Skip to main content

Trojan.GenericKD.1805991_ba33176a7d


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1805991 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, Worm.Win32.AutoIt.FD, InstallerInnoSetup.YR, WormAutoItGen.YR, GenericInjector.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, Installer

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ba33176a7d522fb81c6ccddd20324e37

SHA1: 2526cb40b7b8f2b46c1dad705cc4c31a5743aae7

SHA256: 4a88d021c3192d5c44eb6f293a36532d11ee1949c98ccb638e86370afb8c37c0

SSDeep: 196608:yeAgAP9iNLg 6Ge0KsytYZWSiehbnDQPUFOonyg9:yeen 6fs5fbIPR

Size: 8484352 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-10-14 08:50:27

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

NETFXRepair.1024.exe:2144
NETFXRepair.1024.exe:820
%original file name%.exe:472
WINDOW~1.EXE:1720
autoit.exe:820
autoit.exe:1080

The Trojan injects its code into the following process(es):

is-OL16T.tmp:1860
autoit.exe:456
Explorer.EXE:1284

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process NETFXRepair.1024.exe:820 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sFile.ico (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sFile (0 bytes)

The process is-OL16T.tmp:1860 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_RegDLL.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_shfoldr.dll (23 bytes)

The process %original file name%.exe:472 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\WINDOW~1.EXE (120354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\autoit.exe (19715 bytes)

The process WINDOW~1.EXE:1720 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-3SLEL.tmp\is-OL16T.tmp (3736 bytes)

The process autoit.exe:820 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sFile.ico (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sFile (0 bytes)

The process autoit.exe:456 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\cglogs.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (9224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (32 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)

The process autoit.exe:1080 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes)

Registry activity

The process NETFXRepair.1024.exe:2144 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 A2 EF 43 7D 49 9A 06 4C 3F 9D 37 88 09 B3 9B"

The process NETFXRepair.1024.exe:820 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 67 06 A1 3D 97 E4 8B AB B0 14 20 EC 27 08 89"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process is-OL16T.tmp:1860 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 8D 65 4F 8F F1 E5 DD 93 96 0C A1 C9 9A E3 2A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:472 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 6F AF 9E E8 81 26 8A 4A D1 E3 EF E5 FF 2F F7"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process WINDOW~1.EXE:1720 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B6 F5 6A A5 23 46 EB F0 87 C5 5C F5 6F 01 04"

The process autoit.exe:820 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 9E 2A 1D C4 D0 3D FF CE 87 81 D3 44 80 35 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process autoit.exe:456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 87 BC 4B A6 7D A5 C4 9A AB 7E E4 43 C4 02 D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\NetFramework\Microsoft.NET]
"NETFXRepair.1024.exe" = "NETFXRepair.1024"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\autoit]
"FirstExecution" = "08/11/2014 -- 10:15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\autoit]
"NewIdentification" = "autoit"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process autoit.exe:1080 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 80 4C 4E 9B A4 E0 0B 34 E6 4C 5C 13 72 AF B6"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeReader" = "c:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe"

Dropped PE files

MD5 File path
9a3d6b40beb9817d8b0f1d9a51696e19c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\WINDOW~1.EXE
0ce6f027fed95fe1445ed82460c969c5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\autoit.exe
b683339ce008e97a0243a0f83bca1e09c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-3SLEL.tmp\is-OL16T.tmp
bb211d7a8cea15072de7425403508c17c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-D8A11.tmp\_isetup\_RegDLL.tmp
92dc6ef532fbb4a5c3201469a5b5eb63c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-D8A11.tmp\_isetup\_shfoldr.dll
0ce6f027fed95fe1445ed82460c969c5c:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    NETFXRepair.1024.exe:2144
    NETFXRepair.1024.exe:820
    %original file name%.exe:472
    WINDOW~1.EXE:1720
    autoit.exe:820
    autoit.exe:1080

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\sFile.ico (428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_RegDLL.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\WINDOW~1.EXE (120354 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\autoit.exe (19715 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-3SLEL.tmp\is-OL16T.tmp (3736 bytes)
    %Documents and Settings%\%current user%\Application Data\cglogs.dat (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (9224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (32 bytes)
    C:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe (7971 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "AdobeReader" = "c:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe"

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16428
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

Company Name: Microsoft CorporationProduct Name: Internet ExplorerProduct Version: 11.00.9600.16428Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE .MUIInternal Name: Wextract File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409626060261124.42567e9bf1a1e456a9a811b1b86e6602e3636
.data32768679610242.20139317f8a934ee443eee01c2a315bde9ca1
.idata40960421646083.49941d8675ba112ef922c6057a02546757a1a
.rsrc49152845004884464645.54392603ae81d01dc622358705bb2b3785a64
.reloc8499200503851202.5804383de2f9b2c95be6fea06bced7e8a058e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_472:

.text

.text

`.data

`.data

.idata

.idata

@.rsrc

@.rsrc

@.reloc

@.reloc

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

advapi32.dll

advapi32.dll

setupx.dll

setupx.dll

setupapi.dll

setupapi.dll

advpack.dll

advpack.dll

wininit.ini

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

Software\Microsoft\Windows\CurrentVersion\App Paths

ADMQCMD

ADMQCMD

USRQCMD

USRQCMD

FINISHMSG

FINISHMSG

IXPd.TMP

IXPd.TMP

msdownld.tmp

msdownld.tmp

TMP4351$.TMP

TMP4351$.TMP

wextract.pdb

wextract.pdb

PSSSSSSh

PSSSSSSh

SSSh

SSSh

PSSShp

PSSShp

PSShp

PSShp

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

wextract_cleanup%d

Command.com /c %s

Command.com /c %s

rundll32.exe %s,InstallHinfSection %s 128 %s

rundll32.exe %s,InstallHinfSection %s 128 %s

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnce

%s /D:%s

%s /D:%s

PendingFileRenameOperations

PendingFileRenameOperations

SHELL32.DLL

SHELL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyA

RegCloseKey

RegCloseKey

ADVAPI32.dll

ADVAPI32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GDI32.dll

GDI32.dll

ExitWindowsEx

ExitWindowsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

USER32.dll

USER32.dll

_amsg_exit

_amsg_exit

_acmdln

_acmdln

msvcrt.dll

msvcrt.dll

COMCTL32.dll

COMCTL32.dll

Cabinet.dll

Cabinet.dll

VERSION.dll

VERSION.dll

)%u]Q

)%u]Q

Bp.Dx

Bp.Dx

gA`0)%UJ

gA`0)%UJ

WINDOW~1.EXE

WINDOW~1.EXE

autoit.exe

autoit.exe

Y.jcU

Y.jcU

E.Nd~

E.Nd~

@u.gr@

@u.gr@

%S9d8hr;%

%S9d8hr;%

&j.HXz

&j.HXz

%Ä_r

%Ä_r

Ie.pz

Ie.pz

.,\%C

.,\%C

O.kyi

O.kyi

MsGb

MsGb

..Yq!

..Yq!

hc.gY

hc.gY

;%uGx

;%uGx

U0YU%c&

U0YU%c&

.yoVgB

.yoVgB

.frhs

.frhs

.rl*7 S

.rl*7 S

(l%fS

(l%fS

{-c

{-c

1.Qs2S

1.Qs2S

%XVT`

%XVT`

ee_.UBx

ee_.UBx

.Ki_^C4c

.Ki_^C4c

.WK@q1

.WK@q1

.Hy*wJ

.Hy*wJ

.tf`J

.tf`J

fq|l.RCD

fq|l.RCD

.BbXj

.BbXj

n.MI!K4

n.MI!K4

Ý ^

Ý ^

NE%s)

NE%s)

VQ.PdUft

VQ.PdUft

@.Ø

@.Ø

oX\%sh

oX\%sh

oa.izS

oa.izS

d.bgn

d.bgn

@lKLE.zzr

@lKLE.zzr

;7XHb.rq

;7XHb.rq

_%cgA

_%cgA

o:%x`

o:%x`

=8%ug

=8%ug

~.IFq

~.IFq

.Yng}

.Yng}

}.ln6

}.ln6

e[.Pj

e[.Pj

MSGSC

MSGSC

.wGh@kt M

.wGh@kt M

tb.WgNK

tb.WgNK

O,dr.mj

O,dr.mj

-e9}C

-e9}C

F.JOh!

F.JOh!

h.BE~N

h.BE~N

.rgyB

.rgyB

ø(;

ø(;

}I%C$

}I%C$

8%Uci(

8%Uci(

.sKpb

.sKpb

ZFO%x>

ZFO%x>

.xV\K

.xV\K

f.fQi

f.fQi

mxg{%FX[

mxg{%FX[

,t).RN

,t).RN

KkW%C

KkW%C

W.%DW

W.%DW

pe%S5

pe%S5

y%2yJ.xK{'

y%2yJ.xK{'

5r-I}

5r-I}

^.vR.=Vk

^.vR.=Vk

3"`.Dj

3"`.Dj

1Q.UI]

1Q.UI]

`.Jy,

`.Jy,

$%UfJn

$%UfJn

0L6%7S

0L6%7S

=0.TG'

=0.TG'

T.yc6

T.yc6

%Co^x

%Co^x

#KeYP

#KeYP

Rn%dz

Rn%dz

l.DZ>

l.DZ>

%dYhOB

%dYhOB

k.HhG

k.HhG

.WM/;

.WM/;

R-M}'

R-M}'

URl?T

URl?T

EZR%c

EZR%c

C.yTm

C.yTm

k.vNZ

k.vNZ

%Dx/A

%Dx/A

f*9%f

f*9%f

De.qKv

De.qKv

=N.Xo

=N.Xo

d%x,_

d%x,_

J

J

y%d@34

y%d@34

,.nlii

,.nlii

"7l.MN

"7l.MN

Ik %s

Ik %s

.CwJ2h

.CwJ2h

%cl LYR#

%cl LYR#

*~g%d_1e

*~g%d_1e

%uCGh

%uCGh

r%O%u

r%O%u

%s.Hl

%s.Hl

%9Ü0

%9Ü0

Fu%c*

Fu%c*

-[%sQ

-[%sQ

* .oG

* .oG

Ft8.gY

Ft8.gY

Q/.Sn

Q/.Sn

L

L

Qy.Pa

Qy.Pa

d%cJu

d%cJu

fS.PE

fS.PE

Fi2%C`r~i

Fi2%C`r~i

.Jj-H

.Jj-H

!?ð

!?ð

:AÓ=Bp

:AÓ=Bp

.Ion7

.Ion7

^r.pt

^r.pt

j?%dR

j?%dR

%Xf'w

%Xf'w

.FJnp

.FJnp

;h.PQ

;h.PQ

'nd@R%X

'nd@R%X

O.AFe)

O.AFe)

D.lT$X

D.lT$X

A!.HJ%m

A!.HJ%m

"b-%X9

"b-%X9

>%U]f

>%U]f

.vb[*

.vb[*

/.Yu}

/.Yu}

K.SaEar

K.SaEar

\%c\KC

\%c\KC

SAó

SAó

%F

%F

Z.gHJd

Z.gHJd

G?.vI

G?.vI

m`$%s

m`$%s

u'.afS

u'.afS

]$_.gX

]$_.gX

.BHt(7.>

.BHt(7.>

.hvNBw

.hvNBw

1ywI.Up

1ywI.Up

Z.tnq

Z.tnq

.aYF/

.aYF/

wEbe

wEbe

3.HC M

3.HC M

fC6%s

fC6%s

h;nA2G%x

h;nA2G%x

.cM,N

.cM,N

7/.Xn

7/.Xn

.ge/=p

.ge/=p

]I.bl

]I.bl

-s.bJ#

-s.bJ#

.LO&k

.LO&k

:T1%d

:T1%d

I.bVd{

I.bVd{

Bkx %F

Bkx %F

p=.yq.Jj

p=.yq.Jj

h.iB1

h.iB1

hPJ.Ae

hPJ.Ae

|8c g%D

|8c g%D

Z>&.IU~

Z>&.IU~

(!G%d

(!G%d

L|.OZ

L|.OZ

%9xg;

%9xg;

Mk.Lc

Mk.Lc

V&Ë

V&Ë

.Rxnm

.Rxnm

].Lxb

].Lxb

[3bhoS.nT

[3bhoS.nT

bYSSHr

bYSSHr

\v.pA`

\v.pA`

B>wA.vO

B>wA.vO

%s>qW9

%s>qW9

WEbG

WEbG

OkEy

OkEy

Q.zVx

Q.zVx

d%CQ{:

d%CQ{:

gUkn%d

gUkn%d

Ú4nW

Ú4nW

x.MgA

x.MgA

E.vE`

E.vE`

|.UD"

|.UD"

%DX!o

%DX!o

H.xGE

H.xGE

~>QAv96s2%c

~>QAv96s2%c

8e.fV9

8e.fV9

..PUc

..PUc

np3È8

np3È8

Pv.td

Pv.td

*E7^7%UG

*E7^7%UG

LbC%F

LbC%F

wF%U#

wF%U#

WGurl

WGurl

.IY$^

.IY$^

w.oR\

w.oR\

.yp`A

.yp`A

NOw%X

NOw%X

*.AbA

*.AbA

/m.Sb

/m.Sb

A38i_.Wh

A38i_.Wh

-J}{E

-J}{E

9T}%X

9T}%X

.uklMj

.uklMj

[,.vMr

[,.vMr

.RpBI

.RpBI

vTCp

vTCp

VUdPY

VUdPY

k.Cl)ba

k.Cl)ba

`B9%u

`B9%u

z%4%f

z%4%f

R^%saQ

R^%saQ

Hiq.Ai

Hiq.Ai

%fj.evv

%fj.evv

Yd3.OV&

Yd3.OV&

DQ.DH

DQ.DH

_3%Sg

_3%Sg

Q.OPo

Q.OPo

:e2%x

:e2%x

,Ml

,Ml

p".aH

p".aH

:s.IRe

:s.IRe

l".dKlgHF

l".dKlgHF

.Ze8r

.Ze8r

l.id*

l.id*

w=MPI.gcj

w=MPI.gcj

)*.LP

)*.LP

p)_.tTd

p)_.tTd

_.tNt

_.tNt

S.BP{9XZ

S.BP{9XZ

9b.xR

9b.xR

%X]`U;'

%X]`U;'

-(%X7L

-(%X7L

;*%du7

;*%du7

iTj%F

iTj%F

!.ubd,

!.ubd,

0L%ZP%S}

0L%ZP%S}

gN.iK

gN.iK

dZ.Xx

dZ.Xx

.OzTHi

.OzTHi

_[.DQ

_[.DQ

Y4r.pR

Y4r.pR

%UcZp

%UcZp

sl.YN

sl.YN

-i5iR}

-i5iR}

iGd{.Bh

iGd{.Bh

S%s6.J

S%s6.J

.Uj\]

.Uj\]

1%u09

1%u09

@9h%D

@9h%D

!.ZV_h

!.ZV_h

%X@n8

%X@n8

J`SSH

J`SSH

%X:HB@

%X:HB@

}.qzV

}.qzV

%cZTH[

%cZTH[

BEû

BEû

%XLyX

%XLyX

.BtW/_

.BtW/_

bÿ`

bÿ`

,>dö

,>dö

[-y}}

[-y}}

0Ðv

0Ðv

%f?;=

%f?;=

h>b%u

h>b%u

Ok.Gd

Ok.Gd

,h.bv

,h.bv

|.Dj1

|.Dj1

s%x<_>

s%x<_>

4.jS/

4.jS/

3:Ls%x

3:Ls%x

%U"ys

%U"ys

i%U

i%U

E5.ta.

E5.ta.

xL.Pm

xL.Pm

a0.MV

a0.MV

P_u.PhI

P_u.PhI

. .GQ

. .GQ

.eZ1b

.eZ1b

*%.kZ

*%.kZ

MVú

MVú

ÿ8)

ÿ8)

be0.feb

be0.feb

m.iC

m.iC

ij.rx

ij.rx

,>#%s

,>#%s

.KkUn

.KkUn

GxV.Mx

GxV.Mx

0g.Pd

0g.Pd

.zIwrD

.zIwrD

2[.wW

2[.wW

aA#.dv

aA#.dv

zcmD

zcmD

d8À

d8À

,.ug;'l

,.ug;'l

@WEb"

@WEb"

6cH.ka@

6cH.ka@

.cUEy

.cUEy

\d'.NV

\d'.NV

.TmB(

.TmB(

*^A

*^A

.Bt{?v*

.Bt{?v*

z(FM

z(FM

or%ue

or%ue

4/.KZ

4/.KZ

.lbYbH
.lA
]m.ZK
.zFa_
s.TKT
%0u64B
%fy?u
n__%U
 l.vgu
&R.Ji
.dN|\
T5O%0us
b8.Gg;
{.JO1
=`%xMr
a.EMq
>xDo35%s
(.OtPY
A:\:)
%s&@WS
Xy.JZZ
^.GI8j]C
'd.itb
sPh%d
I#.pB
vz89%xzS
d.bW}}
%cH6?8
.KAFZ
SC.kS
HA.rd
'O.ne
Tg.nh
t|GuRl
CwÄ
.OH4G
"`%di(
9.SAc
hdü4
* .pRc
JF.CaB
P.ce `
/W5.bF5
E'e..MC
oj.CM
@Y&%F !
vEa.vI
-S}Qt
 V.vy
.Yz!e
T?V.fV`
KFTP
^.dNC
r)L%d
.JrmY
JP.EQf
*!.sZG
TV|%s
.Sq%Bz
Y&.uV
D"w.VE
.sp,!
!.MF[
J].gm
;w.ZKP
TSði
{AK%F
5.iHww
$.NOa
%Cm
%C-?_
%fi>6O
|.xqN
Y.Kyj
.YiKH
t^Ü
".MK@
k0.ka
QD>.Wq
r.QtU
y.tQO
7o$òN
5%0xx
U/%FhY
 .EH3K
9%Ue4
q".hQC
[9U%FHT
udp?ZZ
h)%UPV
N0.by
]GgÃ…
T.bn`
CMdP
%c!@1
T.eSb
ÃŒOK
.cvZ3.
9%SdR
7 %Dv
.mY=7
7.ea3
Q%FUC
s:\1U
Qt.xQu
(p*%c
>/s%S
.Uc|!dD
%UqK!*Z
C"C.yuR
'^.bq.\
].tTK
.MOuPMf
.Yi3Q~~g
az.LS
uL=<.uq>
1%u"ZB
M%UZlz
.UP0nd
.Ox8h
.Ywhw
rLb%F
 b.Ae
[E.Zp
d.qG]A\}
=M.oZ&
.esHH
ZL%fK,T8u
z.KE4
y.Ui5
Dx %f
DDN.yyD
0%U$C
Rtü
(7q%U
U%6XB
%fV9f
|.KJq
.Wge@
UEq.Ox
].cgyOo
%SRwR
F4?%d
N%6Xy
Rj)%U8
n:\Ei
".OLO
#QF%C(quf
-Fssh
&:.Tl8w
~.Rd_k
.fYfB
*%u ;
>.qbNF
K}[.umJw
H.ru/Q^
fp.CZr
.gN@z
nm.dv
%s#X
.Ix=AhJ
cn
f%Ury
EKft.KR
a1.km
.Jh31
sWLz7.kH
~K÷f
wI%XI
=O.Fq
Wp%dQm
{ .UH
K%CvMj
  4I%d
p?BT%u
6$O.wV>
.Kst2
"
-9f}2
PS](keY.
E%0sz
.iquQFo
n%F
g6[w%8SuZBn
Bb/.zk
9;E.PT
%F?8yCd4
q&.Dc
u5.ih
=ETa%D
.UJu}
\@1L%D
.tNHn
1C%%F
q.uaf
a.zFZ
f}Tcp
!8`%F
%SpId
.qeHd
dq.oH9
%x^t%
?>.vv
*.gn[&b^e
.pJ!g
8Pw.zy
YX-Å“3(c(
%UHm%
D\?.lKSy
.VpIY{
lx(@.tQ
BaT4 .QR
Jx.Ce~
U^.eg
v
m6%S0'W
J;.Mf`
upG.XgM
l_%6U
h.LpNu
Gw.Ie
J%6s$
[B.ji
X.Yrq
Sqlv'k
6g.Vv
AkS.zq
Z.EJr
u%C>:
.9%c~
:^p%f
tlAE*x%X
8p%CX
.Sac-
qb.Yh
*.IL/
v.ylj
.pX!/_
H.ylpo
`nj%d`
TcPu
F"Z.LM%mz
vF.zHu
4Taþ
%FX|B
:.Rhd
Qws.Fj
|.Sv#Z
ÊUm,x
ûoJ
ws.aji
$~QG.AI
[/=uF%du
d%uBxA
't.tu
.SN(s
%S1[;
D.rGj
%Xk&3
%u: 1Wy
g%uBP;
s.PWq3
L3L.eZ"
8.KJKC
vb;-'%C
m8.aaqG
<.oq>
%Dx;\
%U` R
I%U5=(*
s=3%s
d?$.Qe~
d:\9"(m
4Inno Setup Setup Data (5.1.2)
M%FZ"
z.LXUr
x9%f~
\.db#
cg%Fo
.UnEGu
l!%x-v
bH%8xH
.wz[9U
AsQl
bZ1.qghh
szl.Hi
l.tkjY
f.Py!
%dmZn
%coqrg
x%u]z2
.ojRw
.eSY(
.vAQSX@a
M÷:X
@.OuJ
?F%DxD
OL.fVHj/
nlh
Ul5lE
D!.hJDO
%8UTP
`CýkSOe&
q'&%U
.YT0h
5~#9%D
'^
PFtp
.meRMx
_
/.Lh8
m.tEd
%sl I
eo%c@ThJ
Z.mXi
^%usW
;PUSB%S,
TJ_%X
k:9.FV
<.roz>
duRlJ
IW"%d
F(%XWz
\z6%fr
a.WDk
/o j.WW
C%Xdw^
[4.cQ
VÃŽ~
'-.xtv
&.YNf|
oA%FnK
r%s;hM
;%uGb:
%C]?I
.qlUN\
!.dskW"
.hwIP
%c@;1
.pAa(*
.JJ{a`
`.zDr
%CkCy
*e]
&0%sXZ
m[v%F
w.JO9P
*N
=%Cv"I
~>o
a%uK`k
BX.Vg
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.SError en la obtenci
n de espacio en: %s.
Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#
n del sistema operativo./Error en la solicitud de asignaci
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalaci
n.XLa carpeta no es v
rese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.
!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
n de carpeta.ENo se pueden cargar las funciones requeridas por el di
logo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de di
n del proceso . Causa: %s5El tama
ster en este sistema no es soportado.3Uno de los recursos necesarios parece estar da
ado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaci
Error al cargar %s]Error de GetProcAddress() en funci
n "%s". Causa posible: versi
n incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"
Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
n de la carpeta de Windows
)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.
n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB da
ado.wEl programa de instalaci
n del volumen para la unidad (%s) .
Mensaje del sistema: %s.
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e int
ntelo de nuevo.hEl programa de instalaci
/C: -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
/C: -- Sobrescribir el comando de instalaci
[Otra copia del paquete "%s" ya est
Desea ejecutar otra copia?$No se pudo encontrar el archivo: %s.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
 No existe la carpeta "%s".
Desea crearla?lOtra copia del paquete "%s" ya est
ndose en su sistema. Solo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versi
n de Windows que est
ejecutando.^El paquete "%s" no es compatible con la versi
n del archivo %s que se encuentra en su sistema.
11.00.9600.16428 (winblue_gdr.131013-1700)
WEXTRACT.EXE .MUI
11.00.9600.16428
WINDOW~1.EXE_1720:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzma: Compressed data is corrupted (%d)
LzmaDecoderInit failed (%d)
LzmaDecode failed (%d)
shell32.dll
/SL4 $%x "
" %d %d
Inno Setup Setup Data (5.1.2)
Inno Setup Messages (5.1.0)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
This installation was built with Inno Setup: hXXp://VVV.innosetup.com
WindowsDoctor International LLC
Windows Doctor 2.7.8 Setup
is-OL16T.tmp_1860:
.idata
.rdata
P.reloc
P.rsrc
%s_%d
EInvalidOperation
TKeyEvent
TKeyPressEvent
crSQLWait
t.HtR
EInvalidGraphicOperation
TWindowState
poProportional
KeyPreview|
WindowState
OnKeyDownl,A
OnKeyPress0,A
OnKeyUp
CTL3D32.DLL
PasswordCharl
ssHorizontal
kernel32.dll
RegDeleteKeyExA
advapi32.dll
.DEFAULT\Control Panel\International
user32.dll
TPSExec
TPSRuntimeClassImporter
TPSExportedVar
Cannot Import
Interface not supported
Uh.WC
Uh.jD
TPSCustomDebugExec
TPSDebugExec
uxtheme.dll
oleacc.dll
RICHED20.DLL
RICHED32.DLL
File I/O error %d
Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.
shell32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
WININIT.INI
t.Htb
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
RegCreateKeyEx
RegOpenKeyEx
sfc.dll
cmd.exe" /C "
COMMAND.COM" /C
PendingFileRenameOperations
PendingFileRenameOperations2
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
OLEAUT32.DLL
%s Log %s #%.3u.txt
_isetup\_RegDLL.tmp
_RegDLL.tmp %u %u
MsgWaitForMultipleObjects
REGDLL failed with exit code 0x%x
REGDLL mutex wait failed (%d, %d)
REGDLL returned unknown result code %d
HELPER_EXE_AMD64
HELPER_EXE_IA64
Cannot utilize 64-bit features on this version of Windows
64-bit helper EXE wasn't extracted
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
CreateNamedPipe
SetNamedPipeHandleState
helper %d 0x%x
Helper process PID: %u
Stopping 64-bit helper process. (PID: %u)
Helper process exited with failure code: 0x%x
TransactNamedPipe
TransactNamedPipe/GetOverlappedResult
Helper: Command did not execute
MoveFileEx failed (%d).
Deleting directory: %s
Failed to delete directory (%d). Will retry later.
Failed to delete directory (%d). Will delete on restart (if empty).
Failed to delete directory (%d).
Deleting file: %s
Failed to delete the file; it may be in use (%d).
The file appears to be in use (%d). Will delete on restart.
Decrementing shared count (%d-bit): %s
Unregistering 64-bit DLL/OCX: %s
Unregistering 32-bit DLL/OCX: %s
Not unregistering DLL/OCX again: %s
Unregistering 64-bit type library: %s
Unregistering 32-bit type library: %s
Running Exec filename:
Running Exec parameters:
CreateProcess failed (%d).
Running ShellExec filename:
Running ShellExec parameters:
ShellExecuteEx failed (%d).
Skipping RunOnceId "%s" filename: %s
Unregistering font: %s
zlib: Internal error. Code %d
1.2.1
bzlib: Internal error. Code %d
lzma: Compressed data is corrupted (%d)
LzmaDecoderInit failed (%d)
LzmaDecode failed (%d)
TPasswordEdit
TPasswordEdit8
PasswordEdit(
Passwordl
c:\directory
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
PasswordPage
PasswordLabel
PasswordEdit
PasswordEditLabel
Could not find page with ID %d
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s\%s_is1
CheckPassword
/:*?"|
\/:*?"|
%s-%d.bin
%s-%d%s.bin
..\DISK%d\
Asking user for new disk containing "%s".
Cannot read an encrypted file before the key has been set
LoggedMsgBox returned an unexpected value. Assuming Abort.
Software\Microsoft\Windows\CurrentVersion\Uninstall\
5.1.6
URLInfoAbout
URLUpdateInfo
Creating directory: %s
Setting permissions on directory: %s
IMsg
Failed to set value in Fonts registry key.
Failed to open Fonts registry key.
Setting permissions on file: %s
Dest filename: %s
Dest file is protected by Windows File Protection.
Time stamp of our file: %s
Time stamp of existing file: %s
Version of our file: %u.%u.%u.%u
Version of existing file: %u.%u.%u.%u
Existing file is protected by Windows File Protection. Skipping.
The existing file appears to be in use (%d). Will replace on restart.
The existing file appears to be in use (%d). Retrying.
Registering file as a font ("%s")
Cannot install files to 64-bit locations on this version of Windows
Filename: %s
target.lnk
Desktop.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\
Setting permissions on registry key: %s\%s
Failed to set permissions on registry key.
Cannot access 64-bit registry keys on this version of Windows
Software\Microsoft\Windows\CurrentVersion\RunOnce
Registering 64-bit DLL/OCX: %s
Registering 32-bit DLL/OCX: %s
Registering 64-bit type library: %s
Registering 32-bit type library: %s
Directory for uninstall files: %s
LoggedMsgBox returned an unexpected value. Assuming Cancel.
Fatal exception during installation process (%s):
ExtractTemporaryFile: The file "%s" was not found
Invalid symbol '%s' found
Invalid token '%s' found
FormKeyDown
PasswordCheckHash
Expression error '%s'
Password
Cannot evaluate "%s" constant during Uninstall
Cannot access a 64-bit key in a "reg" constant on this version of Windows
Unknown custom message name "%s" in "cm" constant
srcexe
Cannot expand "pf64" constant on this version of Windows
Cannot expand "cf64" constant on this version of Windows
uninstallexe
Failed to expand shell folder constant "%s"
Unknown constant "%s"
Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
cmd.exe
COMMAND.COM
\_RegDLL.tmp
REGDLL_EXE
\_setup64.tmp
_isetup\_shfoldr.dll
Failed to get version numbers of _shfoldr.dll
shfolder.dll
Failed to load DLL "%s"
Found pending rename or delete that matches one of our files: %s
Windows version: %u.%.2u.%u%s (NT platform: %s)
64-bit Windows: %s
Processor architecture: %s
Defaulting to %s for suppressed message box (%s):
Message box (%s):
User chose %s.
MsgBox failed.
64-bit install mode: %s
%d.%.*d
_isetup\_isdecmp.dll
_isetup\_iscrypt.dll
/Password=
/SuppressMsgBoxes
/DETACHEDMSG
Setup version: Inno Setup version 5.1.6
Original Setup EXE:
-0.bin
Windows NT
Windows
Not restarting Windows because Setup is being run from the debugger.
Restarting Windows.
Inno Setup version 5.1.6
Portions Copyright (C) 2000-2005 Martijn Laan
hXXp://VVV.innosetup.com/
hXXp://VVV.remobjects.com/?ps
Type: Exec
Type: ShellExec
Process exit code: %u
ShellExecuteEx
Need to restart Windows? %s
Will not restart Windows automatically.
System\CurrentControlSet\Control\Windows
TOutputMsgWizardPage
TOutputMsgMemoWizardPage
TOutputMsgMemoWizardPage
PASSWORDLABEL
PASSWORDEDIT
PASSWORDEDITLABEL
MsgLabel
Msg1Label
Msg2Label
function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;
function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption, AMsg: String): TOutputMsgMemoWizardPage;
function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;
function GetIniString(const Section, Key, Default, Filename: String): String;
function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;
function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;
function IniKeyExists(const Section, Key, Filename: String): Boolean;
function SetIniString(const Section, Key, Value, Filename: String): Boolean;
function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;
function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;
procedure DeleteIniEntry(const Section, Key, Filename: String);
function GetCmdTail: String;
function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;
function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;
function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;
function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;
function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;
function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;
function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;
function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;
function CheckForMutexes(Mutexes: String): Boolean;
function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;
function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;
function MakePendingFileRenameOperationsChecksum: String;
function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;
function ExitSetupMsgBox: Boolean;
function GetWindowsVersion: Cardinal;
procedure GetWindowsVersionEx(var Version: TWindowsVersion);
function GetWindowsVersionString: String;
function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;
function CustomMessage(const MsgName: String): String;
function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;
function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;
function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;
function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;
procedure RaiseException(const Msg: String);
function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;
Cannot call "%s" function during Setup
Cannot call "%s" function during Uninstall
CREATEOUTPUTMSGPAGE
CREATEOUTPUTMSGMEMOPAGE
MSGBOX
Invalid RootKey value
INIKEYEXISTS
GETCMDTAIL
REGKEYEXISTS
REGDELETEKEYINCLUDINGSUBKEYS
REGDELETEKEYIFEMPTY
REGGETSUBKEYNAMES
CHECKFORMUTEXES
SHELLEXEC
MAKEPENDINGFILERENAMEOPERATIONSCHECKSUM
Unknown custom message name "%s"
EXITSETUPMSGBOX
GETWINDOWSVERSION
GETWINDOWSVERSIONSTRING
%u.%.2u.%u
SUPPRESSIBLEMSGBOX
%u.%u.%u.%u
Uh.mH
GetWindowsVersionEx
Runtime Error (at %d:%d):
Exception "%s" at address %p
TScriptRunner.SetPSExecParameters: Invalid type
TScriptRunner.LoadScript failed
Remove shared file %s? User chose %s%s
/SECONDPHASE="%s" /FIRSTPHASEWND=$%x
Original Uninstall EXE:
Detached uninstall MSG:
Install was done in 64-bit mode but not running 64-bit Windows now
Removed all? %s
Not restarting Windows because Uninstall is being run from the debugger.
IMsgt/
isRS-???.tmp
isRS-%.3u.tmp
DisableProcessWindowsGhosting
FTPF0P
0123456789abcdefInno Setup Setup Data (5.1.2)
Inno Setup Messages (5.1.0)
oleaut32.dll
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
GetWindowsDirectoryA
CreateNamedPipeA
mpr.dll
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
comctl32.dll
ole32.dll
ShellExecuteExA
ShellExecuteA
comdlg32.dll
.text
`.rdata
@.data
.pdata
SHLWAPI.dll
SetProcessShutdownParameters
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
@.pdata
@.srdata
@.sdata
.data
`.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
shlwapi.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
RegKey
GetWindowsDirectoryW
RegOpenKeyA
SHFOLDER.dll
dll\shfolder.dbg
Font.Color
Font.Height
Font.Name
Font.Style
OnKeyDown
PasswordEditLabel
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Stream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instance
Class %s not found
Resource %s not found!Resource %s is of incorrect class
List index out of bounds Operation not allowed on sorted string list%String list does not allow duplicates
Tab index out of bounds#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists#''%s'' is not a valid integer value
Error reading %s.%s: %s
Ancestor for '%s' not found
Bitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per application
Could not load CARDS.DLL
Duplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Grid too large for operation Too many rows or columns deleted
%s on line %d
''%s'' expected
%s expected
Invalid input value7Invalid input value. Use escape key to abandon changes
Value must be between %d and %d
''%s'' is not a valid date
''%s'' is not a valid time#''%s'' is not a valid date and time
Invalid file name - %s
All files (*.*)|*.*
&Files: (*.*)
Invalid clipboard format Clipboard does not support Icons
Custom Colors Operation not supported on selected printer.There is no default printer currently selected
Unable to write to %s
Invalid data type for '%s'
Failed to create key %s
Failed to set data for '%s'
Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)
/Menu '%s' is already being used by another form
Failed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %s
Hot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
n%USERPROFILE%
r%SYSTEMROOT%
5.50.4807.2300
Microsoft(R) Windows (R) 2000 Operating System
Datos de programa%Configuraci
51.42.0.0
Copyright (C) 1997-2005 Jordan Russell. Portions Copyright (C) 2000-2005 Martijn Laan.
Inno Setup home page: hXXp://VVV.innosetup.com
autoit.exe_456:
.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
Gt.Ht$
t.jGZf;
PSSShD
PVSShD
f;Crt
?#%X.y
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
kernel32.dll
oleaut32.dll
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
k%C[0u
S%Cwk
x=.As]
@.nD,
\z6%fr
a.WDk
/o j.WW
C%Xdw^
2 3(393@3
5"5(5,52565
5W5C5V5_5r5
9’9S9x9
9 9$9(9,9094989
1/2g2
: :$:(:,:0:4:8:<:>
7-747v7}7
mscoree.dll
combase.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
>>>AUTOIT NO CMDEXECUTE
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
APPSKEY
789:;?
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDelay
SendKeyDownDelay
TCPTimeout
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
D%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 10, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
autoit.exe_456_rwx_00050000_00001000:
KERNEL32.DLL
autoit.exe_456_rwx_00190000_00001000:
KERNEL32.DLL
autoit.exe_456_rwx_001D0000_00001000:
KERNEL32.DLL
autoit.exe_456_rwx_00210000_00001000:
KERNEL32.DLL
autoit.exe_456_rwx_00250000_00001000:
KERNEL32.DLL
autoit.exe_456_rwx_00290000_00001000:
KERNEL32.DLL
autoit.exe_456_rwx_01210000_00001000:
advapi32.dll
autoit.exe_456_rwx_01340000_00001000:
RegOpenKeyA
autoit.exe_456_rwx_01350000_00001000:
advapi32.dll
autoit.exe_456_rwx_01380000_00001000:
AVICAP32.DLL
autoit.exe_456_rwx_014C0000_00001000:
AVICAP32.DLL
autoit.exe_456_rwx_014F0000_00001000:
gdi32.dll
autoit.exe_456_rwx_01630000_00001000:
gdi32.dll
autoit.exe_456_rwx_01660000_00001000:
gdiplus.dll
autoit.exe_456_rwx_017A0000_00001000:
gdiplus.dll
autoit.exe_456_rwx_017D0000_00001000:
mpr.dll
autoit.exe_456_rwx_01810000_00001000:
mpr.dll
autoit.exe_456_rwx_01840000_00001000:
msacm32.dll
autoit.exe_456_rwx_01880000_00001000:
msacm32.dll
autoit.exe_456_rwx_018B0000_00001000:
ntdll.dll
autoit.exe_456_rwx_01A00000_00001000:
ntdll.dll
autoit.exe_456_rwx_01C40000_00001000:
ole32.dll
autoit.exe_456_rwx_01D80000_00001000:
ole32.dll
autoit.exe_456_rwx_01DB0000_00001000:
oleaut32.dll
autoit.exe_456_rwx_01EF0000_00001000:
oleaut32.dll
autoit.exe_456_rwx_01F20000_00001000:
powrprof.dll
autoit.exe_456_rwx_02060000_00001000:
powrprof.dll
autoit.exe_456_rwx_02090000_00001000:
shell32.dll
autoit.exe_456_rwx_021D0000_00001000:
shell32.dll
autoit.exe_456_rwx_02200000_00001000:
user32.dll
autoit.exe_456_rwx_02340000_00001000:
user32.dll
autoit.exe_456_rwx_02370000_00001000:
wininet.dll
autoit.exe_456_rwx_024A0000_00001000:
FtpOpenFileA
autoit.exe_456_rwx_024B0000_00001000:
wininet.dll
autoit.exe_456_rwx_024E0000_00001000:
winmm.dll
autoit.exe_456_rwx_02620000_00001000:
winmm.dll
autoit.exe_456_rwx_02650000_00001000:
wsock32.dll
autoit.exe_456_rwx_02790000_00001000:
wsock32.dll
autoit.exe_456_rwx_10480000_00061000:
`.rsrc
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
v1.05.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
getpassword
updateservidorweb
keyloggersearch
urlredirect
urlredirecttrue
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
t.Shd
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
C:\Windows\System32\drivers\etc\hosts
ntdll.dll
XX--XX--XX.txt
cglogs.dat
SQLite3.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll
Explorer.EXE_1284_rwx_013D0000_00001000:
KERNEL32.DLL
Explorer.EXE_1284_rwx_01BB0000_00001000:
KERNEL32.DLL
Explorer.EXE_1284_rwx_01C30000_00001000:
KERNEL32.DLL
Explorer.EXE_1284_rwx_01C80000_00001000:
KERNEL32.DLL
Explorer.EXE_1284_rwx_01EC0000_00001000:
KERNEL32.DLL
Explorer.EXE_1284_rwx_01F00000_00001000:
KERNEL32.DLL
Explorer.EXE_1284_rwx_01F30000_00001000:
advapi32.dll
Explorer.EXE_1284_rwx_02060000_00001000:
RegOpenKeyA
Explorer.EXE_1284_rwx_02070000_00001000:
advapi32.dll
Explorer.EXE_1284_rwx_020A0000_00001000:
AVICAP32.DLL
Explorer.EXE_1284_rwx_021E0000_00001000:
AVICAP32.DLL
Explorer.EXE_1284_rwx_02210000_00001000:
gdi32.dll
Explorer.EXE_1284_rwx_02350000_00001000:
gdi32.dll
Explorer.EXE_1284_rwx_02380000_00001000:
gdiplus.dll
Explorer.EXE_1284_rwx_024C0000_00001000:
gdiplus.dll
Explorer.EXE_1284_rwx_024F0000_00001000:
mpr.dll
Explorer.EXE_1284_rwx_02530000_00001000:
mpr.dll
Explorer.EXE_1284_rwx_02560000_00001000:
msacm32.dll
Explorer.EXE_1284_rwx_025A0000_00001000:
msacm32.dll
Explorer.EXE_1284_rwx_025D0000_00001000:
ntdll.dll
Explorer.EXE_1284_rwx_02920000_00001000:
ntdll.dll
Explorer.EXE_1284_rwx_02950000_00001000:
ole32.dll
Explorer.EXE_1284_rwx_02A90000_00001000:
ole32.dll
Explorer.EXE_1284_rwx_02AC0000_00001000:
oleaut32.dll
Explorer.EXE_1284_rwx_02C00000_00001000:
oleaut32.dll
Explorer.EXE_1284_rwx_02C30000_00001000:
powrprof.dll
Explorer.EXE_1284_rwx_02D70000_00001000:
powrprof.dll
Explorer.EXE_1284_rwx_02DA0000_00001000:
shell32.dll
Explorer.EXE_1284_rwx_02EE0000_00001000:
shell32.dll
Explorer.EXE_1284_rwx_02F10000_00001000:
user32.dll
Explorer.EXE_1284_rwx_03050000_00001000:
user32.dll
Explorer.EXE_1284_rwx_03080000_00001000:
wininet.dll
Explorer.EXE_1284_rwx_031B0000_00001000:
FtpOpenFileA
Explorer.EXE_1284_rwx_031C0000_00001000:
wininet.dll
Explorer.EXE_1284_rwx_031F0000_00001000:
winmm.dll
Explorer.EXE_1284_rwx_03330000_00001000:
winmm.dll
Explorer.EXE_1284_rwx_03360000_00001000:
wsock32.dll
Explorer.EXE_1284_rwx_034A0000_00001000:
wsock32.dll
Explorer.EXE_1284_rwx_10410000_00061000:
`.rsrc
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
v1.05.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
getpassword
updateservidorweb
keyloggersearch
urlredirect
urlredirecttrue
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
t.Shd
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
C:\Windows\System32\drivers\etc\hosts
ntdll.dll
XX--XX--XX.txt
cglogs.dat
SQLite3.dll
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll