HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1805991 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, Worm.Win32.AutoIt.FD, InstallerInnoSetup.YR, WormAutoItGen.YR, GenericInjector.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ba33176a7d522fb81c6ccddd20324e37
SHA1: 2526cb40b7b8f2b46c1dad705cc4c31a5743aae7
SHA256: 4a88d021c3192d5c44eb6f293a36532d11ee1949c98ccb638e86370afb8c37c0
SSDeep: 196608:yeAgAP9iNLg 6Ge0KsytYZWSiehbnDQPUFOonyg9:yeen 6fs5fbIPR
Size: 8484352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-14 08:50:27
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
NETFXRepair.1024.exe:2144
NETFXRepair.1024.exe:820
%original file name%.exe:472
WINDOW~1.EXE:1720
autoit.exe:820
autoit.exe:1080
The Trojan injects its code into the following process(es):
is-OL16T.tmp:1860
autoit.exe:456
Explorer.EXE:1284
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process NETFXRepair.1024.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sFile.ico (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sFile (0 bytes)
The process is-OL16T.tmp:1860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_RegDLL.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_shfoldr.dll (23 bytes)
The process %original file name%.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\WINDOW~1.EXE (120354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\autoit.exe (19715 bytes)
The process WINDOW~1.EXE:1720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-3SLEL.tmp\is-OL16T.tmp (3736 bytes)
The process autoit.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\sFile.ico (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sFile (0 bytes)
The process autoit.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\cglogs.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (9224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (32 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)
The process autoit.exe:1080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes)
Registry activity
The process NETFXRepair.1024.exe:2144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 A2 EF 43 7D 49 9A 06 4C 3F 9D 37 88 09 B3 9B"
The process NETFXRepair.1024.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 67 06 A1 3D 97 E4 8B AB B0 14 20 EC 27 08 89"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process is-OL16T.tmp:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 8D 65 4F 8F F1 E5 DD 93 96 0C A1 C9 9A E3 2A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 6F AF 9E E8 81 26 8A 4A D1 E3 EF E5 FF 2F F7"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process WINDOW~1.EXE:1720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B6 F5 6A A5 23 46 EB F0 87 C5 5C F5 6F 01 04"
The process autoit.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 9E 2A 1D C4 D0 3D FF CE 87 81 D3 44 80 35 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process autoit.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 87 BC 4B A6 7D A5 C4 9A AB 7E E4 43 C4 02 D8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\NetFramework\Microsoft.NET]
"NETFXRepair.1024.exe" = "NETFXRepair.1024"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\autoit]
"FirstExecution" = "08/11/2014 -- 10:15"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\autoit]
"NewIdentification" = "autoit"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process autoit.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 80 4C 4E 9B A4 E0 0B 34 E6 4C 5C 13 72 AF B6"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeReader" = "c:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe"
Dropped PE files
MD5 | File path |
---|---|
9a3d6b40beb9817d8b0f1d9a51696e19 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\WINDOW~1.EXE |
0ce6f027fed95fe1445ed82460c969c5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\autoit.exe |
b683339ce008e97a0243a0f83bca1e09 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-3SLEL.tmp\is-OL16T.tmp |
bb211d7a8cea15072de7425403508c17 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-D8A11.tmp\_isetup\_RegDLL.tmp |
92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is-D8A11.tmp\_isetup\_shfoldr.dll |
0ce6f027fed95fe1445ed82460c969c5 | c:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
NETFXRepair.1024.exe:2144
NETFXRepair.1024.exe:820
%original file name%.exe:472
WINDOW~1.EXE:1720
autoit.exe:820
autoit.exe:1080 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\sFile.ico (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_RegDLL.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-D8A11.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\WINDOW~1.EXE (120354 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\autoit.exe (19715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-3SLEL.tmp\is-OL16T.tmp (3736 bytes)
%Documents and Settings%\%current user%\Application Data\cglogs.dat (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (9224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (32 bytes)
C:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AdobeReader" = "c:\NetFramework\Microsoft.NET\NETFXRepair.1024.exe" - Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16428
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)
Company Name: Microsoft CorporationProduct Name: Internet ExplorerProduct Version: 11.00.9600.16428Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE .MUIInternal Name: Wextract File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 26060 | 26112 | 4.42567 | e9bf1a1e456a9a811b1b86e6602e3636 |
.data | 32768 | 6796 | 1024 | 2.20139 | 317f8a934ee443eee01c2a315bde9ca1 |
.idata | 40960 | 4216 | 4608 | 3.49941 | d8675ba112ef922c6057a02546757a1a |
.rsrc | 49152 | 8450048 | 8446464 | 5.54392 | 603ae81d01dc622358705bb2b3785a64 |
.reloc | 8499200 | 5038 | 5120 | 2.58043 | 83de2f9b2c95be6fea06bced7e8a058e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_472:
.text
.text
`.data
`.data
.idata
.idata
@.rsrc
@.rsrc
@.reloc
@.reloc
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
advapi32.dll
advapi32.dll
setupx.dll
setupx.dll
setupapi.dll
setupapi.dll
advpack.dll
advpack.dll
wininit.ini
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
Software\Microsoft\Windows\CurrentVersion\App Paths
ADMQCMD
ADMQCMD
USRQCMD
USRQCMD
FINISHMSG
FINISHMSG
IXPd.TMP
IXPd.TMP
msdownld.tmp
msdownld.tmp
TMP4351$.TMP
TMP4351$.TMP
wextract.pdb
wextract.pdb
PSSSSSSh
PSSSSSSh
SSSh
SSSh
PSSShp
PSSShp
PSShp
PSShp
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
wextract_cleanup%d
Command.com /c %s
Command.com /c %s
rundll32.exe %s,InstallHinfSection %s 128 %s
rundll32.exe %s,InstallHinfSection %s 128 %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s /D:%s
%s /D:%s
PendingFileRenameOperations
PendingFileRenameOperations
SHELL32.DLL
SHELL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegCloseKey
RegCloseKey
ADVAPI32.dll
ADVAPI32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GDI32.dll
GDI32.dll
ExitWindowsEx
ExitWindowsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
_amsg_exit
_amsg_exit
_acmdln
_acmdln
msvcrt.dll
msvcrt.dll
COMCTL32.dll
COMCTL32.dll
Cabinet.dll
Cabinet.dll
VERSION.dll
VERSION.dll
)%u]Q
)%u]Q
Bp.Dx
Bp.Dx
gA`0)%UJ
gA`0)%UJ
WINDOW~1.EXE
WINDOW~1.EXE
autoit.exe
autoit.exe
Y.jcU
Y.jcU
E.Nd~
E.Nd~
@u.gr@
@u.gr@
%S9d8hr;%
%S9d8hr;%
&j.HXz
&j.HXz
%Ä_r
%Ä_r
Ie.pz
Ie.pz
.,\%C
.,\%C
O.kyi
O.kyi
MsGb
MsGb
..Yq!
..Yq!
hc.gY
hc.gY
;%uGx
;%uGx
U0YU%c&
U0YU%c&
.yoVgB
.yoVgB
.frhs
.frhs
.rl*7 S
.rl*7 S
(l%fS
(l%fS
{-c
{-c
1.Qs2S
1.Qs2S
%XVT`
%XVT`
ee_.UBx
ee_.UBx
.Ki_^C4c
.Ki_^C4c
.WK@q1
.WK@q1
.Hy*wJ
.Hy*wJ
.tf`J
.tf`J
fq|l.RCD
fq|l.RCD
.BbXj
.BbXj
n.MI!K4
n.MI!K4
à ^
à ^
NE%s)
NE%s)
VQ.PdUft
VQ.PdUft
@.Ø
@.Ø
oX\%sh
oX\%sh
oa.izS
oa.izS
d.bgn
d.bgn
@lKLE.zzr
@lKLE.zzr
;7XHb.rq
;7XHb.rq
_%cgA
_%cgA
o:%x`
o:%x`
=8%ug
=8%ug
~.IFq
~.IFq
.Yng}
.Yng}
}.ln6
}.ln6
e[.Pj
e[.Pj
MSGSC
MSGSC
.wGh@kt M
.wGh@kt M
tb.WgNK
tb.WgNK
O,dr.mj
O,dr.mj
-e9}C
-e9}C
F.JOh!
F.JOh!
h.BE~N
h.BE~N
.rgyB
.rgyB
ø(;
ø(;
}I%C$
}I%C$
8%Uci(
8%Uci(
.sKpb
.sKpb
ZFO%x>
ZFO%x>
.xV\K
.xV\K
f.fQi
f.fQi
mxg{%FX[
mxg{%FX[
,t).RN
,t).RN
KkW%C
KkW%C
W.%DW
W.%DW
pe%S5
pe%S5
y%2yJ.xK{'
y%2yJ.xK{'
5r-I}
5r-I}
^.vR.=Vk
^.vR.=Vk
3"`.Dj
3"`.Dj
1Q.UI]
1Q.UI]
`.Jy,
`.Jy,
$%UfJn
$%UfJn
0L6%7S
0L6%7S
=0.TG'
=0.TG'
T.yc6
T.yc6
%Co^x
%Co^x
#KeYP
#KeYP
Rn%dz
Rn%dz
l.DZ>
l.DZ>
%dYhOB
%dYhOB
k.HhG
k.HhG
.WM/;
.WM/;
R-M}'
R-M}'
URl?T
URl?T
EZR%c
EZR%c
C.yTm
C.yTm
k.vNZ
k.vNZ
%Dx/A
%Dx/A
f*9%f
f*9%f
De.qKv
De.qKv
=N.Xo
=N.Xo
d%x,_
d%x,_
J
J
y%d@34
y%d@34
,.nlii
,.nlii
"7l.MN
"7l.MN
Ik %s
Ik %s
.CwJ2h
.CwJ2h
%cl LYR#
%cl LYR#
*~g%d_1e
*~g%d_1e
%uCGh
%uCGh
r%O%u
r%O%u
%s.Hl
%s.Hl
%9Ü0
%9Ü0
Fu%c*
Fu%c*
-[%sQ
-[%sQ
* .oG
* .oG
Ft8.gY
Ft8.gY
Q/.Sn
Q/.Sn
L
L
Qy.Pa
Qy.Pa
d%cJu
d%cJu
fS.PE
fS.PE
Fi2%C`r~i
Fi2%C`r~i
.Jj-H
.Jj-H
!?ð
!?ð
:AÓ=Bp
:AÓ=Bp
.Ion7
.Ion7
^r.pt
^r.pt
j?%dR
j?%dR
%Xf'w
%Xf'w
.FJnp
.FJnp
;h.PQ
;h.PQ
'nd@R%X
'nd@R%X
O.AFe)
O.AFe)
D.lT$X
D.lT$X
A!.HJ%m
A!.HJ%m
"b-%X9
"b-%X9
>%U]f
>%U]f
.vb[*
.vb[*
/.Yu}
/.Yu}
K.SaEar
K.SaEar
\%c\KC
\%c\KC
SAó
SAó
%F
%F
Z.gHJd
Z.gHJd
G?.vI
G?.vI
m`$%s
m`$%s
u'.afS
u'.afS
]$_.gX
]$_.gX
.BHt(7.>
.BHt(7.>
.hvNBw
.hvNBw
1ywI.Up
1ywI.Up
Z.tnq
Z.tnq
.aYF/
.aYF/
wEbe
wEbe
3.HC M
3.HC M
fC6%s
fC6%s
h;nA2G%x
h;nA2G%x
.cM,N
.cM,N
7/.Xn
7/.Xn
.ge/=p
.ge/=p
]I.bl
]I.bl
-s.bJ#
-s.bJ#
.LO&k
.LO&k
:T1%d
:T1%d
I.bVd{
I.bVd{
Bkx %F
Bkx %F
p=.yq.Jj
p=.yq.Jj
h.iB1
h.iB1
hPJ.Ae
hPJ.Ae
|8c g%D
|8c g%D
Z>&.IU~
Z>&.IU~
(!G%d
(!G%d
L|.OZ
L|.OZ
%9xg;
%9xg;
Mk.Lc
Mk.Lc
V&Ë
V&Ë
.Rxnm
.Rxnm
].Lxb
].Lxb
[3bhoS.nT
[3bhoS.nT
bYSSHr
bYSSHr
\v.pA`
\v.pA`
B>wA.vO
B>wA.vO
%s>qW9
%s>qW9
WEbG
WEbG
OkEy
OkEy
Q.zVx
Q.zVx
d%CQ{:
d%CQ{:
gUkn%d
gUkn%d
Ú4nW
Ú4nW
x.MgA
x.MgA
E.vE`
E.vE`
|.UD"
|.UD"
%DX!o
%DX!o
H.xGE
H.xGE
~>QAv96s2%c
~>QAv96s2%c
8e.fV9
8e.fV9
..PUc
..PUc
np3È8
np3È8
Pv.td
Pv.td
*E7^7%UG
*E7^7%UG
LbC%F
LbC%F
wF%U#
wF%U#
WGurl
WGurl
.IY$^
.IY$^
w.oR\
w.oR\
.yp`A
.yp`A
NOw%X
NOw%X
*.AbA
*.AbA
/m.Sb
/m.Sb
A38i_.Wh
A38i_.Wh
-J}{E
-J}{E
9T}%X
9T}%X
.uklMj
.uklMj
[,.vMr
[,.vMr
.RpBI
.RpBI
vTCp
vTCp
VUdPY
VUdPY
k.Cl)ba
k.Cl)ba
`B9%u
`B9%u
z%4%f
z%4%f
R^%saQ
R^%saQ
Hiq.Ai
Hiq.Ai
%fj.evv
%fj.evv
Yd3.OV&
Yd3.OV&
DQ.DH
DQ.DH
_3%Sg
_3%Sg
Q.OPo
Q.OPo
:e2%x
:e2%x
,Ml
,Ml
p".aH
p".aH
:s.IRe
:s.IRe
l".dKlgHF
l".dKlgHF
.Ze8r
.Ze8r
l.id*
l.id*
w=MPI.gcj
w=MPI.gcj
)*.LP
)*.LP
p)_.tTd
p)_.tTd
_.tNt
_.tNt
S.BP{9XZ
S.BP{9XZ
9b.xR
9b.xR
%X]`U;'
%X]`U;'
-(%X7L
-(%X7L
;*%du7
;*%du7
iTj%F
iTj%F
!.ubd,
!.ubd,
0L%ZP%S}
0L%ZP%S}
gN.iK
gN.iK
dZ.Xx
dZ.Xx
.OzTHi
.OzTHi
_[.DQ
_[.DQ
Y4r.pR
Y4r.pR
%UcZp
%UcZp
sl.YN
sl.YN
-i5iR}
-i5iR}
iGd{.Bh
iGd{.Bh
S%s6.J
S%s6.J
.Uj\]
.Uj\]
1%u09
1%u09
@9h%D
@9h%D
!.ZV_h
!.ZV_h
%X@n8
%X@n8
J`SSH
J`SSH
%X:HB@
%X:HB@
}.qzV
}.qzV
%cZTH[
%cZTH[
BEû
BEû
%XLyX
%XLyX
.BtW/_
.BtW/_
bÿ`
bÿ`
,>dö
,>dö
[-y}}
[-y}}
0Ãv
0Ãv
%f?;=
%f?;=
h>b%u
h>b%u
Ok.Gd
Ok.Gd
,h.bv
,h.bv
|.Dj1
|.Dj1
s%x<_>
s%x<_>
4.jS/
4.jS/
3:Ls%x
3:Ls%x
%U"ys
%U"ys
i%U
i%U
E5.ta.
E5.ta.
xL.Pm
xL.Pm
a0.MV
a0.MV
P_u.PhI
P_u.PhI
. .GQ
. .GQ
.eZ1b
.eZ1b
*%.kZ
*%.kZ
MVú
MVú
ÿ8)
ÿ8)
be0.feb
be0.feb
m.iC
m.iC
ij.rx
ij.rx
,>#%s
,>#%s
.KkUn
.KkUn
GxV.Mx
GxV.Mx
0g.Pd
0g.Pd
.zIwrD
.zIwrD
2[.wW
2[.wW
aA#.dv
aA#.dv
zcmD
zcmD
d8À
d8À
,.ug;'l
,.ug;'l
@WEb"
@WEb"
6cH.ka@
6cH.ka@
.cUEy
.cUEy
\d'.NV
\d'.NV
.TmB(
.TmB(
*^A
*^A
.Bt{?v*
.Bt{?v*
z(FM
z(FM
or%ue
or%ue
4/.KZ
4/.KZ
.lbYbH
.lA]m.ZK.zFa_s.TKT%0u64B%fy?un__%Ul.vgu&R.Ji.dN|\T5O%0usb8.Gg;{.JO1=`%xMra.EMq>xDo35%s(.OtPYA:\:)%s&@WSXy.JZZ^.GI8j]C'd.itbsPh%dI#.pBvz89%xzSd.bW}}%cH6?8.KAFZSC.kSHA.rd'O.neTg.nht|GuRlCwÄ.OH4G"`%di(9.SAchdü4* .pRcJF.CaBP.ce `/W5.bF5E'e..MCoj.CM@Y&%F !vEa.vI-S}QtV.vy.Yz!eT?V.fV`KFTP^.dNCr)L%d.JrmYJP.EQf*!.sZGTV|%s.Sq%BzY&.uVD"w.VE.sp,!!.MF[J].gm;w.ZKPTSði{AK%F5.iHww$.NOa%Cm%C-?_%fi>6O|.xqNY.Kyj.YiKHt^Ü".MK@k0.kaQD>.Wqr.QtUy.tQO7o$òN5%0xxU/%FhY.EH3K9%Ue4q".hQC[9U%FHTudp?ZZh)%UPVN0.by]GgÃ…T.bn`CMdP%c!@1T.eSbÃŒOK.cvZ3.9%SdR7 %Dv.mY=77.ea3Q%FUCs:\1UQt.xQu(p*%c>/s%S.Uc|!dD%UqK!*ZC"C.yuR'^.bq.\].tTK.MOuPMf.Yi3Q~~gaz.LSuL=<.uq>1%u"ZBM%UZlz.UP0nd.Ox8h.YwhwrLb%Fb.Ae[E.Zpd.qG]A\}=M.oZ&.esHHZL%fK,T8uz.KE4y.Ui5Dx %fDDN.yyD0%U$CRtü(7q%UU%6XB%fV9f|.KJq.Wge@UEq.Ox].cgyOo%SRwRF4?%dN%6XyRj)%U8n:\Ei".OLO#QF%C(quf-Fssh&:.Tl8w~.Rd_k.fYfB*%u ;>.qbNFK}[.umJwH.ru/Q^fp.CZr.gN@znm.dv%s#X.Ix=AhJcnf%UryEKft.KRa1.km.Jh31sWLz7.kH~K÷fwI%XI=O.FqWp%dQm{ .UHK%CvMj4I%dp?BT%u6$O.wV>.Kst2"-9f}2PS](keY.E%0sz.iquQFon%Fg6[w%8SuZBnBb/.zk9;E.PT%F?8yCd4q&.Dcu5.ih=ETa%D.UJu}\@1L%D.tNHn1C%%Fq.uafa.zFZf}Tcp!8`%F%SpId.qeHddq.oH9%x^t%?>.vv*.gn[&b^e.pJ!g8Pw.zyYX-Å“3(c(%UHm%D\?.lKSy.VpIY{lx(@.tQBaT4 .QRJx.Ce~U^.egvm6%S0'WJ;.Mf`upG.XgMl_%6Uh.LpNuGw.IeJ%6s$[B.jiX.YrqSqlv'k6g.VvAkS.zqZ.EJru%C>:.9%c~:^p%ftlAE*x%X8p%CX.Sac-qb.Yh*.IL/v.ylj.pX!/_H.ylpo`nj%d`TcPuF"Z.LM%mzvF.zHu4Taþ%FX|B:.RhdQws.Fj|.Sv#ZÊUm,xûoJws.aji$~QG.AI[/=uF%dud%uBxA't.tu.SN(s%S1[;D.rGj%Xk&3%u: 1Wyg%uBP;s.PWq3L3L.eZ"8.KJKCvb;-'%Cm8.aaqG<.oq>%Dx;\%U` RI%U5=(*s=3%sd?$.Qe~d:\9"(m4Inno Setup Setup Data (5.1.2)M%FZ"z.LXUrx9%f~\.db#cg%Fo.UnEGul!%x-vbH%8xH.wz[9UAsQlbZ1.qghhszl.Hil.tkjYf.Py!%dmZn%coqrgx%u]z2.ojRw.eSY(.vAQSX@aM÷:X@.OuJ?F%DxDOL.fVHj/nlhUl5lED!.hJDO%8UTP`CýkSOe&q'&%U.YT0h5~#9%D'^PFtp.meRMx_/.Lh8m.tEd%sl Ieo%c@ThJZ.mXi^%usW;PUSB%S,TJ_%Xk:9.FV<.roz>duRlJIW"%dF(%XWz\z6%fra.WDk/o j.WWC%Xdw^[4.cQVÃŽ~'-.xtv&.YNf|oA%FnKr%s;hM;%uGb:%C]?I.qlUN\!.dskW".hwIP%c@;1.pAa(*.JJ{a``.zDr%CkCy*e]&0%sXZm[v%Fw.JO9P*N=%Cv"I~>oa%uK`kBX.Vgname="Microsoft.Windows.Common-Controls"version="6.0.0.0"publicKeyToken="6595b64144ccf1df"Kernel32.dllPlease read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.CFailed to get disk space information from: %s.System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?8Unable to retrieve operating system version information.!Memory allocation request failed.Filetable full.Ên not change to destination folder.Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.SError en la obtencin de espacio en: %s.Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#n del sistema operativo./Error en la solicitud de asignacin no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalacin.XLa carpeta no es vrese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to installCould not create folder '%s'To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.n de carpeta.ENo se pueden cargar las funciones requeridas por el dilogo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de din del proceso . Causa: %s5El tamaster en este sistema no es soportado.3Uno de los recursos necesarios parece estar daado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaciError al cargar %s]Error de GetProcAddress() en funcin "%s". Causa posible: versin incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.Error retrieving Windows folder$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.n de la carpeta de Windows)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB daado.wEl programa de instalacin del volumen para la unidad (%s) .Mensaje del sistema: %s.n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e intntelo de nuevo.hEl programa de instalaci/C: -- Override Install Command defined by author.eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?Could not find the file: %s./C: -- Sobrescribir el comando de instalaci[Otra copia del paquete "%s" ya estDesea ejecutar otra copia?$No se pudo encontrar el archivo: %s.:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.No existe la carpeta "%s".Desea crearla?lOtra copia del paquete "%s" ya estndose en su sistema. Solo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versin de Windows que estejecutando.^El paquete "%s" no es compatible con la versin del archivo %s que se encuentra en su sistema.11.00.9600.16428 (winblue_gdr.131013-1700)WEXTRACT.EXE .MUI11.00.9600.16428WINDOW~1.EXE_1720:.idata.rdataP.relocP.rsrckernel32.dll.DEFAULT\Control Panel\InternationalFile I/O error %dlzma: Compressed data is corrupted (%d)LzmaDecoderInit failed (%d)LzmaDecode failed (%d)shell32.dll/SL4 $%x "" %d %dInno Setup Setup Data (5.1.2)Inno Setup Messages (5.1.0)user32.dlloleaut32.dlladvapi32.dllRegOpenKeyExARegCloseKeyGetWindowsDirectoryAMsgWaitForMultipleObjectsExitWindowsExcomctl32.dllname="JR.Inno.Setup"version="1.0.0.0"name="Microsoft.Windows.Common-Controls"version="6.0.0.0"publicKeyToken="6595b64144ccf1df"!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date'%s' is not a valid time!'%s' is not a valid date and timeI/O error %dInteger overflow Invalid floating point operationInvalid pointer operationInvalid class typecast0Access violation at address %p. %s of address %pOperation aborted%Exception %s in module %s at %p.Application Error1Format '%s' invalid or incompatible with argumentNo argument for format '%s'Invalid variant operation"Variant method calls not supportedExternal exception %xThis installation was built with Inno Setup: hXXp://VVV.innosetup.comWindowsDoctor International LLCWindows Doctor 2.7.8 Setupis-OL16T.tmp_1860:.idata.rdataP.relocP.rsrc%s_%dEInvalidOperationTKeyEventTKeyPressEventcrSQLWaitt.HtREInvalidGraphicOperationTWindowStatepoProportionalKeyPreview|WindowStateOnKeyDownl,AOnKeyPress0,AOnKeyUpCTL3D32.DLLPasswordCharlssHorizontalkernel32.dllRegDeleteKeyExAadvapi32.dll.DEFAULT\Control Panel\Internationaluser32.dllTPSExecTPSRuntimeClassImporterTPSExportedVarCannot ImportInterface not supportedUh.WCUh.jDTPSCustomDebugExecTPSDebugExecuxtheme.dlloleacc.dllRICHED20.DLLRICHED32.DLLFile I/O error %dMessages file "%s" is missing. Please correct the problem or obtain a new copy of the program.shell32.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHKEY_DYN_DATAWININIT.INIt.HtbSoftware\Microsoft\Windows\CurrentVersion\SharedDLLsRegCreateKeyExRegOpenKeyExsfc.dllcmd.exe" /C "COMMAND.COM" /CPendingFileRenameOperationsPendingFileRenameOperations2Software\Microsoft\Windows\CurrentVersion\FontsSoftware\Microsoft\Windows NT\CurrentVersion\FontsOLEAUT32.DLL%s Log %s #%.3u.txt_isetup\_RegDLL.tmp_RegDLL.tmp %u %uMsgWaitForMultipleObjectsREGDLL failed with exit code 0x%xREGDLL mutex wait failed (%d, %d)REGDLL returned unknown result code %dHELPER_EXE_AMD64HELPER_EXE_IA64Cannot utilize 64-bit features on this version of Windows64-bit helper EXE wasn't extracted\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8xCreateNamedPipeSetNamedPipeHandleStatehelper %d 0x%xHelper process PID: %uStopping 64-bit helper process. (PID: %u)Helper process exited with failure code: 0x%xTransactNamedPipeTransactNamedPipe/GetOverlappedResultHelper: Command did not executeMoveFileEx failed (%d).Deleting directory: %sFailed to delete directory (%d). Will retry later.Failed to delete directory (%d). Will delete on restart (if empty).Failed to delete directory (%d).Deleting file: %sFailed to delete the file; it may be in use (%d).The file appears to be in use (%d). Will delete on restart.Decrementing shared count (%d-bit): %sUnregistering 64-bit DLL/OCX: %sUnregistering 32-bit DLL/OCX: %sNot unregistering DLL/OCX again: %sUnregistering 64-bit type library: %sUnregistering 32-bit type library: %sRunning Exec filename:Running Exec parameters:CreateProcess failed (%d).Running ShellExec filename:Running ShellExec parameters:ShellExecuteEx failed (%d).Skipping RunOnceId "%s" filename: %sUnregistering font: %szlib: Internal error. Code %d1.2.1bzlib: Internal error. Code %dlzma: Compressed data is corrupted (%d)LzmaDecoderInit failed (%d)LzmaDecode failed (%d)TPasswordEditTPasswordEdit8PasswordEdit(Passwordlc:\directorySoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedPasswordPagePasswordLabelPasswordEditPasswordEditLabelCould not find page with ID %dSoftware\Microsoft\Windows\CurrentVersion\Uninstall%s\%s_is1CheckPassword/:*?"|\/:*?"|%s-%d.bin%s-%d%s.bin..\DISK%d\Asking user for new disk containing "%s".Cannot read an encrypted file before the key has been setLoggedMsgBox returned an unexpected value. Assuming Abort.Software\Microsoft\Windows\CurrentVersion\Uninstall\5.1.6URLInfoAboutURLUpdateInfoCreating directory: %sSetting permissions on directory: %sIMsgFailed to set value in Fonts registry key.Failed to open Fonts registry key.Setting permissions on file: %sDest filename: %sDest file is protected by Windows File Protection.Time stamp of our file: %sTime stamp of existing file: %sVersion of our file: %u.%u.%u.%uVersion of existing file: %u.%u.%u.%uExisting file is protected by Windows File Protection. Skipping.The existing file appears to be in use (%d). Will replace on restart.The existing file appears to be in use (%d). Retrying.Registering file as a font ("%s")Cannot install files to 64-bit locations on this version of WindowsFilename: %starget.lnkDesktop.iniSoftware\Microsoft\Windows\CurrentVersion\App Paths\Setting permissions on registry key: %s\%sFailed to set permissions on registry key.Cannot access 64-bit registry keys on this version of WindowsSoftware\Microsoft\Windows\CurrentVersion\RunOnceRegistering 64-bit DLL/OCX: %sRegistering 32-bit DLL/OCX: %sRegistering 64-bit type library: %sRegistering 32-bit type library: %sDirectory for uninstall files: %sLoggedMsgBox returned an unexpected value. Assuming Cancel.Fatal exception during installation process (%s):ExtractTemporaryFile: The file "%s" was not foundInvalid symbol '%s' foundInvalid token '%s' foundFormKeyDownPasswordCheckHashExpression error '%s'PasswordCannot evaluate "%s" constant during UninstallCannot access a 64-bit key in a "reg" constant on this version of WindowsUnknown custom message name "%s" in "cm" constantsrcexeCannot expand "pf64" constant on this version of WindowsCannot expand "cf64" constant on this version of WindowsuninstallexeFailed to expand shell folder constant "%s"Unknown constant "%s"Software\Microsoft\Windows\CurrentVersionSOFTWARE\Microsoft\Windows NT\CurrentVersioncmd.exeCOMMAND.COM\_RegDLL.tmpREGDLL_EXE\_setup64.tmp_isetup\_shfoldr.dllFailed to get version numbers of _shfoldr.dllshfolder.dllFailed to load DLL "%s"Found pending rename or delete that matches one of our files: %sWindows version: %u.%.2u.%u%s (NT platform: %s)64-bit Windows: %sProcessor architecture: %sDefaulting to %s for suppressed message box (%s):Message box (%s):User chose %s.MsgBox failed.64-bit install mode: %s%d.%.*d_isetup\_isdecmp.dll_isetup\_iscrypt.dll/Password=/SuppressMsgBoxes/DETACHEDMSGSetup version: Inno Setup version 5.1.6Original Setup EXE:-0.binWindows NTWindowsNot restarting Windows because Setup is being run from the debugger.Restarting Windows.Inno Setup version 5.1.6Portions Copyright (C) 2000-2005 Martijn LaanhXXp://VVV.innosetup.com/hXXp://VVV.remobjects.com/?psType: ExecType: ShellExecProcess exit code: %uShellExecuteExNeed to restart Windows? %sWill not restart Windows automatically.System\CurrentControlSet\Control\WindowsTOutputMsgWizardPageTOutputMsgMemoWizardPageTOutputMsgMemoWizardPagePASSWORDLABELPASSWORDEDITPASSWORDEDITLABELMsgLabelMsg1LabelMsg2Labelfunction CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption, AMsg: String): TOutputMsgMemoWizardPage;function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;function GetIniString(const Section, Key, Default, Filename: String): String;function GetIniInt(const Section, Key: String; const Default, Min, Max: Longint; const Filename: String): Longint;function GetIniBool(const Section, Key: String; const Default: Boolean; const Filename: String): Boolean;function IniKeyExists(const Section, Key, Filename: String): Boolean;function SetIniString(const Section, Key, Value, Filename: String): Boolean;function SetIniInt(const Section, Key: String; const Value: Longint; const Filename: String): Boolean;function SetIniBool(const Section, Key: String; const Value: Boolean; const Filename: String): Boolean;procedure DeleteIniEntry(const Section, Key, Filename: String);function GetCmdTail: String;function RegValueExists(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;function RegQueryStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;function RegQueryMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;function RegDeleteKeyIncludingSubkeys(const RootKey: Integer; const SubkeyName: String): Boolean;function RegDeleteKeyIfEmpty(const RootKey: Integer; const SubkeyName: String): Boolean;function RegKeyExists(const RootKey: Integer; const SubKeyName: String): Boolean;function RegDeleteValue(const RootKey: Integer; const SubKeyName, ValueName: String): Boolean;function RegGetSubkeyNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;function RegGetValueNames(const RootKey: Integer; const SubKeyName: String; var Names: TArrayOfString): Boolean;function RegQueryDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultDWord: Cardinal): Boolean;function RegQueryBinaryValue(const RootKey: Integer; const SubKeyName, ValueName: String; var ResultStr: String): Boolean;function RegWriteStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;function RegWriteExpandStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;function RegWriteMultiStringValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;function RegWriteDWordValue(const RootKey: Integer; const SubKeyName, ValueName: String; const Data: Cardinal): Boolean;function RegWriteBinaryValue(const RootKey: Integer; const SubKeyName, ValueName, Data: String): Boolean;function CheckForMutexes(Mutexes: String): Boolean;function Exec(const Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ResultCode: Integer): Boolean;function ShellExec(const Verb, Filename, Params, WorkingDir: String; const ShowCmd: Integer; const Wait: TExecWait; var ErrorCode: Integer): Boolean;function MakePendingFileRenameOperationsChecksum: String;function CreateShellLink(const Filename, Description, ShortcutTo, Parameters, WorkingDir, IconFilename: String; const IconIndex, ShowCmd: Integer): String;function ExitSetupMsgBox: Boolean;function GetWindowsVersion: Cardinal;procedure GetWindowsVersionEx(var Version: TWindowsVersion);function GetWindowsVersionString: String;function SuppressibleMsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons, Default: Integer): Integer;function CustomMessage(const MsgName: String): String;function SendMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Longint;function PostMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;function SendNotifyMessage(const Wnd: HWND; const Msg, WParam, LParam: Longint): Boolean;function SendBroadcastMessage(const Msg, WParam, LParam: Longint): Longint;function PostBroadcastMessage(const Msg, WParam, LParam: Longint): Boolean;function SendBroadcastNotifyMessage(const Msg, WParam, LParam: Longint): Boolean;procedure RaiseException(const Msg: String);function SetPreviousData(const PreviousDataKey: Integer; const ValueName, ValueData: String): Boolean;Cannot call "%s" function during SetupCannot call "%s" function during UninstallCREATEOUTPUTMSGPAGECREATEOUTPUTMSGMEMOPAGEMSGBOXInvalid RootKey valueINIKEYEXISTSGETCMDTAILREGKEYEXISTSREGDELETEKEYINCLUDINGSUBKEYSREGDELETEKEYIFEMPTYREGGETSUBKEYNAMESCHECKFORMUTEXESSHELLEXECMAKEPENDINGFILERENAMEOPERATIONSCHECKSUMUnknown custom message name "%s"EXITSETUPMSGBOXGETWINDOWSVERSIONGETWINDOWSVERSIONSTRING%u.%.2u.%uSUPPRESSIBLEMSGBOX%u.%u.%u.%uUh.mHGetWindowsVersionExRuntime Error (at %d:%d):Exception "%s" at address %pTScriptRunner.SetPSExecParameters: Invalid typeTScriptRunner.LoadScript failedRemove shared file %s? User chose %s%s/SECONDPHASE="%s" /FIRSTPHASEWND=$%xOriginal Uninstall EXE:Detached uninstall MSG:Install was done in 64-bit mode but not running 64-bit Windows nowRemoved all? %sNot restarting Windows because Uninstall is being run from the debugger.IMsgt/isRS-???.tmpisRS-%.3u.tmpDisableProcessWindowsGhostingFTPF0P0123456789abcdefInno Setup Setup Data (5.1.2)Inno Setup Messages (5.1.0)oleaut32.dllRegQueryInfoKeyARegOpenKeyExARegEnumKeyExARegDeleteKeyARegCreateKeyExARegCloseKeyGetWindowsDirectoryACreateNamedPipeAmpr.dllversion.dllgdi32.dllSetViewportOrgExUnhookWindowsHookExSetWindowsHookExAMapVirtualKeyAGetKeyStateGetKeyNameTextAExitWindowsExEnumWindowsEnumThreadWindowscomctl32.dllole32.dllShellExecuteExAShellExecuteAcomdlg32.dll.text`.rdata@.data.pdataSHLWAPI.dllSetProcessShutdownParametersKERNEL32.dllADVAPI32.dllSHELL32.dllOLEAUT32.dll@.pdata@.srdata@.sdata.data`.data.rsrc@.relocSoftware\Microsoft\Windows\CurrentVersion\Explorer\User Shell FoldersSoftware\Microsoft\Windows\CurrentVersion\Explorer\Shell Foldersshlwapi.dllSOFTWARE\Microsoft\Windows\CurrentVersionSoftware\Microsoft\Windows\CurrentVersion\ProfileReconciliationRegKeyGetWindowsDirectoryWRegOpenKeyASHFOLDER.dlldll\shfolder.dbgFont.ColorFont.HeightFont.NameFont.StyleOnKeyDownPasswordEditLabelname="JR.Inno.Setup"version="1.0.0.0"name="Microsoft.Windows.Common-Controls"version="6.0.0.0"publicKeyToken="6595b64144ccf1df"Cannot assign a %s to a %sCannot create file %sCannot open file %sStream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instanceClass %s not foundResource %s not found!Resource %s is of incorrect classList index out of bounds Operation not allowed on sorted string list%String list does not allow duplicatesTab index out of bounds#A component named %s already exists$''%s'' is not a valid component nameA class named %s already exists#''%s'' is not a valid integer valueError reading %s.%s: %sAncestor for '%s' not foundBitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)Unsupported clipboard formatError creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window%s property out of range%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per applicationCould not load CARDS.DLLDuplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversationGrid too large for operation Too many rows or columns deleted%s on line %d''%s'' expected%s expectedInvalid input value7Invalid input value. Use escape key to abandon changesValue must be between %d and %d''%s'' is not a valid date''%s'' is not a valid time#''%s'' is not a valid date and timeInvalid file name - %sAll files (*.*)|*.*&Files: (*.*)Invalid clipboard format Clipboard does not support IconsCustom Colors Operation not supported on selected printer.There is no default printer currently selectedUnable to write to %sInvalid data type for '%s'Failed to create key %sFailed to set data for '%s'Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)/Menu '%s' is already being used by another formFailed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %sHot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date'%s' is not a valid time!'%s' is not a valid date and timeI/O error %dInteger overflow Invalid floating point operationInvalid pointer operationInvalid class typecast0Access violation at address %p. %s of address %pOperation aborted%Exception %s in module %s at %p.Application Error1Format '%s' invalid or incompatible with argumentNo argument for format '%s'Invalid variant operation"Variant method calls not supportedExternal exception %xn%USERPROFILE%r%SYSTEMROOT%5.50.4807.2300Microsoft(R) Windows (R) 2000 Operating SystemDatos de programa%Configuraci51.42.0.0Copyright (C) 1997-2005 Jordan Russell. Portions Copyright (C) 2000-2005 Martijn Laan.Inno Setup home page: hXXp://VVV.innosetup.comautoit.exe_456:.text`.rdata@.data.rsrc@.relocPSSSSSShGt.Ht$t.jGZf;PSSShDPVSShDf;Crt?#%X.yGetProcessWindowStationoperatorThis is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.kernel32.dlloleaut32.dllRegDeleteKeyExWadvapi32.dllError text not found (please report)operand of unlimited repeat could match the empty stringPOSIX named classes are supported only within a classerroffset passed as NULLPOSIX collating elements are not supportedthis version of PCRE is compiled without UTF supportPCRE does not support \L, \l, \N{name}, \U, or \usupport for \P, \p, and \X has not been compiledthis version of PCRE is not compiled with Unicode property support\N is not supported in a classWSOCK32.dllVERSION.dllWINMM.dllCOMCTL32.dllMPR.dllInternetCrackUrlWHttpQueryInfoWHttpOpenRequestWHttpSendRequestWFtpOpenFileWFtpGetFileSizeInternetOpenUrlWWININET.dllPSAPI.DLLIPHLPAPI.DLLUSERENV.dllUxTheme.dllGetProcessHeapCreatePipeGetWindowsDirectoryWKERNEL32.dllOpenWindowStationWSetProcessWindowStationCloseWindowStationMapVirtualKeyWEnumChildWindowsEnumWindowsVkKeyScanWGetKeyStateGetKeyboardStateSetKeyboardStateGetAsyncKeyStatekeybd_eventEnumThreadWindowsExitWindowsExUnregisterHotKeyRegisterHotKeyGetKeyboardLayoutNameWUSER32.dllSetViewportOrgExGDI32.dllCOMDLG32.dllRegOpenKeyExWRegCloseKeyRegCreateKeyExWRegEnumKeyExWRegDeleteKeyWADVAPI32.dllShellExecuteWSHFileOperationWShellExecuteExWSHELL32.dllole32.dllOLEAUT32.dllGetCPInfozcÃk%C[0uS%Cwkx=.As]@.nD,\z6%fra.WDk/o j.WWC%Xdw^2 3(393@35"5(5,525655W5C5V5_5r59’9S9x99 9$9(9,90949891/2g2: :$:(:,:0:4:8:<:>7-747v7}7mscoree.dllcombase.dll- CRT not initialized- Attempt to initialize the CRT more than once.- floating point support not loadedUSER32.DLL>>>AUTOIT NO CMDEXECUTECMDLINERAWCMDLINE/AutoIt3ExecuteLine/AutoIt3ExecuteScriptAPPSKEY789:;?FTPSETPROXYGUICTRLRECVMSGGUICTRLSENDMSGGUIGETMSGGUIREGISTERMSGHOTKEYSETHTTPSETPROXYHTTPSETUSERAGENTISKEYWORDMSGBOXREGENUMKEYSHELLEXECUTESHELLEXECUTEWAITTCPACCEPTTCPCLOSESOCKETTCPCONNECTTCPLISTENTCPNAMETOIPTCPRECVTCPSENDTCPSHUTDOWNTCPSTARTUPTRAYGETMSGUDPBINDUDPCLOSESOCKETUDPOPENUDPRECVUDPSENDUDPSHUTDOWNUDPSTARTUPSendKeyDelaySendKeyDownDelayTCPTimeoutWINDOWSDIRAUTOITEXEHOTKEYPRESSEDD%s (%d) : ==> %s.:Line %d:Line %d (File "%s"):%s (%d) : ==> %s:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)04090000%u.%u.%u.%u0.0.0.0Mddddd"%s" (%d) : ==> %s:\??\%sGUI_RUNDEFMSGAUTOITCALLVARIABLE%d255.255.255.255KeywordAUTOIT.ERRORNull Object assignment in FOR..IN loopIncorrect Object type in FOR..IN loop3, 3, 10, 2HKEY_LOCAL_MACHINEHKEY_CLASSES_ROOTHKEY_CURRENT_CONFIGHKEY_CURRENT_USERHKEY_USERS%d/d/dAutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.Missing operator in expression."Unbalanced brackets in expression.Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.autoit.exe_456_rwx_00050000_00001000:KERNEL32.DLLautoit.exe_456_rwx_00190000_00001000:KERNEL32.DLLautoit.exe_456_rwx_001D0000_00001000:KERNEL32.DLLautoit.exe_456_rwx_00210000_00001000:KERNEL32.DLLautoit.exe_456_rwx_00250000_00001000:KERNEL32.DLLautoit.exe_456_rwx_00290000_00001000:KERNEL32.DLLautoit.exe_456_rwx_01210000_00001000:advapi32.dllautoit.exe_456_rwx_01340000_00001000:RegOpenKeyAautoit.exe_456_rwx_01350000_00001000:advapi32.dllautoit.exe_456_rwx_01380000_00001000:AVICAP32.DLLautoit.exe_456_rwx_014C0000_00001000:AVICAP32.DLLautoit.exe_456_rwx_014F0000_00001000:gdi32.dllautoit.exe_456_rwx_01630000_00001000:gdi32.dllautoit.exe_456_rwx_01660000_00001000:gdiplus.dllautoit.exe_456_rwx_017A0000_00001000:gdiplus.dllautoit.exe_456_rwx_017D0000_00001000:mpr.dllautoit.exe_456_rwx_01810000_00001000:mpr.dllautoit.exe_456_rwx_01840000_00001000:msacm32.dllautoit.exe_456_rwx_01880000_00001000:msacm32.dllautoit.exe_456_rwx_018B0000_00001000:ntdll.dllautoit.exe_456_rwx_01A00000_00001000:ntdll.dllautoit.exe_456_rwx_01C40000_00001000:ole32.dllautoit.exe_456_rwx_01D80000_00001000:ole32.dllautoit.exe_456_rwx_01DB0000_00001000:oleaut32.dllautoit.exe_456_rwx_01EF0000_00001000:oleaut32.dllautoit.exe_456_rwx_01F20000_00001000:powrprof.dllautoit.exe_456_rwx_02060000_00001000:powrprof.dllautoit.exe_456_rwx_02090000_00001000:shell32.dllautoit.exe_456_rwx_021D0000_00001000:shell32.dllautoit.exe_456_rwx_02200000_00001000:user32.dllautoit.exe_456_rwx_02340000_00001000:user32.dllautoit.exe_456_rwx_02370000_00001000:wininet.dllautoit.exe_456_rwx_024A0000_00001000:FtpOpenFileAautoit.exe_456_rwx_024B0000_00001000:wininet.dllautoit.exe_456_rwx_024E0000_00001000:winmm.dllautoit.exe_456_rwx_02620000_00001000:winmm.dllautoit.exe_456_rwx_02650000_00001000:wsock32.dllautoit.exe_456_rwx_02790000_00001000:wsock32.dllautoit.exe_456_rwx_10480000_00061000:`.rsrckernel32.dllPortions Copyright (c) 1999,2003 Avenger by NhTSHFileOperationAshell32.dllURLDownloadToFileAurlmon.dllShellExecuteASOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersGetWindowsDirectoryASOFTWARE\Microsoft\Windows\CurrentVersionhttp\shell\open\command\Internet Explorer\iexplore.exe####@####$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)PortugalTurkeyWindows 3.1Windows 95 (Release 2)Windows 95Windows 98 SEWindows 98Windows MEWindows 7Windows Vista%s %sWindows XP Professional x64Windows XP HomeWindows XP ProfessionalWindows 2000 ProfessionalWindows NT %d.%dWindows 2008%s %s ServerWindows 2003 Server DatacenterWindows 2003 Server EnterpriseWindows 2003 Server Web EditionWindows 2003 ServerWindows Home ServerWindows 2003 Server (Release 2)Windows 2000 Server DatacenterWindows 2000 Server EnterpriseWindows 2000 Server Web EditionWindows 2000 ServerWindows NT 4.0 Server DatacenterWindows NT 4.0 Server EnterpriseWindows NT 4.0 Server Web EditionWindows NT 4.0 ServerUnknown Platform ID (%d)%d.%d%s (Build: %d- Service Pack: %sKERNEL32.DLLteste.vbsteste.txtSet objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & EnterInfo = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & EnterobjFile.WriteLine(Info)objFile.Closecscript.exeAVICAP32.dlltFtpAccessv1.05.1BuildImportTable: can't load library:BuildImportTable: ReallocMemory failedBuildImportTable: GetProcAddress failedBTMemoryLoadLibary: BuildImportTable failedBTMemoryGetProcAddress: no export table foundBTMemoryGetProcAddress: DLL doesn't export anythingBTMemoryGetProcAddress: exported symbol not foundSetupApi.dllSetupDiOpenClassRegKeySetupDiOpenClassRegKeyExASetupDiOpenClassRegKeyExWSetupDiCreateDeviceInterfaceRegKeyASetupDiCreateDeviceInterfaceRegKeyWSetupDiOpenDeviceInterfaceRegKeySetupDiDeleteDeviceInterfaceRegKeySetupDiCreateDevRegKeyASetupDiCreateDevRegKeyWSetupDiOpenDevRegKeySetupDiDeleteDevRegKeyCM_DEVCAP_LOCKSUPPORTEDCM_DEVCAP_EJECTSUPPORTEDPDCAP_D0_SUPPORTEDPDCAP_D1_SUPPORTEDPDCAP_D2_SUPPORTEDPDCAP_D3_SUPPORTEDPDCAP_WAKE_FROM_D0_SUPPORTEDPDCAP_WAKE_FROM_D1_SUPPORTEDPDCAP_WAKE_FROM_D2_SUPPORTEDPDCAP_WAKE_FROM_D3_SUPPORTEDPDCAP_WARM_EJECT_SUPPORTEDHKEY_CLASSES_ROOTHKEY_CURRENT_CONFIGHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERS127.0.0.1iphlpapi.dllAllocateAndGetTcpExTableFromStackAllocateAndGetUdpExTableFromStackSetTcpEntryGetExtendedTcpTableGetExtendedUdpTableMozilla3_5PasswordGetChromePassStartHttpProxy1.2.3XxX.xXxUuU.uUukeyboardkeywebcaminactivewebcamgetbufferwebcamenviarexecnormalenviarexechiddenopenwebdownexecsendftpkeyloggerkeyloggergetlogkeyloggereraselogkeyloggerativarkeyloggerdesativarrenamekeywindowsfecharwindowsmaxwindowsminwindowsmostrarwindowsocultarwindowsmintodaswindowscaptionlistarportaslistarportasdnsfinalizarprocessoportaswebcamsettingschatmsggetpasswordupdateservidorwebkeyloggersearchurlredirecturlredirecttrueSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSAPI.dll\config\SteamAppData.vdfAutoLoginUser/ClientRegistry.Blob\ClientRegistry.blob\steam.dllt.Shd%SYS%ÞSKTOP%FirstExecutionchatmsg|Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer\Runlistarjanelas|windowsfechar|listarjanelas|windowsmax|listarjanelas|windowsmin|listarjanelas|windowsmostrar|listarjanelas|windowsocultar|listarjanelas|windowsmintodas|listarjanelas|windowscaption|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstalllistarportas|listadeportaspronta|listarportas|finalizarconexao|listarportas|finalizarprocessoportas|Y|listarportas|finalizarprocessoportas|N|registro|renamekey|keylogger|keylogger|keyloggerativar|keylogger|keylogger|keyloggerdesativar|keylogger|keyloggergetlog|keylogger|keylogger|keyloggervazio|keyloggersearchok|webcam|webcaminactive|webcam|webcamactive|_x_X_PASSWORDLIST_X_x_NOIP.abcMSN.abcFIREFOX.abcIELOGIN.abcIEPASS.abcIEAUTO.abcIEWEB.abcSOFTWARE\Mozilla\Mozilla Firefoxgetfirefoxgetielogingetiepassgetiewebgetchromegetpassword|getpasswordlist|getpassword|getpassworderror|C:\Windows\System32\drivers\etc\hostsntdll.dllXX--XX--XX.txtcglogs.datSQLite3.dlldeflate 1.2.3 Copyright 1995-2005 Jean-loup Gaillyinflate 1.2.3 Copyright 1995-2005 Mark AdlerKWindowsUnitExecutarComandosuftpUrlMon.UnitBytesSizeUnitListarPortasAtivasUnitWebcamUnitKeyloggerWinExecSetNamedPipeHandleStateGetProcessHeapCreatePipeRegOpenKeyExARegOpenKeyARegEnumKeyExARegDeleteKeyARegCreateKeyARegCloseKeyGdiplusShutdownkeybd_eventMapVirtualKeyAGetKeyboardStateGetKeyboardLayoutNameAGetKeyStateGetAsyncKeyStateExitWindowsExEnumWindowsFtpGetFileSizeFtpSetCurrentDirectoryAFtpOpenFileA%( % & % % % ].idata.relocP.rsrcadvapi32.dllAVICAP32.DLLgdi32.dllgdiplus.dllmpr.dllmsacm32.dllole32.dlloleaut32.dllpowrprof.dlluser32.dllwininet.dllwinmm.dllwsock32.dllExplorer.EXE_1284_rwx_013D0000_00001000:KERNEL32.DLLExplorer.EXE_1284_rwx_01BB0000_00001000:KERNEL32.DLLExplorer.EXE_1284_rwx_01C30000_00001000:KERNEL32.DLLExplorer.EXE_1284_rwx_01C80000_00001000:KERNEL32.DLLExplorer.EXE_1284_rwx_01EC0000_00001000:KERNEL32.DLLExplorer.EXE_1284_rwx_01F00000_00001000:KERNEL32.DLLExplorer.EXE_1284_rwx_01F30000_00001000:advapi32.dllExplorer.EXE_1284_rwx_02060000_00001000:RegOpenKeyAExplorer.EXE_1284_rwx_02070000_00001000:advapi32.dllExplorer.EXE_1284_rwx_020A0000_00001000:AVICAP32.DLLExplorer.EXE_1284_rwx_021E0000_00001000:AVICAP32.DLLExplorer.EXE_1284_rwx_02210000_00001000:gdi32.dllExplorer.EXE_1284_rwx_02350000_00001000:gdi32.dllExplorer.EXE_1284_rwx_02380000_00001000:gdiplus.dllExplorer.EXE_1284_rwx_024C0000_00001000:gdiplus.dllExplorer.EXE_1284_rwx_024F0000_00001000:mpr.dllExplorer.EXE_1284_rwx_02530000_00001000:mpr.dllExplorer.EXE_1284_rwx_02560000_00001000:msacm32.dllExplorer.EXE_1284_rwx_025A0000_00001000:msacm32.dllExplorer.EXE_1284_rwx_025D0000_00001000:ntdll.dllExplorer.EXE_1284_rwx_02920000_00001000:ntdll.dllExplorer.EXE_1284_rwx_02950000_00001000:ole32.dllExplorer.EXE_1284_rwx_02A90000_00001000:ole32.dllExplorer.EXE_1284_rwx_02AC0000_00001000:oleaut32.dllExplorer.EXE_1284_rwx_02C00000_00001000:oleaut32.dllExplorer.EXE_1284_rwx_02C30000_00001000:powrprof.dllExplorer.EXE_1284_rwx_02D70000_00001000:powrprof.dllExplorer.EXE_1284_rwx_02DA0000_00001000:shell32.dllExplorer.EXE_1284_rwx_02EE0000_00001000:shell32.dllExplorer.EXE_1284_rwx_02F10000_00001000:user32.dllExplorer.EXE_1284_rwx_03050000_00001000:user32.dllExplorer.EXE_1284_rwx_03080000_00001000:wininet.dllExplorer.EXE_1284_rwx_031B0000_00001000:FtpOpenFileAExplorer.EXE_1284_rwx_031C0000_00001000:wininet.dllExplorer.EXE_1284_rwx_031F0000_00001000:winmm.dllExplorer.EXE_1284_rwx_03330000_00001000:winmm.dllExplorer.EXE_1284_rwx_03360000_00001000:wsock32.dllExplorer.EXE_1284_rwx_034A0000_00001000:wsock32.dllExplorer.EXE_1284_rwx_10410000_00061000:`.rsrckernel32.dllPortions Copyright (c) 1999,2003 Avenger by NhTSHFileOperationAshell32.dllURLDownloadToFileAurlmon.dllShellExecuteASOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersGetWindowsDirectoryASOFTWARE\Microsoft\Windows\CurrentVersionhttp\shell\open\command\Internet Explorer\iexplore.exe####@####$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)PortugalTurkeyWindows 3.1Windows 95 (Release 2)Windows 95Windows 98 SEWindows 98Windows MEWindows 7Windows Vista%s %sWindows XP Professional x64Windows XP HomeWindows XP ProfessionalWindows 2000 ProfessionalWindows NT %d.%dWindows 2008%s %s ServerWindows 2003 Server DatacenterWindows 2003 Server EnterpriseWindows 2003 Server Web EditionWindows 2003 ServerWindows Home ServerWindows 2003 Server (Release 2)Windows 2000 Server DatacenterWindows 2000 Server EnterpriseWindows 2000 Server Web EditionWindows 2000 ServerWindows NT 4.0 Server DatacenterWindows NT 4.0 Server EnterpriseWindows NT 4.0 Server Web EditionWindows NT 4.0 ServerUnknown Platform ID (%d)%d.%d%s (Build: %d- Service Pack: %sKERNEL32.DLLteste.vbsteste.txtSet objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & EnterInfo = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & EnterobjFile.WriteLine(Info)objFile.Closecscript.exeAVICAP32.dlltFtpAccessv1.05.1BuildImportTable: can't load library:BuildImportTable: ReallocMemory failedBuildImportTable: GetProcAddress failedBTMemoryLoadLibary: BuildImportTable failedBTMemoryGetProcAddress: no export table foundBTMemoryGetProcAddress: DLL doesn't export anythingBTMemoryGetProcAddress: exported symbol not foundSetupApi.dllSetupDiOpenClassRegKeySetupDiOpenClassRegKeyExASetupDiOpenClassRegKeyExWSetupDiCreateDeviceInterfaceRegKeyASetupDiCreateDeviceInterfaceRegKeyWSetupDiOpenDeviceInterfaceRegKeySetupDiDeleteDeviceInterfaceRegKeySetupDiCreateDevRegKeyASetupDiCreateDevRegKeyWSetupDiOpenDevRegKeySetupDiDeleteDevRegKeyCM_DEVCAP_LOCKSUPPORTEDCM_DEVCAP_EJECTSUPPORTEDPDCAP_D0_SUPPORTEDPDCAP_D1_SUPPORTEDPDCAP_D2_SUPPORTEDPDCAP_D3_SUPPORTEDPDCAP_WAKE_FROM_D0_SUPPORTEDPDCAP_WAKE_FROM_D1_SUPPORTEDPDCAP_WAKE_FROM_D2_SUPPORTEDPDCAP_WAKE_FROM_D3_SUPPORTEDPDCAP_WARM_EJECT_SUPPORTEDHKEY_CLASSES_ROOTHKEY_CURRENT_CONFIGHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERS127.0.0.1iphlpapi.dllAllocateAndGetTcpExTableFromStackAllocateAndGetUdpExTableFromStackSetTcpEntryGetExtendedTcpTableGetExtendedUdpTableMozilla3_5PasswordGetChromePassStartHttpProxy1.2.3XxX.xXxUuU.uUukeyboardkeywebcaminactivewebcamgetbufferwebcamenviarexecnormalenviarexechiddenopenwebdownexecsendftpkeyloggerkeyloggergetlogkeyloggereraselogkeyloggerativarkeyloggerdesativarrenamekeywindowsfecharwindowsmaxwindowsminwindowsmostrarwindowsocultarwindowsmintodaswindowscaptionlistarportaslistarportasdnsfinalizarprocessoportaswebcamsettingschatmsggetpasswordupdateservidorwebkeyloggersearchurlredirecturlredirecttrueSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSAPI.dll\config\SteamAppData.vdfAutoLoginUser/ClientRegistry.Blob\ClientRegistry.blob\steam.dllt.Shd%SYS%ÞSKTOP%FirstExecutionchatmsg|Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer\Runlistarjanelas|windowsfechar|listarjanelas|windowsmax|listarjanelas|windowsmin|listarjanelas|windowsmostrar|listarjanelas|windowsocultar|listarjanelas|windowsmintodas|listarjanelas|windowscaption|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstalllistarportas|listadeportaspronta|listarportas|finalizarconexao|listarportas|finalizarprocessoportas|Y|listarportas|finalizarprocessoportas|N|registro|renamekey|keylogger|keylogger|keyloggerativar|keylogger|keylogger|keyloggerdesativar|keylogger|keyloggergetlog|keylogger|keylogger|keyloggervazio|keyloggersearchok|webcam|webcaminactive|webcam|webcamactive|_x_X_PASSWORDLIST_X_x_NOIP.abcMSN.abcFIREFOX.abcIELOGIN.abcIEPASS.abcIEAUTO.abcIEWEB.abcSOFTWARE\Mozilla\Mozilla Firefoxgetfirefoxgetielogingetiepassgetiewebgetchromegetpassword|getpasswordlist|getpassword|getpassworderror|C:\Windows\System32\drivers\etc\hostsntdll.dllXX--XX--XX.txtcglogs.datSQLite3.dlldeflate 1.2.3 Copyright 1995-2005 Jean-loup Gaillyinflate 1.2.3 Copyright 1995-2005 Mark AdlerKWindowsUnitExecutarComandosuftpUrlMon.UnitBytesSizeUnitListarPortasAtivasUnitWebcamUnitKeyloggerWinExecSetNamedPipeHandleStateGetProcessHeapCreatePipeRegOpenKeyExARegOpenKeyARegEnumKeyExARegDeleteKeyARegCreateKeyARegCloseKeyGdiplusShutdownkeybd_eventMapVirtualKeyAGetKeyboardStateGetKeyboardLayoutNameAGetKeyStateGetAsyncKeyStateExitWindowsExEnumWindowsFtpGetFileSizeFtpSetCurrentDirectoryAFtpOpenFileA%( % & % % % ].idata.relocP.rsrcadvapi32.dllAVICAP32.DLLgdi32.dllgdiplus.dllmpr.dllmsacm32.dllole32.dlloleaut32.dllpowrprof.dlluser32.dllwininet.dllwinmm.dllwsock32.dll