Skip to main content

Gen.Variant.Symmi.41732_744dc36fce


Susp_Dropper (Kaspersky), Gen:Variant.Symmi.41732 (B) (Emsisoft), Gen:Variant.Symmi.41732 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 744dc36fce68007660828111b613538e

SHA1: 141aef4fd86b979eabd3e83886a751669ce4620d

SHA256: 3b9d36b3a56d23f55a1bb6558e2dff5a4153ef1f27b3c9315f7b6783e9e72fa4

SSDeep: 6144:fgdSgMiw3NnSESKbOsddmEEGhJozjXs/NIarqkqiivruxBchpk PBOsRVo:fgwjnrSKbVdRjhJcs/2wqu1/chpk PB

Size: 370688 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6

Company: CamStudio Group

Created at: 2016-06-30 09:20:04

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3404

The Trojan injects its code into the following process(es):

AppModelService.exe:3500
notepad.exe:3392

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe (742 bytes)

Registry activity

The process AppModelService.exe:3500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:


To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AppModelService.exe" = "Type: REG_SZ, Length: 0"

The process %original file name%.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AppModelService.exe" = "Type: REG_SZ, Length: 0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3404

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe (742 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "AppModelService.exe" = "Type: REG_SZ, Length: 0"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0409631129600d41d8cd98f00b204e9800998ecf8427e
UPX13153923686403676165.439959737472d12a1d6eeaba96a925a964d8f
.rsrc684032409620482.415890cf24c7550e05115dd852616c2eb6d01

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 12
14b7270426722a5ee8c3caaed10f7279
891b0cf3cd08d0f1f120825215858593
fd666eaadc94246a506a16deb66ddc8e
f0e6212ad84487e23b96f0fc6237b4a4
29614bca30f23abf9afca11256cd4dc6
7c1b4c32ff9082c6dab7e613aaff5130
cc1d5641e85ac8c81c712ccc80256b03
99a10aa16bb3ac6a0ca5927c43ebce26
7408ac611619e0b99946685e250c8ebb
5502dfbe1cf2bdf9810fd8154763f94d
10f049ab354b88cf5702ef6e0421136b
90d9650a193e54c99f38392ce67ba64e

Network Activity

URLs

URL IP
dns.msftncsi.com
thebottleratmine.hldns.ru

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

AppModelService.exe_3500:

`.rsrc

`.rsrc

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

%s, ProgID: "%s"

%s, ProgID: "%s"

ole32.dll

ole32.dll

EInvalidOperation

EInvalidOperation

EInvalidGraphicOperation

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

VBoxService.exe

VBoxService.exe

SbieDll.dll

SbieDll.dll

dbghelp.dll

dbghelp.dll

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

55274-640-2673064-23950

55274-640-2673064-23950

76487-644-3177037-23510

76487-644-3177037-23510

76487-337-8429955-22614

76487-337-8429955-22614

\\.\Syser

\\.\Syser

\\.\SyserDbgMsg

\\.\SyserDbgMsg

\\.\SyserBoot

\\.\SyserBoot

\\.\SICE

\\.\SICE

\\.\NTICE

\\.\NTICE

user32.dll

user32.dll

Software\Microsoft\Windows\CurrentVersion\Run\

Software\Microsoft\Windows\CurrentVersion\Run\

10.211.55.20

10.211.55.20

notepad.exe

notepad.exe

1.0.4

1.0.4

PSAPI.dll

PSAPI.dll

C:\Users\gurkanarkas\Desktop\Dtback\AlienEdition\Server\SuperObject.pas

C:\Users\gurkanarkas\Desktop\Dtback\AlienEdition\Server\SuperObject.pas

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

nss3.dll

nss3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

mozglue.dll

mozglue.dll

msvcr120.dll

msvcr120.dll

msvcp120.dll

msvcp120.dll

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\Mozilla\Firefox\

logins.json

logins.json

Mozilla Firefox

Mozilla Firefox

logins[

logins[

].hostname

].hostname

].encryptedUsername

].encryptedUsername

].encryptedPassword

].encryptedPassword

BuildImportTable: can't load library:

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

BTMemoryGetProcAddress: exported symbol not found

sqlite3_open

sqlite3_open

sqlite3_close

sqlite3_close

sqlite3_exec

sqlite3_exec

sqlite3_version

sqlite3_version

sqlite3_errmsg

sqlite3_errmsg

sqlite3_errcode

sqlite3_errcode

sqlite3_free

sqlite3_free

sqlite3_get_table

sqlite3_get_table

sqlite3_free_table

sqlite3_free_table

sqlite3_complete

sqlite3_complete

sqlite3_last_insert_rowid

sqlite3_last_insert_rowid

sqlite3_interrupt

sqlite3_interrupt

sqlite3_busy_Handler

sqlite3_busy_Handler

sqlite3_busy_timeout

sqlite3_busy_timeout

sqlite3_changes

sqlite3_changes

sqlite3_total_changes

sqlite3_total_changes

sqlite3_prepare

sqlite3_prepare

sqlite3_prepare_v2

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_count

sqlite3_column_name

sqlite3_column_name

sqlite3_column_decltype

sqlite3_column_decltype

sqlite3_step

sqlite3_step

sqlite3_data_count

sqlite3_data_count

sqlite3_column_blob

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_double

sqlite3_column_Int

sqlite3_column_Int

sqlite3_column_text

sqlite3_column_text

sqlite3_column_type

sqlite3_column_type

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_reset

sqlite3_reset

sqlite3_bind_blob

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_bind_parameter_index

sqlite3_enable_shared_cache

sqlite3_enable_shared_cache

sqlite3_create_collation

sqlite3_create_collation

TSQLiteDatabase8

TSQLiteDatabase8

TSQLiteTable

TSQLiteTable

Error executing SQL

Error executing SQL

Could not prepare SQL statement

Could not prepare SQL statement

Error executing SQL statement

Error executing SQL statement

SELECT * FROM logins

SELECT * FROM logins

password_value

password_value

origin_url

origin_url

\Scream.dll

\Scream.dll

WbemScripting.SWbemLocator

WbemScripting.SWbemLocator

%s\%s

%s\%s

SELECT * FROM %s

SELECT * FROM %s

displayName %s

displayName %s

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

IMAP Password

IMAP Password

POP3 Password

POP3 Password

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

127.0.0.1

127.0.0.1

iphlpapi.dll

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

SetTcpEntry

GetExtendedTcpTable

GetExtendedTcpTable

GetExtendedUdpTable

GetExtendedUdpTable

\print.txt

\print.txt

Skype.exe

Skype.exe

main.db

main.db

\Yandex\YandexBrowser\User Data\Default\Login Data

\Yandex\YandexBrowser\User Data\Default\Login Data

\Comodo\Dragon\User Data\Default\Login Data

\Comodo\Dragon\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

Google Chrome

Google Chrome

TUnicodeKeyboard

TUnicodeKeyboard

Klog.dat

Klog.dat

\Klog.dat

\Klog.dat

cmd.exe

cmd.exe

SAPI.SpVoice

SAPI.SpVoice

Windows 2000

Windows 2000

Windows XP

Windows XP

Windows Server 2003

Windows Server 2003

Windows Server 2003 R2

Windows Server 2003 R2

Windows Vista

Windows Vista

Windows Server 2008

Windows Server 2008

Windows Server 2008 R2

Windows Server 2008 R2

Windows 7

Windows 7

Windows 8

Windows 8

Windows Server 2012

Windows Server 2012

Windows 8.1

Windows 8.1

Windows Server 2012 R2

Windows Server 2012 R2

Windows 10

Windows 10

Windows Server 2016 Technical Preview

Windows Server 2016 Technical Preview

%s|%s@%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|

%s|%s@%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|

Can't get the Windows version

Can't get the Windows version

deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly

deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly

9.VNf

9.VNf

I.PXQP

I.PXQP

.EF$q

.EF$q

XaP.uFP4

XaP.uFP4

%xTPO

%xTPO

AURl

AURl

LP%CT

LP%CT

Dg_SYÃ’R^

Dg_SYÃ’R^

W(.KgSi

W(.KgSi

7,%X\:p

7,%X\:p

.AbF P

.AbF P

.yBBo

.yBBo

ÞAI

ÞAI

!"#$%&'()* ,-./

!"#$%&'()* ,-./

SQLite forma

SQLite forma

CHECKEYCO

CHECKEYCO

3.5.9{

3.5.9{

ED/MSVCRTgr

ED/MSVCRTgr

685477580

685477580

lFk .AGc5N

lFk .AGc5N

!*&6.qos]

!*&6.qos]

zcÁ

zcÁ

KERNEL32.DLL

KERNEL32.DLL

Sqlite3.dll

Sqlite3.dll

sqlite3_aggregate_context

sqlite3_aggregate_context

sqlite3_aggregate_count

sqlite3_aggregate_count

sqlite3_auto_extension

sqlite3_auto_extension

sqlite3_bind_parameter_count

sqlite3_bind_parameter_count

sqlite3_bind_parameter_name

sqlite3_bind_parameter_name

sqlite3_bind_text16

sqlite3_bind_text16

sqlite3_bind_value

sqlite3_bind_value

sqlite3_bind_zeroblob

sqlite3_bind_zeroblob

sqlite3_blob_bytes

sqlite3_blob_bytes

sqlite3_blob_close

sqlite3_blob_close

sqlite3_blob_open

sqlite3_blob_open

sqlite3_blob_read

sqlite3_blob_read

sqlite3_blob_write

sqlite3_blob_write

sqlite3_busy_handler

sqlite3_busy_handler

sqlite3_clear_bindings

sqlite3_clear_bindings

sqlite3_collation_needed

sqlite3_collation_needed

sqlite3_collation_needed16

sqlite3_collation_needed16

sqlite3_column_bytes16

sqlite3_column_bytes16

sqlite3_column_decltype16

sqlite3_column_decltype16

sqlite3_column_int

sqlite3_column_int

sqlite3_column_name16

sqlite3_column_name16

sqlite3_column_text16

sqlite3_column_text16

sqlite3_column_value

sqlite3_column_value

sqlite3_commit_hook

sqlite3_commit_hook

sqlite3_complete16

sqlite3_complete16

sqlite3_context_db_handle

sqlite3_context_db_handle

sqlite3_create_collation16

sqlite3_create_collation16

sqlite3_create_collation_v2

sqlite3_create_collation_v2

sqlite3_create_function

sqlite3_create_function

sqlite3_create_function16

sqlite3_create_function16

sqlite3_create_module

sqlite3_create_module

sqlite3_create_module_v2

sqlite3_create_module_v2

sqlite3_db_handle

sqlite3_db_handle

sqlite3_declare_vtab

sqlite3_declare_vtab

sqlite3_enable_load_extension

sqlite3_enable_load_extension

sqlite3_errmsg16

sqlite3_errmsg16

sqlite3_expired

sqlite3_expired

sqlite3_extended_result_codes

sqlite3_extended_result_codes

sqlite3_file_control

sqlite3_file_control

sqlite3_get_autocommit

sqlite3_get_autocommit

sqlite3_get_auxdata

sqlite3_get_auxdata

sqlite3_global_recover

sqlite3_global_recover

sqlite3_libversion

sqlite3_libversion

sqlite3_libversion_number

sqlite3_libversion_number

sqlite3_limit

sqlite3_limit

sqlite3_load_extension

sqlite3_load_extension

sqlite3_malloc

sqlite3_malloc

sqlite3_memory_alarm

sqlite3_memory_alarm

sqlite3_memory_highwater

sqlite3_memory_highwater

sqlite3_memory_used

sqlite3_memory_used

sqlite3_mprintf

sqlite3_mprintf

sqlite3_mutex_alloc

sqlite3_mutex_alloc

sqlite3_mutex_enter

sqlite3_mutex_enter

sqlite3_mutex_free

sqlite3_mutex_free

sqlite3_mutex_held

sqlite3_mutex_held

sqlite3_mutex_leave

sqlite3_mutex_leave

sqlite3_mutex_notheld

sqlite3_mutex_notheld

sqlite3_mutex_try

sqlite3_mutex_try

sqlite3_open16

sqlite3_open16

sqlite3_open_v2

sqlite3_open_v2

sqlite3_overload_function

sqlite3_overload_function

sqlite3_prepare16

sqlite3_prepare16

sqlite3_prepare16_v2

sqlite3_prepare16_v2

sqlite3_profile

sqlite3_profile

sqlite3_progress_handler

sqlite3_progress_handler

sqlite3_randomness

sqlite3_randomness

sqlite3_realloc

sqlite3_realloc

sqlite3_release_memory

sqlite3_release_memory

sqlite3_reset_auto_extension

sqlite3_reset_auto_extension

sqlite3_result_blob

sqlite3_result_blob

sqlite3_result_double

sqlite3_result_double

sqlite3_result_error

sqlite3_result_error

sqlite3_result_error16

sqlite3_result_error16

sqlite3_result_error_code

sqlite3_result_error_code

sqlite3_result_error_nomem

sqlite3_result_error_nomem

sqlite3_result_error_toobig

sqlite3_result_error_toobig

sqlite3_result_int

sqlite3_result_int

sqlite3_result_int64

sqlite3_result_int64

sqlite3_result_null

sqlite3_result_null

sqlite3_result_text

sqlite3_result_text

sqlite3_result_text16

sqlite3_result_text16

sqlite3_result_text16be

sqlite3_result_text16be

sqlite3_result_text16le

sqlite3_result_text16le

sqlite3_result_value

sqlite3_result_value

sqlite3_result_zeroblob

sqlite3_result_zeroblob

sqlite3_rollback_hook

sqlite3_rollback_hook

sqlite3_set_authorizer

sqlite3_set_authorizer

sqlite3_set_auxdata

sqlite3_set_auxdata

sqlite3_sleep

sqlite3_sleep

sqlite3_snprintf

sqlite3_snprintf

sqlite3_soft_heap_limit

sqlite3_soft_heap_limit

sqlite3_sql

sqlite3_sql

sqlite3_test_control

sqlite3_test_control

sqlite3_thread_cleanup

sqlite3_thread_cleanup

sqlite3_threadsafe

sqlite3_threadsafe

sqlite3_trace

sqlite3_trace

sqlite3_transfer_bindings

sqlite3_transfer_bindings

sqlite3_update_hook

sqlite3_update_hook

sqlite3_user_data

sqlite3_user_data

sqlite3_value_blob

sqlite3_value_blob

sqlite3_value_bytes

sqlite3_value_bytes

sqlite3_value_bytes16

sqlite3_value_bytes16

sqlite3_value_double

sqlite3_value_double

sqlite3_value_int

sqlite3_value_int

sqlite3_value_int64

sqlite3_value_int64

sqlite3_value_numeric_type

sqlite3_value_numeric_type

sqlite3_value_text

sqlite3_value_text

sqlite3_value_text16

sqlite3_value_text16

sqlite3_value_text16be

sqlite3_value_text16be

sqlite3_value_text16le

sqlite3_value_text16le

sqlite3_value_type

sqlite3_value_type

sqlite3_vfs_find

sqlite3_vfs_find

sqlite3_vfs_register

sqlite3_vfs_register

sqlite3_vfs_unregister

sqlite3_vfs_unregister

sqlite3_vmprintf

sqlite3_vmprintf

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe

)ju2,iu2.iu

)ju2,iu2.iu

KWindows

KWindows

yuActivePorts

yuActivePorts

FF_Passwords

FF_Passwords

UrlMon

UrlMon

UnitKeyboardStarter

UnitKeyboardStarter

UnitScriptExecuter

UnitScriptExecuter

Usndkey32

Usndkey32

GOutlookPasswords

GOutlookPasswords

UnitDownloadExec

UnitDownloadExec

UnitChrome

UnitChrome

SQLiteTable3

SQLiteTable3

SQLite3Dynamic

SQLite3Dynamic

SQLite3DLL

SQLite3DLL

AppModelService.exeP

AppModelService.exeP

AppModelService.exe

AppModelService.exe

thebottleratmine.hldns.ru#P

thebottleratmine.hldns.ru#P

WinExec

WinExec

SetNamedPipeHandleState

SetNamedPipeHandleState

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

RegQueryInfoKeyA

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExW

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyW

RegOpenKeyW

RegOpenKeyA

RegOpenKeyA

RegFlushKey

RegFlushKey

RegEnumKeyExW

RegEnumKeyExW

RegEnumKeyExA

RegEnumKeyExA

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCreateKeyA

RegCreateKeyA

RegCloseKey

RegCloseKey

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

keybd_event

keybd_event

VkKeyScanA

VkKeyScanA

SetKeyboardState

SetKeyboardState

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyExA

MapVirtualKeyExA

MapVirtualKeyA

MapVirtualKeyA

GetKeyboardState

GetKeyboardState

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

GetAsyncKeyState

GetAsyncKeyState

ExitWindowsEx

ExitWindowsEx

EnumWindows

EnumWindows

GetKeyboardType

GetKeyboardType

InternetOpenUrlA

InternetOpenUrlA

.text

.text

`.itext

`.itext

`.data

`.data

.idata

.idata

.rdata

.rdata

@.reloc

@.reloc

B.rsrc

B.rsrc

1W8p6Ü/

1W8p6Ü/

Q `.ij

Q `.ij

advapi32.dll

advapi32.dll

crypt32.dll

crypt32.dll

gdi32.dll

gdi32.dll

mpr.dll

mpr.dll

msacm32.dll

msacm32.dll

msvcrt.dll

msvcrt.dll

NetAPI32.dll

NetAPI32.dll

ntdll.dll

ntdll.dll

powrprof.dll

powrprof.dll

shell32.dll

shell32.dll

shfolder.dll

shfolder.dll

wininet.dll

wininet.dll

winmm.dll

winmm.dll

wsock32.dll

wsock32.dll

logins

logins

software\microsoft\windows\currentversion\uninstall\

software\microsoft\windows\currentversion\uninstall\

66006666

66006666

Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image

Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image

JPEG error #%d

JPEG error #%d

Invalid stream operation

Invalid stream operation

Failed to get data for '%s'

Failed to get data for '%s'

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Unsupported clipboard format

Unsupported clipboard format

.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

"Variant method calls not supported

"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

Invalid floating point operation

Invalid floating point operation

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value

No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

I/O error %d

AppModelService.exe_3500_rwx_00401000_000A5000:

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

%s, ProgID: "%s"

%s, ProgID: "%s"

ole32.dll

ole32.dll

EInvalidOperation

EInvalidOperation

EInvalidGraphicOperation

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

VBoxService.exe

VBoxService.exe

SbieDll.dll

SbieDll.dll

dbghelp.dll

dbghelp.dll

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

55274-640-2673064-23950

55274-640-2673064-23950

76487-644-3177037-23510

76487-644-3177037-23510

76487-337-8429955-22614

76487-337-8429955-22614

\\.\Syser

\\.\Syser

\\.\SyserDbgMsg

\\.\SyserDbgMsg

\\.\SyserBoot

\\.\SyserBoot

\\.\SICE

\\.\SICE

\\.\NTICE

\\.\NTICE

user32.dll

user32.dll

Software\Microsoft\Windows\CurrentVersion\Run\

Software\Microsoft\Windows\CurrentVersion\Run\

10.211.55.20

10.211.55.20

notepad.exe

notepad.exe

1.0.4

1.0.4

PSAPI.dll

PSAPI.dll

C:\Users\gurkanarkas\Desktop\Dtback\AlienEdition\Server\SuperObject.pas

C:\Users\gurkanarkas\Desktop\Dtback\AlienEdition\Server\SuperObject.pas

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

nss3.dll

nss3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

mozglue.dll

mozglue.dll

msvcr120.dll

msvcr120.dll

msvcp120.dll

msvcp120.dll

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\Mozilla\Firefox\

logins.json

logins.json

Mozilla Firefox

Mozilla Firefox

logins[

logins[

].hostname

].hostname

].encryptedUsername

].encryptedUsername

].encryptedPassword

].encryptedPassword

BuildImportTable: can't load library:

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

BTMemoryGetProcAddress: exported symbol not found

sqlite3_open

sqlite3_open

sqlite3_close

sqlite3_close

sqlite3_exec

sqlite3_exec

sqlite3_version

sqlite3_version

sqlite3_errmsg

sqlite3_errmsg

sqlite3_errcode

sqlite3_errcode

sqlite3_free

sqlite3_free

sqlite3_get_table

sqlite3_get_table

sqlite3_free_table

sqlite3_free_table

sqlite3_complete

sqlite3_complete

sqlite3_last_insert_rowid

sqlite3_last_insert_rowid

sqlite3_interrupt

sqlite3_interrupt

sqlite3_busy_Handler

sqlite3_busy_Handler

sqlite3_busy_timeout

sqlite3_busy_timeout

sqlite3_changes

sqlite3_changes

sqlite3_total_changes

sqlite3_total_changes

sqlite3_prepare

sqlite3_prepare

sqlite3_prepare_v2

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_count

sqlite3_column_name

sqlite3_column_name

sqlite3_column_decltype

sqlite3_column_decltype

sqlite3_step

sqlite3_step

sqlite3_data_count

sqlite3_data_count

sqlite3_column_blob

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_double

sqlite3_column_Int

sqlite3_column_Int

sqlite3_column_text

sqlite3_column_text

sqlite3_column_type

sqlite3_column_type

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_reset

sqlite3_reset

sqlite3_bind_blob

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_bind_parameter_index

sqlite3_enable_shared_cache

sqlite3_enable_shared_cache

sqlite3_create_collation

sqlite3_create_collation

TSQLiteDatabase8

TSQLiteDatabase8

TSQLiteTable

TSQLiteTable

Error executing SQL

Error executing SQL

Could not prepare SQL statement

Could not prepare SQL statement

Error executing SQL statement

Error executing SQL statement

SELECT * FROM logins

SELECT * FROM logins

password_value

password_value

origin_url

origin_url

\Scream.dll

\Scream.dll

WbemScripting.SWbemLocator

WbemScripting.SWbemLocator

%s\%s

%s\%s

SELECT * FROM %s

SELECT * FROM %s

displayName %s

displayName %s

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

IMAP Password

IMAP Password

POP3 Password

POP3 Password

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

127.0.0.1

127.0.0.1

iphlpapi.dll

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

SetTcpEntry

GetExtendedTcpTable

GetExtendedTcpTable

GetExtendedUdpTable

GetExtendedUdpTable

\print.txt

\print.txt

Skype.exe

Skype.exe

main.db

main.db

\Yandex\YandexBrowser\User Data\Default\Login Data

\Yandex\YandexBrowser\User Data\Default\Login Data

\Comodo\Dragon\User Data\Default\Login Data

\Comodo\Dragon\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

Google Chrome

Google Chrome

TUnicodeKeyboard

TUnicodeKeyboard

Klog.dat

Klog.dat

\Klog.dat

\Klog.dat

cmd.exe

cmd.exe

SAPI.SpVoice

SAPI.SpVoice

Windows 2000

Windows 2000

Windows XP

Windows XP

Windows Server 2003

Windows Server 2003

Windows Server 2003 R2

Windows Server 2003 R2

Windows Vista

Windows Vista

Windows Server 2008

Windows Server 2008

Windows Server 2008 R2

Windows Server 2008 R2

Windows 7

Windows 7

Windows 8

Windows 8

Windows Server 2012

Windows Server 2012

Windows 8.1

Windows 8.1

Windows Server 2012 R2

Windows Server 2012 R2

Windows 10

Windows 10

Windows Server 2016 Technical Preview

Windows Server 2016 Technical Preview

%s|%s@%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|

%s|%s@%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|

Can't get the Windows version

Can't get the Windows version

deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly

deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly

9.VNf

9.VNf

I.PXQP

I.PXQP

.EF$q

.EF$q

XaP.uFP4

XaP.uFP4

%xTPO

%xTPO

AURl

AURl

LP%CT

LP%CT

Dg_SYÃ’R^

Dg_SYÃ’R^

W(.KgSi

W(.KgSi

7,%X\:p

7,%X\:p

.AbF P

.AbF P

.yBBo

.yBBo

ÞAI

ÞAI

!"#$%&'()* ,-./

!"#$%&'()* ,-./

SQLite forma

SQLite forma

CHECKEYCO

CHECKEYCO

3.5.9{

3.5.9{

ED/MSVCRTgr

ED/MSVCRTgr

685477580

685477580

lFk .AGc5N

lFk .AGc5N

!*&6.qos]

!*&6.qos]

zcÁ

zcÁ

KERNEL32.DLL

KERNEL32.DLL

Sqlite3.dll

Sqlite3.dll

sqlite3_aggregate_context

sqlite3_aggregate_context

sqlite3_aggregate_count

sqlite3_aggregate_count

sqlite3_auto_extension

sqlite3_auto_extension

sqlite3_bind_parameter_count

sqlite3_bind_parameter_count

sqlite3_bind_parameter_name

sqlite3_bind_parameter_name

sqlite3_bind_text16

sqlite3_bind_text16

sqlite3_bind_value

sqlite3_bind_value

sqlite3_bind_zeroblob

sqlite3_bind_zeroblob

sqlite3_blob_bytes

sqlite3_blob_bytes

sqlite3_blob_close

sqlite3_blob_close

sqlite3_blob_open

sqlite3_blob_open

sqlite3_blob_read

sqlite3_blob_read

sqlite3_blob_write

sqlite3_blob_write

sqlite3_busy_handler

sqlite3_busy_handler

sqlite3_clear_bindings

sqlite3_clear_bindings

sqlite3_collation_needed

sqlite3_collation_needed

sqlite3_collation_needed16

sqlite3_collation_needed16

sqlite3_column_bytes16

sqlite3_column_bytes16

sqlite3_column_decltype16

sqlite3_column_decltype16

sqlite3_column_int

sqlite3_column_int

sqlite3_column_name16

sqlite3_column_name16

sqlite3_column_text16

sqlite3_column_text16

sqlite3_column_value

sqlite3_column_value

sqlite3_commit_hook

sqlite3_commit_hook

sqlite3_complete16

sqlite3_complete16

sqlite3_context_db_handle

sqlite3_context_db_handle

sqlite3_create_collation16

sqlite3_create_collation16

sqlite3_create_collation_v2

sqlite3_create_collation_v2

sqlite3_create_function

sqlite3_create_function

sqlite3_create_function16

sqlite3_create_function16

sqlite3_create_module

sqlite3_create_module

sqlite3_create_module_v2

sqlite3_create_module_v2

sqlite3_db_handle

sqlite3_db_handle

sqlite3_declare_vtab

sqlite3_declare_vtab

sqlite3_enable_load_extension

sqlite3_enable_load_extension

sqlite3_errmsg16

sqlite3_errmsg16

sqlite3_expired

sqlite3_expired

sqlite3_extended_result_codes

sqlite3_extended_result_codes

sqlite3_file_control

sqlite3_file_control

sqlite3_get_autocommit

sqlite3_get_autocommit

sqlite3_get_auxdata

sqlite3_get_auxdata

sqlite3_global_recover

sqlite3_global_recover

sqlite3_libversion

sqlite3_libversion

sqlite3_libversion_number

sqlite3_libversion_number

sqlite3_limit

sqlite3_limit

sqlite3_load_extension

sqlite3_load_extension

sqlite3_malloc

sqlite3_malloc

sqlite3_memory_alarm

sqlite3_memory_alarm

sqlite3_memory_highwater

sqlite3_memory_highwater

sqlite3_memory_used

sqlite3_memory_used

sqlite3_mprintf

sqlite3_mprintf

sqlite3_mutex_alloc

sqlite3_mutex_alloc

sqlite3_mutex_enter

sqlite3_mutex_enter

sqlite3_mutex_free

sqlite3_mutex_free

sqlite3_mutex_held

sqlite3_mutex_held

sqlite3_mutex_leave

sqlite3_mutex_leave

sqlite3_mutex_notheld

sqlite3_mutex_notheld

sqlite3_mutex_try

sqlite3_mutex_try

sqlite3_open16

sqlite3_open16

sqlite3_open_v2

sqlite3_open_v2

sqlite3_overload_function

sqlite3_overload_function

sqlite3_prepare16

sqlite3_prepare16

sqlite3_prepare16_v2

sqlite3_prepare16_v2

sqlite3_profile

sqlite3_profile

sqlite3_progress_handler

sqlite3_progress_handler

sqlite3_randomness

sqlite3_randomness

sqlite3_realloc

sqlite3_realloc

sqlite3_release_memory

sqlite3_release_memory

sqlite3_reset_auto_extension

sqlite3_reset_auto_extension

sqlite3_result_blob

sqlite3_result_blob

sqlite3_result_double

sqlite3_result_double

sqlite3_result_error

sqlite3_result_error

sqlite3_result_error16

sqlite3_result_error16

sqlite3_result_error_code

sqlite3_result_error_code

sqlite3_result_error_nomem

sqlite3_result_error_nomem

sqlite3_result_error_toobig

sqlite3_result_error_toobig

sqlite3_result_int

sqlite3_result_int

sqlite3_result_int64

sqlite3_result_int64

sqlite3_result_null

sqlite3_result_null

sqlite3_result_text

sqlite3_result_text

sqlite3_result_text16

sqlite3_result_text16

sqlite3_result_text16be

sqlite3_result_text16be

sqlite3_result_text16le

sqlite3_result_text16le

sqlite3_result_value

sqlite3_result_value

sqlite3_result_zeroblob

sqlite3_result_zeroblob

sqlite3_rollback_hook

sqlite3_rollback_hook

sqlite3_set_authorizer

sqlite3_set_authorizer

sqlite3_set_auxdata

sqlite3_set_auxdata

sqlite3_sleep

sqlite3_sleep

sqlite3_snprintf

sqlite3_snprintf

sqlite3_soft_heap_limit

sqlite3_soft_heap_limit

sqlite3_sql

sqlite3_sql

sqlite3_test_control

sqlite3_test_control

sqlite3_thread_cleanup

sqlite3_thread_cleanup

sqlite3_threadsafe

sqlite3_threadsafe

sqlite3_trace

sqlite3_trace

sqlite3_transfer_bindings

sqlite3_transfer_bindings

sqlite3_update_hook

sqlite3_update_hook

sqlite3_user_data

sqlite3_user_data

sqlite3_value_blob

sqlite3_value_blob

sqlite3_value_bytes

sqlite3_value_bytes

sqlite3_value_bytes16

sqlite3_value_bytes16

sqlite3_value_double

sqlite3_value_double

sqlite3_value_int

sqlite3_value_int

sqlite3_value_int64

sqlite3_value_int64

sqlite3_value_numeric_type

sqlite3_value_numeric_type

sqlite3_value_text

sqlite3_value_text

sqlite3_value_text16

sqlite3_value_text16

sqlite3_value_text16be

sqlite3_value_text16be

sqlite3_value_text16le

sqlite3_value_text16le

sqlite3_value_type

sqlite3_value_type

sqlite3_vfs_find

sqlite3_vfs_find

sqlite3_vfs_register

sqlite3_vfs_register

sqlite3_vfs_unregister

sqlite3_vfs_unregister

sqlite3_vmprintf

sqlite3_vmprintf

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe

)ju2,iu2.iu

)ju2,iu2.iu

KWindows

KWindows

yuActivePorts

yuActivePorts

FF_Passwords

FF_Passwords

UrlMon

UrlMon

UnitKeyboardStarter

UnitKeyboardStarter

UnitScriptExecuter

UnitScriptExecuter

Usndkey32

Usndkey32

GOutlookPasswords

GOutlookPasswords

UnitDownloadExec

UnitDownloadExec

UnitChrome

UnitChrome

SQLiteTable3

SQLiteTable3

SQLite3Dynamic

SQLite3Dynamic

SQLite3DLL

SQLite3DLL

AppModelService.exeP

AppModelService.exeP

AppModelService.exe

AppModelService.exe

thebottleratmine.hldns.ru#P

thebottleratmine.hldns.ru#P

WinExec

WinExec

SetNamedPipeHandleState

SetNamedPipeHandleState

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

RegQueryInfoKeyA

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExW

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyW

RegOpenKeyW

RegOpenKeyA

RegOpenKeyA

RegFlushKey

RegFlushKey

RegEnumKeyExW

RegEnumKeyExW

RegEnumKeyExA

RegEnumKeyExA

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCreateKeyA

RegCreateKeyA

RegCloseKey

RegCloseKey

ShellExecuteA

ShellExecuteA

SHFileOperationA

SHFileOperationA

keybd_event

keybd_event

VkKeyScanA

VkKeyScanA

SetKeyboardState

SetKeyboardState

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyExA

MapVirtualKeyExA

MapVirtualKeyA

MapVirtualKeyA

GetKeyboardState

GetKeyboardState

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

GetAsyncKeyState

GetAsyncKeyState

ExitWindowsEx

ExitWindowsEx

EnumWindows

EnumWindows

GetKeyboardType

GetKeyboardType

InternetOpenUrlA

InternetOpenUrlA

.text

.text

`.itext

`.itext

`.data

`.data

.idata

.idata

.rdata

.rdata

@.reloc

@.reloc

B.rsrc

B.rsrc

logins

logins

software\microsoft\windows\currentversion\uninstall\

software\microsoft\windows\currentversion\uninstall\

66006666

66006666

Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image

Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image

JPEG error #%d

JPEG error #%d

Invalid stream operation

Invalid stream operation

Failed to get data for '%s'

Failed to get data for '%s'

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Unsupported clipboard format

Unsupported clipboard format

.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates

Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid data type for '%s' List capacity out of bounds (%d)

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

External exception %x

External exception %x

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

"Variant method calls not supported

"Variant method calls not supported

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

Invalid floating point operation

Invalid floating point operation

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value

No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

I/O error %d

notepad.exe_3392:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

msvcrt.dll

msvcrt.dll

COMDLG32.dll

COMDLG32.dll

SHELL32.dll

SHELL32.dll

WINSPOOL.DRV

WINSPOOL.DRV

ole32.dll

ole32.dll

SHLWAPI.dll

SHLWAPI.dll

COMCTL32.dll

COMCTL32.dll

OLEAUT32.dll

OLEAUT32.dll

VERSION.dll

VERSION.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegCreateKeyW

RegCreateKeyW

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

SetViewportExtEx

SetViewportExtEx

GetKeyboardLayout

GetKeyboardLayout

_amsg_exit

_amsg_exit

_acmdln

_acmdln

ShellExecuteExW

ShellExecuteExW

notepad.pdb

notepad.pdb

name="Microsoft.Windows.Shell.notepad"

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

version="5.1.0.0"

Windows Shell

Windows Shell

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

true

true

===111*!

===111*!

'141133!/!(!(!""/""

'141133!/!(!(!""/""

;;;;4;3423332

;;;;4;3423332

keYM

keYM

,k<.kq>

,k<.kq>

.WF"hB

.WF"hB

dx.Rl

dx.Rl

V.xOx_T

V.xOx_T

/.SETUP

/.SETUP

%s%c*.txt%c%s%c*.*%c

%s%c*.txt%c%s%c*.*%c

*.txt

*.txt

mshelp://windows/?id=5d18d5fb-e737-4a73-b6cc-dccc63720231

mshelp://windows/?id=5d18d5fb-e737-4a73-b6cc-dccc63720231

\StringFileInfo\xx\OriginalFilename

\StringFileInfo\xx\OriginalFilename

\sppsvc.exe

\sppsvc.exe

\slui.exe

\slui.exe

\sppuinotify.dll

\sppuinotify.dll

Text Documents (*.txt)

Text Documents (*.txt)

6.1.7600.16385 (win7_rtm.090713-1255)

6.1.7600.16385 (win7_rtm.090713-1255)

NOTEPAD.EXE

NOTEPAD.EXE

Windows

Windows

Operating System

Operating System

6.1.7600.16385

6.1.7600.16385

notepad.exe_3392_rwx_00060000_00001000:

kernel32.dll

kernel32.dll

notepad.exe_3392_rwx_00070000_00001000:

user32.dll

user32.dll

notepad.exe_3392_rwx_00160000_00001000:

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe


Related articles