Skip to main content

Gen.Variant.Mikey.17205_f813a93cc9


Gen:Variant.Mikey.17205 (B) (Emsisoft), Gen:Variant.Mikey.17205 (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: f813a93cc9d88d18caf833f24384c0b7

SHA1: 7698918605c8e77333dc8fe82bc9208b56d4862d

SHA256: 6d2d566acda63e7708cf39d72ea2becf437e263d66ca8877cc806f582ac1e0b0

SSDeep: 24576:2GlUiqdfScB40gJYgGMRLKZz73VtSqb3 h:NladfS84LCgGMEBke h

Size: 983756 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: no certificate found

Created at: 2015-06-05 21:49:16

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:320
Setup.exe:452

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:

78ec8a3ee6fb41d9611148b90a933eaaWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutex

File activity

The process %original file name%.exe:320 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NVCDHR82\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGPAT4R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INOPCVW3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5GKUFH0P\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:320 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 0C 6F CC AA 18 9B B2 71 17 53 D6 CE 4A A9 6E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process Setup.exe:452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"setup.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS]
"setup.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"setup.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 7A EB 65 AD 97 78 9F 1F E2 35 86 87 36 4A AB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:320
    Setup.exe:452

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\NVCDHR82\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QXGPAT4R\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INOPCVW3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5GKUFH0P\desktop.ini (67 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Install Assistant
Product Name: HD Player
Product Version: 3.0.0.105
Legal Copyright: (c) Install Assistant
Legal Trademarks:
Original Filename: Setup_v3.206.exe
Internal Name: Setup_v3.206.exe
File Version: 3.0.0.105
File Description: HD Player
Comments:
Language: Language Neutral

Company Name: Install AssistantProduct Name: HD Player Product Version: 3.0.0.105Legal Copyright: (c) Install AssistantLegal Trademarks: Original Filename: Setup_v3.206.exeInternal Name: Setup_v3.206.exeFile Version: 3.0.0.105File Description: HD Player Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40965882885882884.69314db03a44a1b6be0df4688da13dd9a9e15
.rdata5939201536001536004.174982c3e71abcd9b6f69610b956d3a014fa9
.data7495685360492162.8059d97a37de97a69e2b020227b3224cb4ec
.rsrc8069121757681761285.46255195f2e2e80f749e7dc75fd4fc35166e7
.reloc98304050784512003.9744736c29761b6d520e3daae44cffd0725ca

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 58
0702ce4b38ed6f5bc4ab1a0599c41eb3
ef84949a8f96c8aaf30dc06cf2613cac
cf01a8df723bda5647ebb9b7e086f390
c07bcb73b6da1cb92ae80f3a1c68df8c
a73d22a4ff9e5e99447cbe530704d495
98028c0e8395abda4bbc54f3f9f0b1b7
8b71476006381489d17756e623d71b1a
37f71eb2a47861fdff5615bbe4bd5171
32161c0af38094fa64e3176089430e51
1d7228e2995738e03067d75193e33959
15c50be266618178390e9ac12dabfdca
1339386a8d7635df1bfbcafbe5c74607
fe90e24e3319c22dc21155e7c4e7abb2
29342c4f34d54d90a7ae4beb8903838b
26ad89273ce42160801bdb53a83e5904
faa9019c89db3745f0a6fc68540422ee
e2243ef8ab69486e02f05549d9d2b0c4
bcc90bbc21b59a2be6c49f70044da97a
94a63aabfa7562d1c9e186baea4fe89a
8dfcb55ae5756e456c1977e8bcf01645
7bf15f59b972fc2c636c6cf9592cb0d7
68f1efe2aa68c0949471c4f248c0202f
44382ad2539ef5e3f77c369501838997
04b78907360a5b5cce49449c0aa9b527
0285de746776f92c82abfb637d26136f

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_320:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

eexef

eexef

PSSSSSSh

PSSSSSSh

>.YYu

>.YYu

VWj%S

VWj%S

?%u/F

?%u/F

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

KERNEL32.dll

KERNEL32.dll

&&&&6666????

&&&&6666????

""""****

""""****

2222::::

2222::::

$$$$\\\\

$$$$\\\\

00006666

00006666

####====

####====

function

function

function '%s'

function '%s'

(...tail calls...)

(...tail calls...)

%s:%d:

%s:%d:

%s: %s

%s: %s

stack overflow (%s)

stack overflow (%s)

cannot %s %s: %s

cannot %s %s: %s

%s: %p

%s: %p

name conflict for module '%s'

name conflict for module '%s'

PANIC: unprotected error in call to Lua API (%s)

PANIC: unprotected error in call to Lua API (%s)

version mismatch: app. needs %f, Lua core provides %f

version mismatch: app. needs %f, Lua core provides %f

bad argument #%d to '%s' (%s)

bad argument #%d to '%s' (%s)

calling '%s' on bad self (%s)

calling '%s' on bad self (%s)

bad argument #%d (%s)

bad argument #%d (%s)

%s expected, got %s

%s expected, got %s

@invalid option '%s'

@invalid option '%s'

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

%s:%d: %s

%s:%d: %s

attempt to %s %s '%s' (a %s value)

attempt to %s %s '%s' (a %s value)

attempt to %s a %s value

attempt to %s a %s value

attempt to compare %s with %s

attempt to compare %s with %s

attempt to compare two %s values

attempt to compare two %s values

invalid option '%%%c' to 'lua_pushfstring'

invalid option '%%%c' to 'lua_pushfstring'

attempt to load a %s chunk (mode is '%s')

attempt to load a %s chunk (mode is '%s')

error in __gc metamethod (%s)

error in __gc metamethod (%s)

Ainvalid key to 'next'

Ainvalid key to 'next'

upvaluejoin

upvaluejoin

_HKEY

_HKEY

invalid capture index %%%d

invalid capture index %%%d

missing '[' after '%%f' in pattern

missing '[' after '%%f' in pattern

^$* ?.([%-

^$* ?.([%-

invalid use of '%c' in replacement string

invalid use of '%c' in replacement string

invalid replacement value (a %s)

invalid replacement value (a %s)

\d

\d

invalid option '%%%c' to 'format'

invalid option '%%%c' to 'format'

@field '%s' missing in date table

@field '%s' missing in date table

invalid conversion specifier '%%%s'

invalid conversion specifier '%%%s'

cannot open file '%s' (%s)

cannot open file '%s' (%s)

standard %s file is closed

standard %s file is closed

invalid value (%s) at index %d in table for 'concat'

invalid value (%s) at index %d in table for 'concat'

system error %d

system error %d

no file '%s'

no file '%s'

'package.%s' must be a string

'package.%s' must be a string

error loading module '%s' from file '%s':

error loading module '%s' from file '%s':

luaopen_%s

luaopen_%s

no module '%s' in file '%s'

no module '%s' in file '%s'

no field package.preload['%s']

no field package.preload['%s']

module '%s' not found:%s

module '%s' not found:%s

'package.searchers' must be a table

'package.searchers' must be a table

!\?.dll;!\loadall.dll;.\?.dll

!\?.dll;!\loadall.dll;.\?.dll

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

too many %s (limit is %d)

too many %s (limit is %d)

char(%d)

char(%d)

%s near %s

%s near %s

%s expected

%s expected

too many %s (limit is %d) in %s

too many %s (limit is %d) in %s

function at line %d

function at line %d

%s expected (to close %s at line %d)

%s expected (to close %s at line %d)

at line %d jumps into the scope of local '%s'

at line %d jumps into the scope of local '%s'

no visible label '%s' for at line %d

no visible label '%s' for at line %d

at line %d not inside a loop

at line %d not inside a loop

label '%s' already defined on line %d

label '%s' already defined on line %d

%s: %s precompiled chunk

%s: %s precompiled chunk

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

cmd.exe

cmd.exe

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

?#%X.y

?#%X.y

%S#[k

%S#[k

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

operator

operator

xml=hXXp://VVV.w3.org/XML/1998/namespace

xml=hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/2000/xmlns/

hXXp://VVV.w3.org/2000/xmlns/

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

bit library self-test failed (%s)

bit library self-test failed (%s)

crash report crypt failed

crash report crypt failed

) on url:

) on url:

CoInternetParseUrl failed (

CoInternetParseUrl failed (

unsupported

unsupported

Unsupported data type

Unsupported data type

lxp `%s' callback is not a function

lxp `%s' callback is not a function

error closing parser: %s

error closing parser: %s

LuaExpat 1.3.0

LuaExpat 1.3.0

requested feature requires XML_DTD support in Expat

requested feature requires XML_DTD support in Expat

unexpected parser state - please send a bug report

unexpected parser state - please send a bug report

POWRPROF.dll

POWRPROF.dll

CoInternetParseUrl

CoInternetParseUrl

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

VERSION.dll

VERSION.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

ry7reexe?e>7rys

ry7reexe?e>7rys

io.stdout:setvbuf('no')

io.stdout:setvbuf('no')

package.path = ''

package.path = ''

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

package.path=''

package.path=''

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

if r ~= nil then r = ml.tstring(r) end

if r ~= nil then r = ml.tstring(r) end

foundation.encoding

foundation.encoding

foundation._http

foundation._http

foundation.logic

foundation.logic

foundation.misc

foundation.misc

foundation.zip

foundation.zip

join

join

key_exists

key_exists

create_key

create_key

enumerate_subkeys

enumerate_subkeys

enumerate_subkeys_next

enumerate_subkeys_next

enumerate_subkeys_close

enumerate_subkeys_close

delete_key

delete_key

shell_execute_ex

shell_execute_ex

load_exe_resource

load_exe_resource

hsb.gy

hsb.gy

QUvE(^&.yf

QUvE(^&.yf

@^2B%sG

@^2B%sG

0%XZj

0%XZj

CG.Wi

CG.Wi

\%xI2j

\%xI2j

.HztL

.HztL

j&?*@%c

j&?*@%c

W.WPzq=

W.WPzq=

|y%sJz\_=E

|y%sJz\_=E

Fxx$a>9.Yc

Fxx$a>9.Yc

.VFIS

.VFIS

CL%-r}A

CL%-r}A

X O%uPAUz

X O%uPAUz

?,?8?[?~?

?,?8?[?~?

5'5-525?5

5'5-525?5

4%4.4;4@4

4%4.4;4@4

3%3S3[3a3l3v3

3%3S3[3a3l3v3

= =$=(=,=

= =$=(=,=

7(7,70747

7(7,70747

8 8$8(8,8084888

8 8$8(8,8084888

? ?$?(?[?

? ?$?(?[?

4#4'4 4/43474

4#4'4 4/43474

1 11

1 11

=#>5>[>~>

=#>5>[>~>

8Å“9

8Å“9

,=0=4=8=

,=0=4=8=

: :$:(:,:0:4:

: :$:(:,:0:4:

4 4@4`4|4

4 4@4`4|4

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

nKERNEL32.DLL

nKERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

IDispatch error #%d

IDispatch error #%d

" --crash_report="

" --crash_report="

crash_report

crash_report

errorUrl

errorUrl

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

3.0.0.105

3.0.0.105

Setup_v3.206.exe

Setup_v3.206.exe

Setup.exe_452:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

eexef

eexef

PSSSSSSh

PSSSSSSh

>.YYu

>.YYu

VWj%S

VWj%S

?%u/F

?%u/F

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

KERNEL32.dll

KERNEL32.dll

&&&&6666????

&&&&6666????

""""****

""""****

2222::::

2222::::

$$$$\\\\

$$$$\\\\

00006666

00006666

####====

####====

function

function

function '%s'

function '%s'

(...tail calls...)

(...tail calls...)

%s:%d:

%s:%d:

%s: %s

%s: %s

stack overflow (%s)

stack overflow (%s)

cannot %s %s: %s

cannot %s %s: %s

%s: %p

%s: %p

name conflict for module '%s'

name conflict for module '%s'

PANIC: unprotected error in call to Lua API (%s)

PANIC: unprotected error in call to Lua API (%s)

version mismatch: app. needs %f, Lua core provides %f

version mismatch: app. needs %f, Lua core provides %f

bad argument #%d to '%s' (%s)

bad argument #%d to '%s' (%s)

calling '%s' on bad self (%s)

calling '%s' on bad self (%s)

bad argument #%d (%s)

bad argument #%d (%s)

%s expected, got %s

%s expected, got %s

@invalid option '%s'

@invalid option '%s'

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

%s:%d: %s

%s:%d: %s

attempt to %s %s '%s' (a %s value)

attempt to %s %s '%s' (a %s value)

attempt to %s a %s value

attempt to %s a %s value

attempt to compare %s with %s

attempt to compare %s with %s

attempt to compare two %s values

attempt to compare two %s values

invalid option '%%%c' to 'lua_pushfstring'

invalid option '%%%c' to 'lua_pushfstring'

attempt to load a %s chunk (mode is '%s')

attempt to load a %s chunk (mode is '%s')

error in __gc metamethod (%s)

error in __gc metamethod (%s)

Ainvalid key to 'next'

Ainvalid key to 'next'

upvaluejoin

upvaluejoin

_HKEY

_HKEY

invalid capture index %%%d

invalid capture index %%%d

missing '[' after '%%f' in pattern

missing '[' after '%%f' in pattern

^$* ?.([%-

^$* ?.([%-

invalid use of '%c' in replacement string

invalid use of '%c' in replacement string

invalid replacement value (a %s)

invalid replacement value (a %s)

\d

\d

invalid option '%%%c' to 'format'

invalid option '%%%c' to 'format'

@field '%s' missing in date table

@field '%s' missing in date table

invalid conversion specifier '%%%s'

invalid conversion specifier '%%%s'

cannot open file '%s' (%s)

cannot open file '%s' (%s)

standard %s file is closed

standard %s file is closed

invalid value (%s) at index %d in table for 'concat'

invalid value (%s) at index %d in table for 'concat'

system error %d

system error %d

no file '%s'

no file '%s'

'package.%s' must be a string

'package.%s' must be a string

error loading module '%s' from file '%s':

error loading module '%s' from file '%s':

luaopen_%s

luaopen_%s

no module '%s' in file '%s'

no module '%s' in file '%s'

no field package.preload['%s']

no field package.preload['%s']

module '%s' not found:%s

module '%s' not found:%s

'package.searchers' must be a table

'package.searchers' must be a table

!\?.dll;!\loadall.dll;.\?.dll

!\?.dll;!\loadall.dll;.\?.dll

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

too many %s (limit is %d)

too many %s (limit is %d)

char(%d)

char(%d)

%s near %s

%s near %s

%s expected

%s expected

too many %s (limit is %d) in %s

too many %s (limit is %d) in %s

function at line %d

function at line %d

%s expected (to close %s at line %d)

%s expected (to close %s at line %d)

at line %d jumps into the scope of local '%s'

at line %d jumps into the scope of local '%s'

no visible label '%s' for at line %d

no visible label '%s' for at line %d

at line %d not inside a loop

at line %d not inside a loop

label '%s' already defined on line %d

label '%s' already defined on line %d

%s: %s precompiled chunk

%s: %s precompiled chunk

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

cmd.exe

cmd.exe

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

?#%X.y

?#%X.y

%S#[k

%S#[k

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

operator

operator

xml=hXXp://VVV.w3.org/XML/1998/namespace

xml=hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/2000/xmlns/

hXXp://VVV.w3.org/2000/xmlns/

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

bit library self-test failed (%s)

bit library self-test failed (%s)

crash report crypt failed

crash report crypt failed

) on url:

) on url:

CoInternetParseUrl failed (

CoInternetParseUrl failed (

unsupported

unsupported

Unsupported data type

Unsupported data type

lxp `%s' callback is not a function

lxp `%s' callback is not a function

error closing parser: %s

error closing parser: %s

LuaExpat 1.3.0

LuaExpat 1.3.0

requested feature requires XML_DTD support in Expat

requested feature requires XML_DTD support in Expat

unexpected parser state - please send a bug report

unexpected parser state - please send a bug report

POWRPROF.dll

POWRPROF.dll

CoInternetParseUrl

CoInternetParseUrl

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

VERSION.dll

VERSION.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

zcÁ

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2B7eLP6Ng\M6m7Vl0h\Setup.exe

ntdll.dll

ntdll.dll

kernel32.dll

kernel32.dll

psapi.dll

psapi.dll

ry7reexe?e>7rys

ry7reexe?e>7rys

io.stdout:setvbuf('no')

io.stdout:setvbuf('no')

package.path = ''

package.path = ''

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

package.path=''

package.path=''

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

if r ~= nil then r = ml.tstring(r) end

if r ~= nil then r = ml.tstring(r) end

foundation.encoding

foundation.encoding

foundation._http

foundation._http

foundation.logic

foundation.logic

foundation.misc

foundation.misc

foundation.zip

foundation.zip

join

join

key_exists

key_exists

create_key

create_key

enumerate_subkeys

enumerate_subkeys

enumerate_subkeys_next

enumerate_subkeys_next

enumerate_subkeys_close

enumerate_subkeys_close

delete_key

delete_key

shell_execute_ex

shell_execute_ex

load_exe_resource

load_exe_resource

wininet.dll

wininet.dll

HttpSendRequest() failed

HttpSendRequest() failed

hsb.gy

hsb.gy

QUvE(^&.yf

QUvE(^&.yf

@^2B%sG

@^2B%sG

0%XZj

0%XZj

CG.Wi

CG.Wi

\%xI2j

\%xI2j

.HztL

.HztL

j&?*@%c

j&?*@%c

W.WPzq=

W.WPzq=

|y%sJz\_=E

|y%sJz\_=E

Fxx$a>9.Yc

Fxx$a>9.Yc

.VFIS

.VFIS

CL%-r}A

CL%-r}A

X O%uPAUz

X O%uPAUz

?,?8?[?~?

?,?8?[?~?

5'5-525?5

5'5-525?5

4%4.4;4@4

4%4.4;4@4

3%3S3[3a3l3v3

3%3S3[3a3l3v3

= =$=(=,=

= =$=(=,=

7(7,70747

7(7,70747

8 8$8(8,8084888

8 8$8(8,8084888

? ?$?(?[?

? ?$?(?[?

4#4'4 4/43474

4#4'4 4/43474

1 11

1 11

=#>5>[>~>

=#>5>[>~>

8Å“9

8Å“9

,=0=4=8=

,=0=4=8=

: :$:(:,:0:4:

: :$:(:,:0:4:

4 4@4`4|4

4 4@4`4|4

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

nKERNEL32.DLL

nKERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

IDispatch error #%d

IDispatch error #%d

" --crash_report="

" --crash_report="

crash_report

crash_report

errorUrl

errorUrl

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

3.0.0.105

3.0.0.105

Setup_v3.206.exe

Setup_v3.206.exe