Gen.Variant.Graftor.Elzob.20639_682d3df289
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.Elzob.20639 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.20639 (AdAware), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 682d3df2890629249a1f41d5fbd0bba3
SHA1: 34ae4c4286b9f8d1db3981793e53b7ce77f78680
SHA256: 7a498beb06bf771723850a592880d0707acd11f7ba1db50aaf8eebf08265a4c1
SSDeep: 196608:MCUDjlOxkQ94rjqpdHvb97AEd5JzzXSL54evF3nNyDahx21X0UJnsZsJQ:M3jwT4aXPvJX854uuahQVGZsJQ
Size: 13156352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2012-04-06 12:51:23
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's notice and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
msdcsc.exe:3712
1.exe:3412
notepad.exe:3400
%original file name%.exe:3408
The Trojan injects its code into the following process(es):
notepad.exe:2300
2.exe:3716
iexplore.exe:3724
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process 1.exe:3412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe (2321 bytes)
The process notepad.exe:3400 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (0 bytes)
The process %original file name%.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe (3214 bytes)
Registry activity
The process msdcsc.exe:3712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\CurrentVersion\Explorern]
"NoControlPanel" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
User account control (UAC) is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"
Firewall notifications are enabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "0"
The process 1.exe:3412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\system32\userinit.exe,C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 2.exe:3716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "2.exe"
Dropped PE files
MD5 | File path |
---|---|
d7e91708a7e752ce1d893ef8ee55bef5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe |
6c64f00f26c5cdb0bb8776dea44518af | c:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
msdcsc.exe:3712
1.exe:3412
notepad.exe:3400
%original file name%.exe:3408
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.exe (420 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2.exe (3214 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "C:\Windows\system32\userinit.exe,C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 14766 | 16384 | 4.31589 | fcf9b1a470ab37098356dd50085d8c88 |
.rdata | 20480 | 2178 | 4096 | 2.38072 | 4aa8682a734eef34e27e38ad2e7b7709 |
.data | 24576 | 10780 | 12288 | 0.268124 | 48507b379509ef395e1420c132236db7 |
.rsrc | 36864 | 13119200 | 13119488 | 5.5419 | 18170111866dabd40876c544e9fd2046 |
Network Activity
URLs
URL | IP |
---|---|
mrwings.hopto.org | |
dns.msftncsi.com | |
Strings from Dumps
%s Invalid stream format$''%s'' is not a valid component name Invalid stream format$''%s'' is not a valid component name External exception %x External exception %x Interface not supported Interface not supported %s (%s, line %d) %s (%s, line %d) Abstract Error?Access violation at address %p in module '%s'. %s of address %p Abstract Error?Access violation at address %p in module '%s'. %s of address %p System Error. Code: %d. System Error. Code: %d. No argument for format '%s'"Variant method calls not supported No argument for format '%s'"Variant method calls not supported Invalid variant operation%Invalid variant operation (%s%.8x) Invalid variant operation%Invalid variant operation (%s%.8x) %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s) %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s) Operation not supported Operation not supported Integer overflow Invalid floating point operation Integer overflow Invalid floating point operation Invalid pointer operation Invalid pointer operation Invalid class typecast0Access violation at address %p. %s of address %p Invalid class typecast0Access violation at address %p. %s of address %p Privileged instruction(Exception %s in module %s at %p. Privileged instruction(Exception %s in module %s at %p. Application Error1Format '%s' invalid or incompatible with argument Application Error1Format '%s' invalid or incompatible with argument !'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time !'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time '%s' is not a valid GUID value '%s' is not a valid GUID value I/O error %d I/O error %d 1, 0, 0, 1 1, 0, 0, 1 MSRSAAP.EXE MSRSAAP.EXE 4, 0, 0, 0 4, 0, 0, 0 2.exe_3716_rwx_042F0000_0000A000:
uþP 'þP O.od]
2.exe_3716_rwx_06050000_00010000:
.Mfi3
notepad.exe_2300:
iexplore.exe_3724_rwx_00400000_00106000:
notepad.exe_2300_rwx_00060000_00001000:
kernel32.dll
notepad.exe_2300_rwx_000B0000_00001000:
user32.dll
notepad.exe_2300_rwx_001A0000_00001000:
C:\Users\"%CurrentUserName%"\Documents\MSDCSC\msdcsc.exe