Susp_Dropper (Kaspersky), Gen:Variant.Symmi.41732 (B) (Emsisoft), Gen:Variant.Symmi.41732 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 744dc36fce68007660828111b613538e
SHA1: 141aef4fd86b979eabd3e83886a751669ce4620d
SHA256: 3b9d36b3a56d23f55a1bb6558e2dff5a4153ef1f27b3c9315f7b6783e9e72fa4
SSDeep: 6144:fgdSgMiw3NnSESKbOsddmEEGhJozjXs/NIarqkqiivruxBchpk PBOsRVo:fgwjnrSKbVdRjhJcs/2wqu1/chpk PB
Size: 370688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: CamStudio Group
Created at: 2016-06-30 09:20:04
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3404
The Trojan injects its code into the following process(es):
AppModelService.exe:3500
notepad.exe:3392
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe (742 bytes)
Registry activity
The process AppModelService.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AppModelService.exe" = "Type: REG_SZ, Length: 0"
The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AppModelService.exe" = "Type: REG_SZ, Length: 0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3404
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe (742 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AppModelService.exe" = "Type: REG_SZ, Length: 0"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 311296 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 315392 | 368640 | 367616 | 5.43995 | 9737472d12a1d6eeaba96a925a964d8f |
.rsrc | 684032 | 4096 | 2048 | 2.41589 | 0cf24c7550e05115dd852616c2eb6d01 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 12
Network Activity
URLs
URL | IP |
---|---|
dns.msftncsi.com | |
thebottleratmine.hldns.ru | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
AppModelService.exe_3500:
AppModelService.exe_3500_rwx_00401000_000A5000:
sqlite3_test_control
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_threadsafe
sqlite3_trace
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_update_hook
sqlite3_user_data
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_text16le
sqlite3_value_type
sqlite3_value_type
sqlite3_vfs_find
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vfs_unregister
sqlite3_vmprintf
sqlite3_vmprintf
C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe
)ju2,iu2.iu
)ju2,iu2.iu
KWindows
KWindows
yuActivePorts
yuActivePorts
FF_Passwords
FF_Passwords
UrlMon
UrlMon
UnitKeyboardStarter
UnitKeyboardStarter
UnitScriptExecuter
UnitScriptExecuter
Usndkey32
Usndkey32
GOutlookPasswords
GOutlookPasswords
UnitDownloadExec
UnitDownloadExec
UnitChrome
UnitChrome
SQLiteTable3
SQLiteTable3
SQLite3Dynamic
SQLite3Dynamic
SQLite3DLL
SQLite3DLL
AppModelService.exeP
AppModelService.exeP
AppModelService.exe
AppModelService.exe
thebottleratmine.hldns.ru#P
thebottleratmine.hldns.ru#P
WinExec
WinExec
SetNamedPipeHandleState
SetNamedPipeHandleState
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
CreatePipe
CreatePipe
RegQueryInfoKeyA
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyW
RegOpenKeyA
RegOpenKeyA
RegFlushKey
RegFlushKey
RegEnumKeyExW
RegEnumKeyExW
RegEnumKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCreateKeyA
RegCreateKeyA
RegCloseKey
RegCloseKey
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
keybd_event
keybd_event
VkKeyScanA
VkKeyScanA
SetKeyboardState
SetKeyboardState
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
MapVirtualKeyExA
MapVirtualKeyExA
MapVirtualKeyA
MapVirtualKeyA
GetKeyboardState
GetKeyboardState
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
GetKeyNameTextA
GetKeyNameTextA
GetAsyncKeyState
GetAsyncKeyState
ExitWindowsEx
ExitWindowsEx
EnumWindows
EnumWindows
GetKeyboardType
GetKeyboardType
InternetOpenUrlA
InternetOpenUrlA
.text
.text
`.itext
`.itext
`.data
`.data
.idata
.idata
.rdata
.rdata
@.reloc
@.reloc
B.rsrc
B.rsrc
logins
logins
software\microsoft\windows\currentversion\uninstall\
software\microsoft\windows\currentversion\uninstall\
66006666
66006666
Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image
Bitmaps Clipboard does not support Icons&Cannot change the size of a JPEG image
JPEG error #%d
JPEG error #%d
Invalid stream operation
Invalid stream operation
Failed to get data for '%s'
Failed to get data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
Unsupported clipboard format
Unsupported clipboard format
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%List does not allow duplicates ($0%x)%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
List index out of bounds (%d) Out of memory while expanding memory stream
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
"Variant method calls not supported
"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
Invalid floating point operation
Invalid floating point operation
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value
No argument for format '%s'!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
I/O error %d
notepad.exe_3392:
notepad.exe_3392_rwx_00060000_00001000:
kernel32.dll
notepad.exe_3392_rwx_00070000_00001000:
user32.dll
notepad.exe_3392_rwx_00160000_00001000:
C:\Users\"%CurrentUserName%"\AppData\Roaming\AppModelService.exe