Trojan.Generic.12567452_caa9e43553

Trojan.Win32.VB.ctxv (Kaspersky), Trojan.Generic.12567452 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

X X

X X

NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)

NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)

The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist.

The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist.

NOTE: Only the script's own keyboard events are shown

NOTE: Only the script's own keyboard events are shown

(not the user's), because the keyboard hook isn't installed.

(not the user's), because the keyboard hook isn't installed.

Modifiers (Hook's Logical) = %s

Modifiers (Hook's Logical) = %s

Modifiers (Hook's Physical) = %s

Modifiers (Hook's Physical) = %s

Prefix key is down: %s

Prefix key is down: %s

OWarning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.

OWarning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.

"%s" is not a valid key name. The current thread will exit.

"%s" is not a valid key name. The current thread will exit.

"%s" is not allowed as a prefix key.

"%s" is not allowed as a prefix key.

%u hotkeys have been received in the last %ums.

%u hotkeys have been received in the last %ums.

(see #MaxHotkeysPerInterval in the help file)

(see #MaxHotkeysPerInterval in the help file)

Max hotkeys.

Max hotkeys.

The AltTab hotkey "%s" must have exactly one modifier/prefix.

The AltTab hotkey "%s" must have exactly one modifier/prefix.

The AltTab hotkey "%s" must specify which key (L or R).

The AltTab hotkey "%s" must specify which key (L or R).

Nonexistent hotkey variant (IfWin). The current thread will exit.

Nonexistent hotkey variant (IfWin). The current thread will exit.

Nonexistent hotkey. The current thread will exit.

Nonexistent hotkey. The current thread will exit.

SCx

SCx

A%s[%u of %u]: %-1.60s%s

A%s[%u of %u]: %-1.60s%s

: -*.|&^/

: -*.|&^/

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

%s\%s

%s\%s

=/|^,:*&~!() -"'\;`{}

=/|^,:*&~!() -"'\;`{}

timesincepriorhotkey

timesincepriorhotkey

timesincethishotkey

timesincethishotkey

priorhotkey

priorhotkey

thishotkey

thishotkey

subkey

subkey

keydelay

keydelay

detecthiddenwindows

detecthiddenwindows

%s%s%s

%s%s%s

if %s %s %s and %s

if %s %s %s and %s

%s%s %s %s

%s%s %s %s

MbP?u:

MbP?u:

%sGlobal Variables (alphabetical)%s

%sGlobal Variables (alphabetical)%s

Local Variables for %s()%s

Local Variables for %s()%s

Key History has been disabled via #KeyHistory 0.

Key History has been disabled via #KeyHistory 0.

Window: %s

Window: %s

Keybd hook: %s

Keybd hook: %s

Mouse hook: %s

Mouse hook: %s

Enabled Timers: %u of %u (%s)

Enabled Timers: %u of %u (%s)

Interrupted threads: %d%s

Interrupted threads: %d%s

Paused threads: %d of %d (%d layers)

Paused threads: %d of %d (%d layers)

Modifiers (GetKeyState() now) = %s

Modifiers (GetKeyState() now) = %s

AutoHotkey2

AutoHotkey2

%%%s%s%s

%%%s%s%s

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.

Critical Error: %s

Critical Error: %s

Specifically: %-1.100s%s

Specifically: %-1.100s%s

%s%s: %-1.500s

%s%s: %-1.500s

in #include file "%s"

in #include file "%s"

Specifically: %s

Specifically: %s

%s (%d) : ==> %s

%s (%d) : ==> %s

Line Text: %-1.100s%s

Line Text: %-1.100s%s

Error at line %u

Error at line %u

Action: %s

Action: %s

Params:

Params:

Verb:

Verb:

.hta"

.hta"

.cmd"

.cmd"

.com"

.com"

.bat"

.bat"

.exe"

.exe"

%s %s

%s %s

System verbs unsupported with RunAs. The current thread will exit.

System verbs unsupported with RunAs. The current thread will exit.

#KeyHistory

#KeyHistory

#MaxThreadsPerHotkey

#MaxThreadsPerHotkey

#MaxHotkeysPerInterval

#MaxHotkeysPerInterval

#HotkeyInterval

#HotkeyInterval

#HotkeyModifierTimeout

#HotkeyModifierTimeout

#InstallKeybdHook

#InstallKeybdHook

=/|^,:*&~!() -

=/|^,:*&~!() -

Too many parameters passed to function.

Too many parameters passed to function.

Too few parameters passed to function.

Too few parameters passed to function.

Caller must pass a variable to this ByRef parameter.

Caller must pass a variable to this ByRef parameter.

/|^,*&~!. -"

/|^,*&~!. -"

Unsupported parameter default.

Unsupported parameter default.

=/|^,:*&~!()"

=/|^,:*&~!()"

"%s" requires that parameter #%u be non-blank.

"%s" requires that parameter #%u be non-blank.

"%s" requires at least %d parameter%s.

"%s" requires at least %d parameter%s.

Invalid hotkey.

Invalid hotkey.

=/|^,:*&~!() -".

=/|^,:*&~!() -".

Unsupported static initializer.

Unsupported static initializer.

Could not extract script from EXE.

Could not extract script from EXE.

Duplicate hotkey.

Duplicate hotkey.

Hotkeys/hotstrings are not allowed inside functions.

Hotkeys/hotstrings are not allowed inside functions.

{Blind}{%s Up}

{Blind}{%s Up}

*%s::

*%s::

*%s up::

*%s up::

{Blind}%s%s{%s DownTemp}

{Blind}%s%s{%s DownTemp}

if not GetKeyState("%s")

if not GetKeyState("%s")

Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.

Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.

=/|^,:

=/|^,:

=/|^,:. -*&!?~

=/|^,:. -*&!?~

Join

Join

>AUTOHOTKEY SCRIPT

>AUTOHOTKEY SCRIPT

EndKey:

EndKey:

SOFTWARE\AutoHotkey

SOFTWARE\AutoHotkey

\\.\%c:

\\.\%c:

\\.\vwin32

\\.\vwin32

open "%s" alias AHK_PlayMe

open "%s" alias AHK_PlayMe

All Files (*.*)

All Files (*.*)

Text Documents (*.txt)

Text Documents (*.txt)

*.txt

*.txt

%s%c%sÊll Files (*.*)%c*.*%c

%s%c%sÊll Files (*.*)%c*.*%c

Select File - %s

Select File - %s

1.0.48.05

1.0.48.05

\AutoHotkey.exe

\AutoHotkey.exe

WIN32_WINDOWS

WIN32_WINDOWS

.DEFAULT\Control Panel\Desktop\ResourceLocale

.DEFAULT\Control Panel\Desktop\ResourceLocale

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Compile error %d at offset %d: %s

Compile error %d at offset %d: %s

%sBottom

%sBottom

%sRight

%sRight

%sTop

%sTop

%sLeft

%sLeft

0xX

0xX

Could not open URL hXXp://VVV.autohotkey.com in default browser.

Could not open URL hXXp://VVV.autohotkey.com in default browser.

hXXp://VVV.autohotkey.com

hXXp://VVV.autohotkey.com

hh.exe

hh.exe

%sAutoHotkey.chm"

%sAutoHotkey.chm"

\AutoHotkey.chm"

\AutoHotkey.chm"

%sAU3_Spy.exe"

%sAU3_Spy.exe"

\AU3_Spy.exe"

\AU3_Spy.exe"

set cd door %s wait

set cd door %s wait

open %s type cdaudio alias cd wait shareable

open %s type cdaudio alias cd wait shareable

set cdaudio door %s wait

set cdaudio door %s wait

Component Doesn't Support This Control Type

Component Doesn't Support This Control Type

Mixer Doesn't Support This Component Type

Mixer Doesn't Support This Component Type

0xX

0xX

Mb@AAutoHotkey v1.0.48.05

Mb@AAutoHotkey v1.0.48.05

Len%d

Len%d

Pos%d

Pos%d

Len%s

Len%s

Pos%s

Pos%s

0.0.0.0

0.0.0.0

InternetOpenUrlA

InternetOpenUrlA

Select Folder - %s

Select Folder - %s

%u.%u.%u.%u

%u.%u.%u.%u

RunAs: Missing advapi32.dll. The current thread will exit.

RunAs: Missing advapi32.dll. The current thread will exit.

%dGui

%dGui

vkX

vkX

AutoHotkeyGUI

AutoHotkeyGUI

Password

Password

Report

Report

msctls_hotkey32

msctls_hotkey32

Button%s

Button%s

&Suspend Hotkeys

&Suspend Hotkeys

Supported only for the tray menu The current thread will exit.

Supported only for the tray menu The current thread will exit.

dddddd

dddddd

dA\\?\

dA\\?\

GdiplusShutdown

GdiplusShutdown

dd

dd

The following %s name contains an illegal character:

The following %s name contains an illegal character:

"%-1.300s"%s

"%-1.300s"%s

The maximum number of MsgBoxes has been reached.

The maximum number of MsgBoxes has been reached.

operand of unlimited repeat could match the empty string

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

POSIX named classes are supported only within a class

erroffset passed as NULL

erroffset passed as NULL

POSIX collating elements are not supported

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

(*VERB) with an argument is not supported

mscoree.dll

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

Please contact the application's support team for more information.

GetProcessWindowStation

GetProcessWindowStation

user32.dll

user32.dll

internal state. The program cannot safely continue execution and must

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

continue execution and must now be terminated.

WSOCK32.dll

WSOCK32.dll

WINMM.dll

WINMM.dll

VERSION.dll

VERSION.dll

COMCTL32.dll

COMCTL32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

GetKeyboardLayout

GetKeyboardLayout

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

RegisterHotKey

RegisterHotKey

UnregisterHotKey

UnregisterHotKey

SetKeyboardState

SetKeyboardState

GetKeyboardState

GetKeyboardState

VkKeyScanExA

VkKeyScanExA

MapVirtualKeyA

MapVirtualKeyA

GetAsyncKeyState

GetAsyncKeyState

GetKeyNameTextA

GetKeyNameTextA

keybd_event

keybd_event

EnumChildWindows

EnumChildWindows

EnumWindows

EnumWindows

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

comdlg32.dll

comdlg32.dll

RegCloseKey

RegCloseKey

RegEnumKeyExA

RegEnumKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyA

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

RegDeleteKeyA

RegDeleteKeyA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteExA

ShellExecuteExA

SHFileOperationA

SHFileOperationA

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

GetCPInfo

GetCPInfo

-()[]{}:;'"/\,.?!

-()[]{}:;'"/\,.?!

zcÁ

zcÁ

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data\Charles.exe

%Documents and Settings%\%current user%\Application Data\Charles.exe

O.aMX

O.aMX

version="1.0.48.05"

version="1.0.48.05"

name="Microsoft.Windows.AutoHotkey"

name="Microsoft.Windows.AutoHotkey"

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

&Lines most recently executed

&Lines most recently executed

&Hotkeys and their methods

&Hotkeys and their methods

&Key history and script info

&Key history and script info

&Web Site

&Web Site

Apple Inc. 9.1.2 Installation

Apple Inc. 9.1.2 Installation

9.1.2

9.1.2

arsiv.exe_1800:

.text

.text

`.rdata

`.rdata

@.data

@.data

@.rsrc

@.rsrc

^SShq

^SShq

%.*s(%d)%s

%.*s(%d)%s

COMCTL32.dll

COMCTL32.dll

SHLWAPI.dll

SHLWAPI.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

COMDLG32.dll

COMDLG32.dll

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

ADVAPI32.dll

ADVAPI32.dll

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

WINRAR.SFX

WINRAR.SFX

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

:(,4;;?@

:(,4;;?@

3,45657879

3,45657879

8888888888887

8888888888887

version="1.0.0.0"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

r%.*s(%d)%s

r%.*s(%d)%s

rtmp%d

rtmp%d

Shell.Explorer

Shell.Explorer

%s %s

%s %s

%s %s %s

%s %s %s

GETPASSWORD1

GETPASSWORD1

%s%s%d

%s%s%d

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

%s.%d.tmp

%s.%d.tmp

winrarsfxmappingfile.tmp

winrarsfxmappingfile.tmp

-el -s2 "-d%s" "-p%s" "-sp%s"

-el -s2 "-d%s" "-p%s" "-sp%s"

__tmp_rar_sfx_access_check_%u

__tmp_rar_sfx_access_check_%u

sfxcmd

sfxcmd

riched20.dll

riched20.dll

riched32.dll

riched32.dll

Dosyalar %s klas

Dosyalar %s klas

*%Documents and Settings%\%current user%\Application Data\arsiv.exe

*%Documents and Settings%\%current user%\Application Data\arsiv.exe

%Documents and Settings%\%current user%\Application Data\arsiv.exe

%Documents and Settings%\%current user%\Application Data\arsiv.exe

Enter password

Enter password

&Enter password for the encrypted file:

&Enter password for the encrypted file:

Extracting %s

Extracting %s

Skipping %s

Skipping %s

The file "%s" header is corrupt%The archive comment header is corrupt

The file "%s" header is corrupt%The archive comment header is corrupt

Unknown method in %s

Unknown method in %s

Cannot open %s

Cannot open %s

Cannot create %s

Cannot create %s

Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password.

Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password.

CRC failed in %s

CRC failed in %s

Packed data CRC failed in %s

Packed data CRC failed in %s

Wrong password for %s5Write error in the file %s. Probably the disk is full

Wrong password for %s5Write error in the file %s. Probably the disk is full

Read error in the file %s

Read error in the file %s

Extracting from %s

Extracting from %s

ErroraErrors encountered while performing the operation

ErroraErrors encountered while performing the operation

Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.

Extracting files to %s folder$Extracting files to temporary folder

Extracting files to %s folder$Extracting files to temporary folder

=Total path and file name length must not exceed %d characters#Unsupported encryption method in %s

=Total path and file name length must not exceed %d characters#Unsupported encryption method in %s