScreenOperations

ScreenOperations

HijoInstalado

HijoInstalado

HttpRequestHeader

HttpRequestHeader

urlLoading

urlLoading

xmlUrl

xmlUrl

trackUrl

trackUrl

staticUrl

staticUrl

keyword

keyword

get_UrlLoading

get_UrlLoading

set_UrlLoading

set_UrlLoading

get_XmlUrl

get_XmlUrl

set_XmlUrl

set_XmlUrl

get_TrackUrl

get_TrackUrl

set_TrackUrl

set_TrackUrl

get_StaticUrl

get_StaticUrl

set_StaticUrl

set_StaticUrl

get_Keyword

get_Keyword

set_Keyword

set_Keyword

UrlLoading

UrlLoading

XmlUrl

XmlUrl

TrackUrl

TrackUrl

StaticUrl

StaticUrl

Keyword

Keyword

ExtendedWebClient

ExtendedWebClient

GetWebRequest

GetWebRequest

user32.DLL

user32.DLL

wMsg

wMsg

WebBrowserDocumentCompletedEventArgs

WebBrowserDocumentCompletedEventArgs

wbMain_PreviewKeyDown

wbMain_PreviewKeyDown

PreviewKeyDownEventArgs

PreviewKeyDownEventArgs

Keys

Keys

FormWindowState

FormWindowState

WebBrowserReadyState

WebBrowserReadyState

System.Net.Configuration

System.Net.Configuration

Microsoft.mshtml

Microsoft.mshtml

Trackingurls

Trackingurls

graphiteUrl

graphiteUrl

lastXmlurl

lastXmlurl

uninstallurls

uninstallurls

checkurls

checkurls

get_GraphiteUrl

get_GraphiteUrl

set_GraphiteUrl

set_GraphiteUrl

get_LastXmlurl

get_LastXmlurl

set_LastXmlurl

set_LastXmlurl

keystring

keystring

generateUrl

generateUrl

openUrl

openUrl

sendByUDP

sendByUDP

port

port

webtrack

webtrack

System.Security.Cryptography

System.Security.Cryptography

System.Net.Sockets

System.Net.Sockets

GraphiteUrl

GraphiteUrl

LastXmlurl

LastXmlurl

urlXML

urlXML

urlStatic

urlStatic

urlTracker

urlTracker

DownloadUrl

DownloadUrl

_downloadUrls

_downloadUrls

urls

urls

System.IO.Compression

System.IO.Compression

InvalidOperationException

InvalidOperationException

apiurl

apiurl

get_Apiurl

get_Apiurl

set_Apiurl

set_Apiurl

Apiurl

Apiurl

{B5A74BFD-C62B-4AB3-8413-5D0E6C4D2AFC}

{B5A74BFD-C62B-4AB3-8413-5D0E6C4D2AFC}

System.Resources

System.Resources

System.Runtime.CompilerServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Runtime.InteropServices

System.CodeDom.Compiler

System.CodeDom.Compiler

RemoteProcess.Contact.resources

RemoteProcess.Contact.resources

RemoteProcess.Controls.Banner.resources

RemoteProcess.Controls.Banner.resources

RemoteProcess.Controls.Form1.resources

RemoteProcess.Controls.Form1.resources

RemoteProcess.Debug.resources

RemoteProcess.Debug.resources

RemoteProcess.MainForm.resources

RemoteProcess.MainForm.resources

Join

Join

set_UseShellExecute

set_UseShellExecute

get_DefaultWebProxy

get_DefaultWebProxy

OpenSubKey

OpenSubKey

GetSubKeyNames

GetSubKeyNames

set_WindowStyle

set_WindowStyle

WebException

WebException

set_WindowState

set_WindowState

set_WebBrowserShortcutsEnabled

set_WebBrowserShortcutsEnabled

WebBrowserDocumentCompletedEventHandler

WebBrowserDocumentCompletedEventHandler

PreviewKeyDownEventHandler

PreviewKeyDownEventHandler

add_PreviewKeyDown

add_PreviewKeyDown

set_IsInputKey

set_IsInputKey

get_KeyCode

get_KeyCode

get_WindowState

get_WindowState

get_ExecutablePath

get_ExecutablePath

set_TransparencyKey

set_TransparencyKey

set_AllowWebBrowserDrop

set_AllowWebBrowserDrop

set_IsWebBrowserContextMenuEnabled

set_IsWebBrowserContextMenuEnabled

set_Key

set_Key

get_Key

get_Key

ConfuserEx v0.1.0-21-g8d974cf

ConfuserEx v0.1.0-21-g8d974cf

7.7.6.7

7.7.6.7

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

11.0.0.0

11.0.0.0

...LXXX

...LXXX

rv2.0.50727

rv2.0.50727

v4.0.30319

v4.0.30319

RemoteProcess.Program

RemoteProcess.Program

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

c:\%original file name%.exe

c:\%original file name%.exe

%original file name%.exe_1876_rwx_004CF000_00002000:

(CS`)?Nj(>Lp(>LuŸx

(CS`)?Nj(>Lp(>LuŸx

kernel32.dll

kernel32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExW

RegOpenKeyExW

OLEAUT32.dll

OLEAUT32.dll

mscoree.dll

mscoree.dll

%sy5|l

%sy5|l

%original file name%.exe_1876_rwx_00AA2000_00009000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dfsD.tmp

%original file name%.exe_1876_rwx_02EDB000_00001000:

v2.0.50727

v2.0.50727

%original file name%.exe_1876_rwx_02F15000_00001000:

ntdll.dll

ntdll.dll

%original file name%.exe_1876_rwx_032B0000_00010000:

l.dlf

l.dlf