HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.5550508 (B) (Emsisoft), Trojan.Generic.5550508 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)Behaviour: Trojan, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6474996438c510d2a5671d142da1409b
SHA1: 468584deab972ff32683f64fb3c55aff7345fde5
SHA256: 0693ea8551b525cd1c3c5b170a8eabb3290ad6073e621432241ffa436a615051
SSDeep: 393216:9z3lLcsE2DAAZClZLgIBuogV7xgYIZ3q/B20:9z1AsEEJUC2YIZ3q520
Size: 12970514 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2010-01-10 04:18:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1692
keygen.exe:836
keygen.exe:1452
The Trojan injects its code into the following process(es):
crude.exe:1844
svchost.exe:1712
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\keygen.exe (50052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crude.exe (1577894 bytes)
The process keygen.exe:836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (2105 bytes)
Registry activity
The process crude.exe:1844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 7A 11 93 ED 87 85 48 1E C9 38 80 0B 35 D4 63"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 FE D9 3D 0E 12 91 A0 DC D4 A4 F1 56 BE 3E F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"Keygen.exe" = "keygen"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"crude.exe" = "WindowsApplication1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process keygen.exe:836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 92 5F 0E 5A C0 84 79 B9 1D 88 3D 97 64 53 CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"svchost.exe" = "svchost"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process keygen.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 9D 33 3F 9B 3D C7 AB 14 6F FB 74 C8 5D 1B F8"
Dropped PE files
| MD5 | File path |
|---|---|
| 1d26dc9e7b179f9fcac6f7c2f08e5bad | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\svchost.exe |
| 678b2bf7a13b49aca9a828c34c32af38 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\crude.exe |
| 1d26dc9e7b179f9fcac6f7c2f08e5bad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\keygen.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1692
keygen.exe:836
keygen.exe:1452 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\keygen.exe (50052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\crude.exe (1577894 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (2105 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe" - Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: CodeMasters
Product Name: CodeMasters
Product Version: 1.5.3.2
Legal Copyright: Copyright (c) 2009
Legal Trademarks: CodeMasters
Original Filename: CodeMasters.exe
Internal Name: CodeMasters.exe
File Version: 1.5.3.2
File Description: CodeMasters
Comments:
Language: English (United States)
Company Name: CodeMastersProduct Name: CodeMastersProduct Version: 1.5.3.2Legal Copyright: Copyright (c) 2009Legal Trademarks: CodeMastersOriginal Filename: CodeMasters.exeInternal Name: CodeMasters.exeFile Version: 1.5.3.2File Description: CodeMastersComments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 10980 | 11264 | 3.89725 | 7d620a2f99767cfdf02460bd39eb45d7 |
| .sdata | 24576 | 83 | 512 | 0.804729 | 3ffa4a15fa5e517a46ffd0e7d8692182 |
| .rsrc | 32768 | 137848 | 138240 | 3.43766 | e9225b2cdbd420df479243fbaa70343c |
| .reloc | 172032 | 12 | 512 | 0.056519 | b34a8116867f176d7eb660a098ab03d2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_1712:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
SQL error or missing database
SQL error or missing database
An internal logic error in SQLite
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has another row ready
sqlite3_step() has finished executing
sqlite3_step() has finished executing
Unknown SQLite Error Code "
Unknown SQLite Error Code "
ESQLiteException
ESQLiteException
TSQLiteDatabase
TSQLiteDatabase
TSQLiteTable
TSQLiteTable
sqlite3_open
sqlite3_open
sqlite3_errmsg
sqlite3_errmsg
sqlite3_free
sqlite3_free
sqlite3_close
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_total_changes
sqlite3_errcode
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_prepare_v2
sqlite3_step
sqlite3_step
sqlite3_reset
sqlite3_reset
sqlite3_finalize
sqlite3_finalize
sqlite3_prepare
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_libversion
sqlite3_create_collation
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_changes
sqlite3_column_count
sqlite3_column_count
sqlite3_column_name
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_blob
sqlite3_column_text
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Failed to open database "%s" : unknown error
Error [%d]: %s.
Error [%d]: %s.
"%s": %s
"%s": %s
Error executing SQL
Error executing SQL
Could not prepare SQL statement
Could not prepare SQL statement
Error executing SQL statement
Error executing SQL statement
SQLite is Busy
SQLite is Busy
udprec
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
\Mozilla Firefox\
nss3.dll
nss3.dll
mozcrt19.dll
mozcrt19.dll
sqlite3.dll
sqlite3.dll
nspr4.dll
nspr4.dll
plc4.dll
plc4.dll
plds4.dll
plds4.dll
nssutil3.dll
nssutil3.dll
softokn3.dll
softokn3.dll
PK11_GetInternalKeySlot
PK11_GetInternalKeySlot
userenv.dll
userenv.dll
\Mozilla\Firefox\
\Mozilla\Firefox\
profiles.ini
profiles.ini
\signons3.txt
\signons3.txt
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\profiles.ini
signons.sqlite
signons.sqlite
SELECT * FROM moz_logins
SELECT * FROM moz_logins
encryptedPassword
encryptedPassword
Urlmon.dll
Urlmon.dll
Shell32.dll
Shell32.dll
URLDownloadToFileA
URLDownloadToFileA
ShellExecuteA
ShellExecuteA
Future Windows version (unknown)
Future Windows version (unknown)
Windows
Windows
UDPPROG1|
UDPPROG1|
UDPStart|
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
svchost.exe
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
GetCPInfo
GetCPInfo
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
5 5$5(5,5054585
5 5$5(5,5054585
>">*>2>:>
>">*>2>:>
: :$:(:,:0:4:8:<:>
: :$:(:,:0:4:8:<:>
SQLite3
SQLite3
KWindows
KWindows
UrlMon
UrlMon
SQLiteTable3
SQLiteTable3
Cannot open file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to get data for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
svchost.exe_1712_rwx_00400000_00027000:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
SQL error or missing database
SQL error or missing database
An internal logic error in SQLite
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has another row ready
sqlite3_step() has finished executing
sqlite3_step() has finished executing
Unknown SQLite Error Code "
Unknown SQLite Error Code "
ESQLiteException
ESQLiteException
TSQLiteDatabase
TSQLiteDatabase
TSQLiteTable
TSQLiteTable
sqlite3_open
sqlite3_open
sqlite3_errmsg
sqlite3_errmsg
sqlite3_free
sqlite3_free
sqlite3_close
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_total_changes
sqlite3_errcode
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_prepare_v2
sqlite3_step
sqlite3_step
sqlite3_reset
sqlite3_reset
sqlite3_finalize
sqlite3_finalize
sqlite3_prepare
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_libversion
sqlite3_create_collation
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_changes
sqlite3_column_count
sqlite3_column_count
sqlite3_column_name
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_blob
sqlite3_column_text
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Failed to open database "%s" : unknown error
Error [%d]: %s.
Error [%d]: %s.
"%s": %s
"%s": %s
Error executing SQL
Error executing SQL
Could not prepare SQL statement
Could not prepare SQL statement
Error executing SQL statement
Error executing SQL statement
SQLite is Busy
SQLite is Busy
udprec
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
\Mozilla Firefox\
nss3.dll
nss3.dll
mozcrt19.dll
mozcrt19.dll
sqlite3.dll
sqlite3.dll
nspr4.dll
nspr4.dll
plc4.dll
plc4.dll
plds4.dll
plds4.dll
nssutil3.dll
nssutil3.dll
softokn3.dll
softokn3.dll
PK11_GetInternalKeySlot
PK11_GetInternalKeySlot
userenv.dll
userenv.dll
\Mozilla\Firefox\
\Mozilla\Firefox\
profiles.ini
profiles.ini
\signons3.txt
\signons3.txt
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\profiles.ini
signons.sqlite
signons.sqlite
SELECT * FROM moz_logins
SELECT * FROM moz_logins
encryptedPassword
encryptedPassword
Urlmon.dll
Urlmon.dll
Shell32.dll
Shell32.dll
URLDownloadToFileA
URLDownloadToFileA
ShellExecuteA
ShellExecuteA
Future Windows version (unknown)
Future Windows version (unknown)
Windows
Windows
UDPPROG1|
UDPPROG1|
UDPStart|
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
svchost.exe
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegCreateKeyExA
RegCreateKeyExA
GetCPInfo
GetCPInfo
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
5 5$5(5,5054585
5 5$5(5,5054585
>">*>2>:>
>">*>2>:>
: :$:(:,:0:4:8:<:>
: :$:(:,:0:4:8:<:>
SQLite3
SQLite3
KWindows
KWindows
UrlMon
UrlMon
SQLiteTable3
SQLiteTable3
Cannot open file "%s". %s
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to get data for '%s'
Failed to set data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread creation error: %s
Thread Error: %s (%d)
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation