Gen.Variant.Application.Bundler.Jaik.5699_a371cd1d3e

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Setup.exe:392
%original file name%.exe:1972

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:

23f1833664d3b658b5782dd014c9dd98WininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutex

File activity

The process %original file name%.exe:1972 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

Registry activity

The process Setup.exe:392 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 39 59 5E C2 EB D4 E8 10 93 A3 8C 89 18 45 D9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"setup.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS]
"setup.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"setup.exe" = "0"

The process %original file name%.exe:1972 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 3E 46 83 9A 96 CC E4 AD 4C 6F 09 18 AB 0D F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   Setup.exe:392
   %original file name%.exe:1972

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe (5873 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Download Manager, LLC
Product Name: MalwareBytes
Product Version: 3.0.0.73
Legal Copyright: (c) Download Manager, LLC
Legal Trademarks:
Original Filename: malwarebytes.exe
Internal Name: malwarebytes.exe
File Version: 3.0.0.73
File Description: MalwareBytes
Comments:
Language: Language Neutral

Company Name: Download Manager, LLCProduct Name: MalwareBytes Product Version: 3.0.0.73Legal Copyright: (c) Download Manager, LLCLegal Trademarks: Original Filename: malwarebytes.exeInternal Name: malwarebytes.exeFile Version: 3.0.0.73File Description: MalwareBytes Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	482304	482304	4.71958	149e63c29ec0099730256a183b8a8192
.rdata	487424	139264	139264	4.24437	7215344e9f07d64c89d0d49bd82f18f8
.data	626688	53124	9216	2.8472	54b9106d6a0751971f1712f70e4330c4
.rsrc	679936	170436	170496	5.44521	99762b78b5313795d5633b65967029fb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 14
7110d4223f11285cee1bac3fc4254832
ab5b5fde76ae0ce01e5a356371ecaa40
aa040b3d62dc94777a8f66fbe284722d
54965ec29ab51ff912de20ee306eb641
417046fb1a8695cd97dbb7c50acecfc4
204dc6cae13f40143a0c09caa4fb9ac2
7facd8628e317e9eba49af4acff2975c
8099e58a87d7af8ff17f2329c537da66
41dab257a87128e0d85021292c1e5f06
ab3fea929e598e33187ce5c734913bdb
5b9a3fc8049384e760541c830919a748
32ad4003622f045ec4749b2db9ab1209
549854fa805525b65136fad66c11d074
389dfd9a5f54de94beba8a6ab57c9b44

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1972:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

PSSSSSSh

PSSSSSSh

>.YYu

>.YYu

VWj%S

VWj%S

?%u/F

?%u/F

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

&&&&6666????

&&&&6666????

""""****

""""****

2222::::

2222::::

$$$$\\\\

$$$$\\\\

00006666

00006666

####====

####====

function

function

function '%s'

function '%s'

(...tail calls...)

(...tail calls...)

%s:%d:

%s:%d:

%s: %s

%s: %s

stack overflow (%s)

stack overflow (%s)

cannot %s %s: %s

cannot %s %s: %s

%s: %p

%s: %p

name conflict for module '%s'

name conflict for module '%s'

PANIC: unprotected error in call to Lua API (%s)

PANIC: unprotected error in call to Lua API (%s)

version mismatch: app. needs %f, Lua core provides %f

version mismatch: app. needs %f, Lua core provides %f

bad argument #%d to '%s' (%s)

bad argument #%d to '%s' (%s)

calling '%s' on bad self (%s)

calling '%s' on bad self (%s)

bad argument #%d (%s)

bad argument #%d (%s)

%s expected, got %s

%s expected, got %s

@invalid option '%s'

@invalid option '%s'

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

%s:%d: %s

%s:%d: %s

attempt to %s %s '%s' (a %s value)

attempt to %s %s '%s' (a %s value)

attempt to %s a %s value

attempt to %s a %s value

attempt to compare %s with %s

attempt to compare %s with %s

attempt to compare two %s values

attempt to compare two %s values

invalid option '%%%c' to 'lua_pushfstring'

invalid option '%%%c' to 'lua_pushfstring'

attempt to load a %s chunk (mode is '%s')

attempt to load a %s chunk (mode is '%s')

error in __gc metamethod (%s)

error in __gc metamethod (%s)

Ainvalid key to 'next'

Ainvalid key to 'next'

upvaluejoin

upvaluejoin

_HKEY

_HKEY

invalid capture index %%%d

invalid capture index %%%d

missing '[' after '%%f' in pattern

missing '[' after '%%f' in pattern

^$* ?.([%-

^$* ?.([%-

invalid use of '%c' in replacement string

invalid use of '%c' in replacement string

invalid replacement value (a %s)

invalid replacement value (a %s)

\d

\d

invalid option '%%%c' to 'format'

invalid option '%%%c' to 'format'

@field '%s' missing in date table

@field '%s' missing in date table

invalid conversion specifier '%%%s'

invalid conversion specifier '%%%s'

cannot open file '%s' (%s)

cannot open file '%s' (%s)

standard %s file is closed

standard %s file is closed

invalid value (%s) at index %d in table for 'concat'

invalid value (%s) at index %d in table for 'concat'

system error %d

system error %d

no file '%s'

no file '%s'

'package.%s' must be a string

'package.%s' must be a string

error loading module '%s' from file '%s':

error loading module '%s' from file '%s':

luaopen_%s

luaopen_%s

no module '%s' in file '%s'

no module '%s' in file '%s'

no field package.preload['%s']

no field package.preload['%s']

module '%s' not found:%s

module '%s' not found:%s

'package.searchers' must be a table

'package.searchers' must be a table

!\?.dll;!\loadall.dll;.\?.dll

!\?.dll;!\loadall.dll;.\?.dll

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

too many %s (limit is %d)

too many %s (limit is %d)

char(%d)

char(%d)

%s near %s

%s near %s

%s expected

%s expected

too many %s (limit is %d) in %s

too many %s (limit is %d) in %s

function at line %d

function at line %d

%s expected (to close %s at line %d)

%s expected (to close %s at line %d)

at line %d jumps into the scope of local '%s'

at line %d jumps into the scope of local '%s'

no visible label '%s' for at line %d

no visible label '%s' for at line %d

at line %d not inside a loop

at line %d not inside a loop

label '%s' already defined on line %d

label '%s' already defined on line %d

%s: %s precompiled chunk

%s: %s precompiled chunk

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

cmd.exe

cmd.exe

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

?#%X.y

?#%X.y

%S#[k

%S#[k

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

operator

operator

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

bit library self-test failed (%s)

bit library self-test failed (%s)

crash report crypt failed

crash report crypt failed

) on url:

) on url:

CoInternetParseUrl failed (

CoInternetParseUrl failed (

unsupported

unsupported

Unsupported data type

Unsupported data type

POWRPROF.dll

POWRPROF.dll

CoInternetParseUrl

CoInternetParseUrl

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

VERSION.dll

VERSION.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

zcÁ

zcÁ

.?AVlast_error_t@stl@http@@

.?AVlast_error_t@stl@http@@

c:\%original file name%.exe

c:\%original file name%.exe

io.stdout:setvbuf('no')

io.stdout:setvbuf('no')

package.path = ''

package.path = ''

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

package.path=''

package.path=''

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

if r ~= nil then r = ml.tstring(r) end

if r ~= nil then r = ml.tstring(r) end

foundation.encoding

foundation.encoding

foundation._http

foundation._http

foundation.logic

foundation.logic

foundation.misc

foundation.misc

foundation.zip

foundation.zip

join

join

key_exists

key_exists

create_key

create_key

enumerate_subkeys

enumerate_subkeys

enumerate_subkeys_next

enumerate_subkeys_next

enumerate_subkeys_close

enumerate_subkeys_close

shell_execute_ex

shell_execute_ex

load_exe_resource

load_exe_resource

y.XDMo

y.XDMo

.Pg213

.Pg213

.FS5A

.FS5A

"

"

%0So?r

%0So?r

}.Zmy

}.Zmy

.tY]Z

.tY]Z

yw%sN

yw%sN

.iK=

.iK=

F%xudn3

F%xudn3

nTcP^)

nTcP^)

S"CMD

S"CMD

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

nKERNEL32.DLL

nKERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

IDispatch error #%d

IDispatch error #%d

" --crash_report="

" --crash_report="

crash_report

crash_report

errorUrl

errorUrl

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

3.0.0.73

3.0.0.73

malwarebytes.exe

malwarebytes.exe

Setup.exe_392:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

PSSSSSSh

PSSSSSSh

>.YYu

>.YYu

VWj%S

VWj%S

?%u/F

?%u/F

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

&&&&6666????

&&&&6666????

""""****

""""****

2222::::

2222::::

$$$$\\\\

$$$$\\\\

00006666

00006666

####====

####====

function

function

function '%s'

function '%s'

(...tail calls...)

(...tail calls...)

%s:%d:

%s:%d:

%s: %s

%s: %s

stack overflow (%s)

stack overflow (%s)

cannot %s %s: %s

cannot %s %s: %s

%s: %p

%s: %p

name conflict for module '%s'

name conflict for module '%s'

PANIC: unprotected error in call to Lua API (%s)

PANIC: unprotected error in call to Lua API (%s)

version mismatch: app. needs %f, Lua core provides %f

version mismatch: app. needs %f, Lua core provides %f

bad argument #%d to '%s' (%s)

bad argument #%d to '%s' (%s)

calling '%s' on bad self (%s)

calling '%s' on bad self (%s)

bad argument #%d (%s)

bad argument #%d (%s)

%s expected, got %s

%s expected, got %s

@invalid option '%s'

@invalid option '%s'

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

%s:%d: %s

%s:%d: %s

attempt to %s %s '%s' (a %s value)

attempt to %s %s '%s' (a %s value)

attempt to %s a %s value

attempt to %s a %s value

attempt to compare %s with %s

attempt to compare %s with %s

attempt to compare two %s values

attempt to compare two %s values

invalid option '%%%c' to 'lua_pushfstring'

invalid option '%%%c' to 'lua_pushfstring'

attempt to load a %s chunk (mode is '%s')

attempt to load a %s chunk (mode is '%s')

error in __gc metamethod (%s)

error in __gc metamethod (%s)

Ainvalid key to 'next'

Ainvalid key to 'next'

upvaluejoin

upvaluejoin

_HKEY

_HKEY

invalid capture index %%%d

invalid capture index %%%d

missing '[' after '%%f' in pattern

missing '[' after '%%f' in pattern

^$* ?.([%-

^$* ?.([%-

invalid use of '%c' in replacement string

invalid use of '%c' in replacement string

invalid replacement value (a %s)

invalid replacement value (a %s)

\d

\d

invalid option '%%%c' to 'format'

invalid option '%%%c' to 'format'

@field '%s' missing in date table

@field '%s' missing in date table

invalid conversion specifier '%%%s'

invalid conversion specifier '%%%s'

cannot open file '%s' (%s)

cannot open file '%s' (%s)

standard %s file is closed

standard %s file is closed

invalid value (%s) at index %d in table for 'concat'

invalid value (%s) at index %d in table for 'concat'

system error %d

system error %d

no file '%s'

no file '%s'

'package.%s' must be a string

'package.%s' must be a string

error loading module '%s' from file '%s':

error loading module '%s' from file '%s':

luaopen_%s

luaopen_%s

no module '%s' in file '%s'

no module '%s' in file '%s'

no field package.preload['%s']

no field package.preload['%s']

module '%s' not found:%s

module '%s' not found:%s

'package.searchers' must be a table

'package.searchers' must be a table

!\?.dll;!\loadall.dll;.\?.dll

!\?.dll;!\loadall.dll;.\?.dll

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

too many %s (limit is %d)

too many %s (limit is %d)

char(%d)

char(%d)

%s near %s

%s near %s

%s expected

%s expected

too many %s (limit is %d) in %s

too many %s (limit is %d) in %s

function at line %d

function at line %d

%s expected (to close %s at line %d)

%s expected (to close %s at line %d)

at line %d jumps into the scope of local '%s'

at line %d jumps into the scope of local '%s'

no visible label '%s' for at line %d

no visible label '%s' for at line %d

at line %d not inside a loop

at line %d not inside a loop

label '%s' already defined on line %d

label '%s' already defined on line %d

%s: %s precompiled chunk

%s: %s precompiled chunk

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

cmd.exe

cmd.exe

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

?#%X.y

?#%X.y

%S#[k

%S#[k

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

operator

operator

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

bit library self-test failed (%s)

bit library self-test failed (%s)

crash report crypt failed

crash report crypt failed

) on url:

) on url:

CoInternetParseUrl failed (

CoInternetParseUrl failed (

unsupported

unsupported

Unsupported data type

Unsupported data type

POWRPROF.dll

POWRPROF.dll

CoInternetParseUrl

CoInternetParseUrl

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

VERSION.dll

VERSION.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

zcÁ

zcÁ

.?AVlast_error_t@stl@http@@

.?AVlast_error_t@stl@http@@

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe

io.stdout:setvbuf('no')

io.stdout:setvbuf('no')

package.path = ''

package.path = ''

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

package.path=''

package.path=''

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

if r ~= nil then r = ml.tstring(r) end

if r ~= nil then r = ml.tstring(r) end

foundation.encoding

foundation.encoding

foundation._http

foundation._http

foundation.logic

foundation.logic

foundation.misc

foundation.misc

foundation.zip

foundation.zip

join

join

key_exists

key_exists

create_key

create_key

enumerate_subkeys

enumerate_subkeys

enumerate_subkeys_next

enumerate_subkeys_next

enumerate_subkeys_close

enumerate_subkeys_close

shell_execute_ex

shell_execute_ex

load_exe_resource

load_exe_resource

y.XDMo

y.XDMo

.Pg213

.Pg213

.FS5A

.FS5A

"

"

%0So?r

%0So?r

}.Zmy

}.Zmy

.tY]Z

.tY]Z

yw%sN

yw%sN

.iK=

.iK=

F%xudn3

F%xudn3

nTcP^)

nTcP^)

S"CMD

S"CMD

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

nKERNEL32.DLL

nKERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

IDispatch error #%d

IDispatch error #%d

" --crash_report="

" --crash_report="

crash_report

crash_report

errorUrl

errorUrl

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

3.0.0.73

3.0.0.73

malwarebytes.exe

malwarebytes.exe

%original file name%.exe_1644:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

PSSSSSSh

PSSSSSSh

>.YYu

>.YYu

VWj%S

VWj%S

?%u/F

?%u/F

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

&&&&6666????

&&&&6666????

""""****

""""****

2222::::

2222::::

$$$$\\\\

$$$$\\\\

00006666

00006666

####====

####====

function

function

function '%s'

function '%s'

(...tail calls...)

(...tail calls...)

%s:%d:

%s:%d:

%s: %s

%s: %s

stack overflow (%s)

stack overflow (%s)

cannot %s %s: %s

cannot %s %s: %s

%s: %p

%s: %p

name conflict for module '%s'

name conflict for module '%s'

PANIC: unprotected error in call to Lua API (%s)

PANIC: unprotected error in call to Lua API (%s)

version mismatch: app. needs %f, Lua core provides %f

version mismatch: app. needs %f, Lua core provides %f

bad argument #%d to '%s' (%s)

bad argument #%d to '%s' (%s)

calling '%s' on bad self (%s)

calling '%s' on bad self (%s)

bad argument #%d (%s)

bad argument #%d (%s)

%s expected, got %s

%s expected, got %s

@invalid option '%s'

@invalid option '%s'

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

%s:%d: %s

%s:%d: %s

attempt to %s %s '%s' (a %s value)

attempt to %s %s '%s' (a %s value)

attempt to %s a %s value

attempt to %s a %s value

attempt to compare %s with %s

attempt to compare %s with %s

attempt to compare two %s values

attempt to compare two %s values

invalid option '%%%c' to 'lua_pushfstring'

invalid option '%%%c' to 'lua_pushfstring'

attempt to load a %s chunk (mode is '%s')

attempt to load a %s chunk (mode is '%s')

error in __gc metamethod (%s)

error in __gc metamethod (%s)

Ainvalid key to 'next'

Ainvalid key to 'next'

upvaluejoin

upvaluejoin

_HKEY

_HKEY

invalid capture index %%%d

invalid capture index %%%d

missing '[' after '%%f' in pattern

missing '[' after '%%f' in pattern

^$* ?.([%-

^$* ?.([%-

invalid use of '%c' in replacement string

invalid use of '%c' in replacement string

invalid replacement value (a %s)

invalid replacement value (a %s)

\d

\d

invalid option '%%%c' to 'format'

invalid option '%%%c' to 'format'

@field '%s' missing in date table

@field '%s' missing in date table

invalid conversion specifier '%%%s'

invalid conversion specifier '%%%s'

cannot open file '%s' (%s)

cannot open file '%s' (%s)

standard %s file is closed

standard %s file is closed

invalid value (%s) at index %d in table for 'concat'

invalid value (%s) at index %d in table for 'concat'

system error %d

system error %d

no file '%s'

no file '%s'

'package.%s' must be a string

'package.%s' must be a string

error loading module '%s' from file '%s':

error loading module '%s' from file '%s':

luaopen_%s

luaopen_%s

no module '%s' in file '%s'

no module '%s' in file '%s'

no field package.preload['%s']

no field package.preload['%s']

module '%s' not found:%s

module '%s' not found:%s

'package.searchers' must be a table

'package.searchers' must be a table

!\?.dll;!\loadall.dll;.\?.dll

!\?.dll;!\loadall.dll;.\?.dll

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

too many %s (limit is %d)

too many %s (limit is %d)

char(%d)

char(%d)

%s near %s

%s near %s

%s expected

%s expected

too many %s (limit is %d) in %s

too many %s (limit is %d) in %s

function at line %d

function at line %d

%s expected (to close %s at line %d)

%s expected (to close %s at line %d)

at line %d jumps into the scope of local '%s'

at line %d jumps into the scope of local '%s'

no visible label '%s' for at line %d

no visible label '%s' for at line %d

at line %d not inside a loop

at line %d not inside a loop

label '%s' already defined on line %d

label '%s' already defined on line %d

%s: %s precompiled chunk

%s: %s precompiled chunk

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

cmd.exe

cmd.exe

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

?#%X.y

?#%X.y

%S#[k

%S#[k

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

operator

operator

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

bit library self-test failed (%s)

bit library self-test failed (%s)

crash report crypt failed

crash report crypt failed

) on url:

) on url:

CoInternetParseUrl failed (

CoInternetParseUrl failed (

unsupported

unsupported

Unsupported data type

Unsupported data type

POWRPROF.dll

POWRPROF.dll

CoInternetParseUrl

CoInternetParseUrl

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

VERSION.dll

VERSION.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

zcÁ

zcÁ

.?AVlast_error_t@stl@http@@

.?AVlast_error_t@stl@http@@

c:\%original file name%.exe

c:\%original file name%.exe

io.stdout:setvbuf('no')

io.stdout:setvbuf('no')

package.path = ''

package.path = ''

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

package.path=''

package.path=''

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

if r ~= nil then r = ml.tstring(r) end

if r ~= nil then r = ml.tstring(r) end

foundation.encoding

foundation.encoding

foundation._http

foundation._http

foundation.logic

foundation.logic

foundation.misc

foundation.misc

foundation.zip

foundation.zip

join

join

key_exists

key_exists

create_key

create_key

enumerate_subkeys

enumerate_subkeys

enumerate_subkeys_next

enumerate_subkeys_next

enumerate_subkeys_close

enumerate_subkeys_close

shell_execute_ex

shell_execute_ex

load_exe_resource

load_exe_resource

y.XDMo

y.XDMo

.Pg213

.Pg213

.FS5A

.FS5A

"

"

%0So?r

%0So?r

}.Zmy

}.Zmy

.tY]Z

.tY]Z

yw%sN

yw%sN

.iK=

.iK=

F%xudn3

F%xudn3

nTcP^)

nTcP^)

S"CMD

S"CMD

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

nKERNEL32.DLL

nKERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

IDispatch error #%d

IDispatch error #%d

" --crash_report="

" --crash_report="

crash_report

crash_report

errorUrl

errorUrl

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

3.0.0.73

3.0.0.73

malwarebytes.exe

malwarebytes.exe

Setup.exe_640:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

PSSSSSSh

PSSSSSSh

>.YYu

>.YYu

VWj%S

VWj%S

?%u/F

?%u/F

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

&&&&6666????

&&&&6666????

""""****

""""****

2222::::

2222::::

$$$$\\\\

$$$$\\\\

00006666

00006666

####====

####====

function

function

function '%s'

function '%s'

(...tail calls...)

(...tail calls...)

%s:%d:

%s:%d:

%s: %s

%s: %s

stack overflow (%s)

stack overflow (%s)

cannot %s %s: %s

cannot %s %s: %s

%s: %p

%s: %p

name conflict for module '%s'

name conflict for module '%s'

PANIC: unprotected error in call to Lua API (%s)

PANIC: unprotected error in call to Lua API (%s)

version mismatch: app. needs %f, Lua core provides %f

version mismatch: app. needs %f, Lua core provides %f

bad argument #%d to '%s' (%s)

bad argument #%d to '%s' (%s)

calling '%s' on bad self (%s)

calling '%s' on bad self (%s)

bad argument #%d (%s)

bad argument #%d (%s)

%s expected, got %s

%s expected, got %s

@invalid option '%s'

@invalid option '%s'

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

%s:%d: %s

%s:%d: %s

attempt to %s %s '%s' (a %s value)

attempt to %s %s '%s' (a %s value)

attempt to %s a %s value

attempt to %s a %s value

attempt to compare %s with %s

attempt to compare %s with %s

attempt to compare two %s values

attempt to compare two %s values

invalid option '%%%c' to 'lua_pushfstring'

invalid option '%%%c' to 'lua_pushfstring'

attempt to load a %s chunk (mode is '%s')

attempt to load a %s chunk (mode is '%s')

error in __gc metamethod (%s)

error in __gc metamethod (%s)

Ainvalid key to 'next'

Ainvalid key to 'next'

upvaluejoin

upvaluejoin

_HKEY

_HKEY

invalid capture index %%%d

invalid capture index %%%d

missing '[' after '%%f' in pattern

missing '[' after '%%f' in pattern

^$* ?.([%-

^$* ?.([%-

invalid use of '%c' in replacement string

invalid use of '%c' in replacement string

invalid replacement value (a %s)

invalid replacement value (a %s)

\d

\d

invalid option '%%%c' to 'format'

invalid option '%%%c' to 'format'

@field '%s' missing in date table

@field '%s' missing in date table

invalid conversion specifier '%%%s'

invalid conversion specifier '%%%s'

cannot open file '%s' (%s)

cannot open file '%s' (%s)

standard %s file is closed

standard %s file is closed

invalid value (%s) at index %d in table for 'concat'

invalid value (%s) at index %d in table for 'concat'

system error %d

system error %d

no file '%s'

no file '%s'

'package.%s' must be a string

'package.%s' must be a string

error loading module '%s' from file '%s':

error loading module '%s' from file '%s':

luaopen_%s

luaopen_%s

no module '%s' in file '%s'

no module '%s' in file '%s'

no field package.preload['%s']

no field package.preload['%s']

module '%s' not found:%s

module '%s' not found:%s

'package.searchers' must be a table

'package.searchers' must be a table

!\?.dll;!\loadall.dll;.\?.dll

!\?.dll;!\loadall.dll;.\?.dll

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua

too many %s (limit is %d)

too many %s (limit is %d)

char(%d)

char(%d)

%s near %s

%s near %s

%s expected

%s expected

too many %s (limit is %d) in %s

too many %s (limit is %d) in %s

function at line %d

function at line %d

%s expected (to close %s at line %d)

%s expected (to close %s at line %d)

at line %d jumps into the scope of local '%s'

at line %d jumps into the scope of local '%s'

no visible label '%s' for at line %d

no visible label '%s' for at line %d

at line %d not inside a loop

at line %d not inside a loop

label '%s' already defined on line %d

label '%s' already defined on line %d

%s: %s precompiled chunk

%s: %s precompiled chunk

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

cmd.exe

cmd.exe

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

?#%X.y

?#%X.y

%S#[k

%S#[k

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

operator

operator

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

bit library self-test failed (%s)

bit library self-test failed (%s)

crash report crypt failed

crash report crypt failed

) on url:

) on url:

CoInternetParseUrl failed (

CoInternetParseUrl failed (

unsupported

unsupported

Unsupported data type

Unsupported data type

POWRPROF.dll

POWRPROF.dll

CoInternetParseUrl

CoInternetParseUrl

URLDownloadToFileW

URLDownloadToFileW

urlmon.dll

urlmon.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

dbghelp.dll

dbghelp.dll

VERSION.dll

VERSION.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

SHDeleteKeyW

SHDeleteKeyW

SHLWAPI.dll

SHLWAPI.dll

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlW

InternetCrackUrlW

HttpSendRequestW

HttpSendRequestW

HttpAddRequestHeadersW

HttpAddRequestHeadersW

HttpOpenRequestW

HttpOpenRequestW

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

GetProcessHeap

GetProcessHeap

zcÁ

zcÁ

.?AVlast_error_t@stl@http@@

.?AVlast_error_t@stl@http@@

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2QU3nBENE\abPp62aH\Setup.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2QU3nBENE\abPp62aH\Setup.exe

io.stdout:setvbuf('no')

io.stdout:setvbuf('no')

package.path = ''

package.path = ''

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)

package.path=''

package.path=''

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)

if r ~= nil then r = ml.tstring(r) end

if r ~= nil then r = ml.tstring(r) end

foundation.encoding

foundation.encoding

foundation._http

foundation._http

foundation.logic

foundation.logic

foundation.misc

foundation.misc

foundation.zip

foundation.zip

join

join

key_exists

key_exists

create_key

create_key

enumerate_subkeys

enumerate_subkeys

enumerate_subkeys_next

enumerate_subkeys_next

enumerate_subkeys_close

enumerate_subkeys_close

shell_execute_ex

shell_execute_ex

load_exe_resource

load_exe_resource

y.XDMo

y.XDMo

.Pg213

.Pg213

.FS5A

.FS5A

"

"

%0So?r

%0So?r

}.Zmy

}.Zmy

.tY]Z

.tY]Z

yw%sN

yw%sN

.iK=

.iK=

F%xudn3

F%xudn3

nTcP^)

nTcP^)

S"CMD

S"CMD

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

nKERNEL32.DLL

nKERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

IDispatch error #%d

IDispatch error #%d

" --crash_report="

" --crash_report="

crash_report

crash_report

errorUrl

errorUrl

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

3.0.0.73

3.0.0.73

malwarebytes.exe

malwarebytes.exe