Trojan.Win32.Nimnul.fxy (Kaspersky), Trojan.GenericKD.1896400 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b20ab26b621fa49001baa1de0d2e66c5
SHA1: 6ef9a96275e61c134d47c921d775255e7d6d4f65
SHA256: 556a8114206317a669dd381503966fd1a9540463f762663b5996e745678e1851
SSDeep: 3072:WCUw PE ZtBMFMwt0Y9cnBftaI5jmzqj:g9PEYtBEMC07nBF9QW
Size: 113152 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-01 18:33:54
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1040
csslisog.exe:1032
csslisog.exe:192
The Trojan injects its code into the following process(es):
mscorsvw.exe:1912
svchost.exe:1464
svchost.exe:1652
services.exe:760
lsass.exe:772
Explorer.EXE:840
svchost.exe:928
svchost.exe:996
svchost.exe:1080
svchost.exe:1128
svchost.exe:1176
spoolsv.exe:1424
jqs.exe:1952
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (601 bytes)
The process csslisog.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (601 bytes)
Registry activity
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process csslisog.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 16 22 47 7F 4D 34 9A 1D 80 8F B3 C6 5E 2E D9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process csslisog.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"UAC_bypassed" = "TRUE"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 52 9A A5 3D 9E 04 96 F5 80 C0 B0 51 6D 18 12"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1040
csslisog.exe:1032
csslisog.exe:192
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\csslisog.exe (601 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\swegbgid.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyabgndb.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SweGbgid" = "%Documents and Settings%\%current user%\Local Settings\Application Data\kqmtqgym\swegbgid.exe"
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 4.34.0.4
Legal Copyright: (C) uukZONAdhA
Legal Trademarks:
Original Filename: RYIhto.exe
Internal Name: RYIhto.exe
File Version: 4.34.0.4
File Description: uukZONAdhA
Comments: uukZONAdhA
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 110196 | 110592 | 4.67839 | 1e6f2797f8c9cc1db0f38734457eba06 |
.rsrc | 122880 | 1344 | 1536 | 2.74649 | ab7da9c8d62db85f05267febe6901e8c |
.reloc | 131072 | 12 | 512 | 0.070639 | 7e3c0b94b7eec96689e43487d56dedaa |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
table %s has no column named %s
table %s has no column named %s
sqlite_autoindex_
sqlite_autoindex_
index %s already exists
index %s already exists
there is already a table named %s
there is already a table named %s
virtual tables may not be indexed
virtual tables may not be indexed
views may not be indexed
views may not be indexed
table %s may not be indexed
table %s may not be indexed
indexed columns are not unique
indexed columns are not unique
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.%s WHERE name=%Q
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
no such index: %S
unable to identify the object to be reindexed
unable to identify the object to be reindexed
no such collation sequence: %s
no such collation sequence: %s
cannot modify %s because it is a view
cannot modify %s because it is a view
table %s may not be modified
table %s may not be modified
table %S has no column named %s
table %S has no column named %s
%d values for %d columns
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
PRIMARY KEY must be unique
PRIMARY KEY must be unique
error during initialization: %s
error during initialization: %s
no entry point [%s] in shared library [%s]
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
sqlite3_extension_init
automatic extension loading failed: %s
automatic extension loading failed: %s
unsupported encoding: %s
unsupported encoding: %s
*** in database %s ***
*** in database %s ***
foreign_key_list
foreign_key_list
SELECT name, rootpage, sql FROM '%q'.%s
SELECT name, rootpage, sql FROM '%q'.%s
unsupported file format
unsupported file format
database schema is locked: %s
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T%s%T%s%T
unknown or unsupported join type: %T%s%T%s%T
%z:%d
%z:%d
column%d
column%d
%s.%s
%s.%s
sqlite_subquery_%p_
sqlite_subquery_%p_
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
%s BY column number %d out of range - should be between 1 and %d
%s BY column number %d out of range - should be between 1 and %d
SELECTs to the left and right of %s do not have the same number of result columns
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
ORDER BY clause should come after %s not before
ORDER BY term number %d does not match any result column
ORDER BY term number %d does not match any result column
ORDER BY position %d should be between 1 and %d
ORDER BY position %d should be between 1 and %d
sqlite3_get_table() called with two or more incompatible queries
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
no such trigger: %S
no such trigger: %S
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#1
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#1
no such module: %s
no such module: %s
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
vtable constructor failed: %s
%z VIRTUAL TABLE INDEX %d:%s
%z VIRTUAL TABLE INDEX %d:%s
%z USING PRIMARY KEY
%z USING PRIMARY KEY
%z WITH INDEX %s
%z WITH INDEX %s
%z AS %s
%z AS %s
TABLE %s
TABLE %s
B}Tat most %d tables in a join
B}Tat most %d tables in a join
incomplete SQL statement
incomplete SQL statement
kernel lacks large file support
kernel lacks large file support
SQL logic error or missing database
SQL logic error or missing database
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
SOFTWARE\Far2\SavedDialogHistory\FTPHost
SOFTWARE\Far2\SavedDialogHistory\FTPHost
SOFTWARE\Far2\Plugins\FTP\Hosts
SOFTWARE\Far2\Plugins\FTP\Hosts
\wcx_PTF.ini
\wcx_PTF.ini
Software\Ghisler\Windows Commander
Software\Ghisler\Windows Commander
CSMFTPItem
CSMFTPItem
\sm.dat
\sm.dat
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Home
\GlobalSCAPE\CuteFTP Home
\GlobalSCAPE\CuteFTP Lite
\GlobalSCAPE\CuteFTP Lite
\Quick.dat
\Quick.dat
\Sites.dat
\Sites.dat
\FileZilla\sitemanager.xml
\FileZilla\sitemanager.xml
\FileZilla\recentservers.xml
\FileZilla\recentservers.xml
\ftplist.txt
\ftplist.txt
FTP Commander Pro
FTP Commander Pro
FTP Navigator
FTP Navigator
FTP Commander
FTP Commander
FTP Commander Deluxe
FTP Commander Deluxe
Software\BFTP
Software\BFTP
\BulletProof Software\BulletProof FTP Client 2009
\BulletProof Software\BulletProof FTP Client 2009
\BulletProof Software\BulletProof FTP Client
\BulletProof Software\BulletProof FTP Client
\SmartFTP\Client 2.0\Favorites
\SmartFTP\Client 2.0\Favorites
\SmartFTP
\SmartFTP
\TurboFTP
\TurboFTP
\addrbk.dat
\addrbk.dat
Software\TurboFTP
Software\TurboFTP
Software\Sota\FFFTP
Software\Sota\FFFTP
DefaultPassword
DefaultPassword
Software\Sota\FFFTP\Options
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
Software\FTPWare\COREFTP\Sites
\FTP Explorer\profiles.xml
\FTP Explorer\profiles.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UltraFXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UltraFXP
Software\Cryer\WebSitePublisher
Software\Cryer\WebSitePublisher
Software\NCH Software\ClassicFTP\FTPAccounts
Software\NCH Software\ClassicFTP\FTPAccounts
Software\SoftX.org\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
Software\FTPClient\Sites
Software\FTPClient\Sites
\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc
\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc
Software\Dev Zero G\FTP Uploader\FTP Uploader
Software\Dev Zero G\FTP Uploader\FTP Uploader
Software\South River Technologies\WebDrive\Connections
Software\South River Technologies\WebDrive\Connections
klfhuw%$#%fgjlvf
klfhuw%$#%fgjlvf
\NetDrive\NDSites.ini
\NetDrive\NDSites.ini
zcÃ
zcÃ
GetWindowsDirectoryA
GetWindowsDirectoryA
GetProcessHeap
GetProcessHeap
PeekNamedPipe
PeekNamedPipe
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyA
RegCloseKey
RegCloseKey
.flat
.flat
.text
.text
`.rdata
`.rdata
@.data
@.data
.idata
.idata
.asmdata
.asmdata
@.reloc
@.reloc
TPFk/dPipeG
TPFk/dPipeG
;-keXE
;-keXE
.ho"
.ho"
services.exe_760_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
lsass.exe_772_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
Explorer.EXE_840_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_928_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_996_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1080_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1128_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1176_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
spoolsv.exe_1424_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
mscorsvw.exe_1912_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc
jqs.exe_1952_rwx_20160000_00001000:
.text
`.rdata
@.data
.reloc