Trojan-Downloader.Win32.AutoIt.th (Kaspersky), Backdoor.Generic.622690 (B) (Emsisoft), Backdoor.Generic.622690 (AdAware), Trojan.Win32.Bumat.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, Virus.Win32.Parite.B.FD, GenericAutorunWorm.YR, VirusParite.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Backdoor, Worm, Virus, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a0a4cd62bf0ff4556a5f9830cfd0553d
SHA1: 49d0d0459af4fedebdfa1aba19864e63392596b8
SHA256: 7331ba67c11daa5f86f1f0910e8979e5a8914357372236d9da557f653ea37292
SSDeep: 24576:hfmMv6Ckr7MnyI8fgVrTdjDOPOZTrkMI6z/:h3v 7/I8fQrTR
Size: 1261142 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: ??????????
Created at: 2010-03-07 18:08:39
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
5ze4r5y5ry1DLL.exe:1168
%original file name%.exe:1552
The Backdoor injects its code into the following process(es):
svchost.exe:592
Explorer.EXE:1684
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process 5ze4r5y5ry1DLL.exe:1168 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmd1.tmp (11010 bytes)
The process %original file name%.exe:1552 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Explorer32DLL.exe (23913 bytes)
%WinDir%\5ze4r5y5ry1DLL.exe (307 bytes)
The Backdoor deletes the following file(s):
%WinDir%\Explorer32DLL.exe (0 bytes)
Registry activity
The process 5ze4r5y5ry1DLL.exe:1168 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 75 97 34 2D 63 7A B0 B3 0F 1E 1F 97 0A B7 FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"svchost.exe" = "svchost"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1552 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 9A 26 C6 76 A0 EA 9D 37 B7 93 7A C3 7C BF CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{{DML7J752-5356-4Z46-B4TB-NY2A1F738Y0I}}]
"StubPath" = "%WinDir%\Explorer32DLL.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"
Dropped PE files
MD5 | File path |
---|---|
ec9a9078a8452ee622741d60648f5343 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\svchost.exe |
685f1cbd4af30a1d0c25f252d399a666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\jmd1.tmp |
ec9a9078a8452ee622741d60648f5343 | c:\WINDOWS\5ze4r5y5ry1DLL.exe |
5d1978c42c8ddcd2db3ec9cd37cae1fe | c:\%original file name%.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
5ze4r5y5ry1DLL.exe:1168
%original file name%.exe:1552 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmd1.tmp (11010 bytes)
%WinDir%\Explorer32DLL.exe (23913 bytes)
%WinDir%\5ze4r5y5ry1DLL.exe (307 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 6, 0
File Description:
Comments:
Language: English (United States)
Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 3, 3, 6, 0File Description: Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 524311 | 524800 | 4.59881 | 6c20c6bf686768b6f134f5bd508171bc |
.rdata | 532480 | 55644 | 55808 | 3.15551 | 321c940899050104ced482b1e5bf7a0e |
.data | 589824 | 107800 | 26624 | 1.52615 | e5d77411f751d28c6eee48a743606795 |
.rsrc | 700416 | 26224 | 26624 | 3.55864 | 89967892fb8c209a8bdb03cb6dfa960f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_592:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
P.tqn
P.tqn
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
SQL error or missing database
SQL error or missing database
An internal logic error in SQLite
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has another row ready
sqlite3_step() has finished executing
sqlite3_step() has finished executing
Unknown SQLite Error Code "
Unknown SQLite Error Code "
ESQLiteException
ESQLiteException
TSQLiteDatabase
TSQLiteDatabase
TSQLiteTable
TSQLiteTable
sqlite3_open
sqlite3_open
sqlite3_errmsg
sqlite3_errmsg
sqlite3_free
sqlite3_free
sqlite3_close
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_total_changes
sqlite3_errcode
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_prepare_v2
sqlite3_step
sqlite3_step
sqlite3_reset
sqlite3_reset
sqlite3_finalize
sqlite3_finalize
sqlite3_prepare
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_libversion
sqlite3_create_collation
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_changes
sqlite3_column_count
sqlite3_column_count
sqlite3_column_name
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_blob
sqlite3_column_text
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Failed to open database "%s" : unknown error
Error [%d]: %s.
Error [%d]: %s.
"%s": %s
"%s": %s
Error executing SQL
Error executing SQL
Could not prepare SQL statement
Could not prepare SQL statement
Error executing SQL statement
Error executing SQL statement
SQLite is Busy
SQLite is Busy
udprec
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
\Mozilla Firefox\
nss3.dll
nss3.dll
mozcrt19.dll
mozcrt19.dll
sqlite3.dll
sqlite3.dll
nspr4.dll
nspr4.dll
plc4.dll
plc4.dll
plds4.dll
plds4.dll
nssutil3.dll
nssutil3.dll
softokn3.dll
softokn3.dll
PK11_GetInternalKeySlot
PK11_GetInternalKeySlot
userenv.dll
userenv.dll
\Mozilla\Firefox\
\Mozilla\Firefox\
profiles.ini
profiles.ini
\signons3.txt
\signons3.txt
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\profiles.ini
signons.sqlite
signons.sqlite
SELECT * FROM moz_logins
SELECT * FROM moz_logins
encryptedPassword
encryptedPassword
Urlmon.dll
Urlmon.dll
Shell32.dll
Shell32.dll
URLDownloadToFileA
URLDownloadToFileA
ShellExecuteA
ShellExecuteA
Future Windows version (unknown)
Future Windows version (unknown)
Windows
Windows
UDPPROG1|
UDPPROG1|
UDPStart|
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
svchost.exe
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
GetCPInfo
GetCPInfo
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
5 5$5(5,5054585
5 5$5(5,5054585
>">*>2>:>
>">*>2>:>
: :$:(:,:0:4:8:<:>
: :$:(:,:0:4:8:<:>
SQLite3
SQLite3
KWindows
KWindows
UrlMon
UrlMon
SQLiteTable3
SQLiteTable3
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
Cannot open file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to get data for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_592_rwx_00427000_00001000:
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
svchost.exe_592_rwx_008B1000_00071000:
UDPSockError
UDPSockError
NMUDP
NMUDP
Errmsg
Errmsg
Port
Port
TNMUDP
TNMUDP
RemotePort
RemotePort
LocalPort
LocalPort
ReportLevelLk
ReportLevelLk
0.0.0.0
0.0.0.0
%d.%d.%d.%d
%d.%d.%d.%d
AutoHotkeys
AutoHotkeys
:].tJ
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation,0
EInvalidGraphicOperation
EInvalidGraphicOperation
KeyPreview,
KeyPreview,
WindowState
WindowState
OnKeyDown
OnKeyDown
OnKeyPressdz
OnKeyPressdz
OnKeyUp
OnKeyUp
ssHotTrack
ssHotTrack
TWindowState
TWindowState
poProportional
poProportional
TWMKey
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
vcltest3.dll
TDragOperation
TDragOperation
TKeyEvent
TKeyEvent
TKeyPressEvent
TKeyPressEvent
crSQLWait
crSQLWait
%s (%s)
%s (%s)
IMM32.DLL
IMM32.DLL
EInvalidOperation
EInvalidOperation
%s[%d]
%s[%d]
%s_%d
%s_%d
USER32.DLL
USER32.DLL
comctl32.dll
comctl32.dll
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
kernel32.dll
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
explorer.exe
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
*.TMP
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
readbook.exe
readbook.exe
rundll32.exe
rundll32.exe
*.exe
*.exe
*.scr
*.scr
UdpT
UdpT
UdpOnDataReceived
UdpOnDataReceived
xxtype.cpp
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Inappropriate I/O control operation
Broken pipe
Broken pipe
Operation not permitted
Operation not permitted
%H:%M:%S
%H:%M:%S
%m/%d/%y
%m/%d/%y
%A, %B %d, %Y
%A, %B %d, %Y
d/d/d d:d:d.d
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
ReportLevel
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyExA
RegFlushKey
RegFlushKey
SetViewportOrgEx
SetViewportOrgEx
ActivateKeyboardLayout
ActivateKeyboardLayout
EnumThreadWindows
EnumThreadWindows
EnumWindows
EnumWindows
GetKeyNameTextA
GetKeyNameTextA
GetKeyState
GetKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardState
GetKeyboardType
GetKeyboardType
LoadKeyboardLayoutA
LoadKeyboardLayoutA
MapVirtualKeyA
MapVirtualKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
VprK|%Ud
VprK|%Ud
€00404
€00404
8 @ @ @ @ @
8 @ @ @ @ @
.text
.text
`.data
`.data
.idata
.idata
@.edata
@.edata
@.rsrc
@.rsrc
@.reloc
@.reloc
70"!(&&$
70"!(&&$
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Win32 Error. Code: %d.
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Invalid data type for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
Alt Clipboard does not support Icons
!Control '%s' has no parent window
!Control '%s' has no parent window
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Ancestor for '%s' not found
Ancestor for '%s' not found
Unsupported clipboard format
Unsupported clipboard format
Class %s not found
Class %s not found
Resource %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
A class named %s already exists
Cannot assign a %s to a %s
Cannot assign a %s to a %s
Cannot create file %s
Cannot create file %s
Cannot open file %s
Cannot open file %s
Explorer.EXE_1684_rwx_022A1000_00071000:
UDPSockError
UDPSockError
NMUDP
NMUDP
Errmsg
Errmsg
Port
Port
TNMUDP
TNMUDP
RemotePort
RemotePort
LocalPort
LocalPort
ReportLevelLk*
ReportLevelLk*
0.0.0.0
0.0.0.0
%d.%d.%d.%d
%d.%d.%d.%d
AutoHotkeys
AutoHotkeys
:].tJ
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation,0
EInvalidGraphicOperation
EInvalidGraphicOperation
KeyPreview,
KeyPreview,
WindowState
WindowState
OnKeyDown
OnKeyDown
OnKeyPressdz,
OnKeyPressdz,
OnKeyUp
OnKeyUp
ssHotTrack
ssHotTrack
TWindowState
TWindowState
poProportional
poProportional
TWMKey
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
vcltest3.dll
TDragOperation
TDragOperation
TKeyEvent
TKeyEvent
TKeyPressEvent
TKeyPressEvent
crSQLWait
crSQLWait
%s (%s)
%s (%s)
IMM32.DLL
IMM32.DLL
EInvalidOperation
EInvalidOperation
%s[%d]
%s[%d]
%s_%d
%s_%d
USER32.DLL
USER32.DLL
comctl32.dll
comctl32.dll
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
kernel32.dll
Portions Copyright (c) 1983,99 Borland
Portions Copyright (c) 1983,99 Borland
explorer.exe
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
*.TMP
Kernel32.dll
Kernel32.dll
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
readbook.exe
readbook.exe
rundll32.exe
rundll32.exe
*.exe
*.exe
*.scr
*.scr
UdpT
UdpT
UdpOnDataReceived
UdpOnDataReceived
xxtype.cpp
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Inappropriate I/O control operation
Broken pipe
Broken pipe
Operation not permitted
Operation not permitted
%H:%M:%S
%H:%M:%S
%m/%d/%y
%m/%d/%y
%A, %B %d, %Y
%A, %B %d, %Y
d/d/d d:d:d.d
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
ReportLevel
GetCPInfo
GetCPInfo
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCreateKeyExA
RegFlushKey
RegFlushKey
SetViewportOrgEx
SetViewportOrgEx
ActivateKeyboardLayout
ActivateKeyboardLayout
EnumThreadWindows
EnumThreadWindows
EnumWindows
EnumWindows
GetKeyNameTextA
GetKeyNameTextA
GetKeyState
GetKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardState
GetKeyboardType
GetKeyboardType
LoadKeyboardLayoutA
LoadKeyboardLayoutA
MapVirtualKeyA
MapVirtualKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
VprK|%Ud
VprK|%Ud
€00404
€00404
8 @ @ @ @ @
8 @ @ @ @ @
.text
.text
`.data
`.data
.idata
.idata
@.edata
@.edata
@.rsrc
@.rsrc
@.reloc
@.reloc
70"!(&&$
70"!(&&$
External exception %x
External exception %x
Interface not supported
Interface not supported
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Win32 Error. Code: %d.
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
Invalid variant operation"Variant method calls not supported
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Invalid data type for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
Alt Clipboard does not support Icons
!Control '%s' has no parent window
!Control '%s' has no parent window
Error reading %s%s%s: %s
Error reading %s%s%s: %s
Ancestor for '%s' not found
Ancestor for '%s' not found
Unsupported clipboard format
Unsupported clipboard format
Class %s not found
Class %s not found
Resource %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
A class named %s already exists
Cannot assign a %s to a %s
Cannot assign a %s to a %s
Cannot create file %s
Cannot create file %s
Cannot open file %s
Cannot open file %s