Gen.Trojan.Relhis.1_3eec2744ac

by malwarelabrobot on November 22nd, 2014 in Malware Descriptions.

FakeAlert-SecurityTool.gf (McAfee), Gen:Trojan.Relhis.1 (AdAware), Trojan-PSW.Win32.FTPAgent.FD, Kelihos.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 3eec2744ac6331afdfd695e99c541976
SHA1: cd9597621d4cbe1c539165163f6ef706b7f91c3f
SHA256: 263b96cef4dac57e60472e4cd3ec754e3515a669510b53762385ee516a3a2707
SSDeep: 12288:4Co4VOQHuT2WgJiCShSfAzXXtZWuF0TW2myNcJfxLWeZOIueKGq3GEr5/mYZEuTU:4F8uSWmhShSkXXt85mZBxaHhXJGEr5hf
Size: 771584 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:528

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:528 makes changes in the file system.
The Trojan deletes the following file(s):

C:\tmp.exe (0 bytes)

Registry activity

The process %original file name%.exe:528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 C7 EB 9D 2C AF CB D4 56 B8 D6 A7 25 37 E2 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"DirCompletedBefore" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 61 00 02 01 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"ComputerName" = "XP2"
"EnableStationQueries" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"LocalLocalizedRecord" = "47 80 F9 7F 82 80 DA 11 C1 98 F7 97 97 0D F7 60"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"ItemSavedCurrent" = "80"
"HeightSavedShow" = "00 00 00 00 00 00 00 00"

"VersionCompressedMin" = "DFuGVtrni4DfZdAZi0AciIM2cQY5eIKcn5I LZ5bIxa0WlkP3uPPqGsp3bO1xrMMbQ=="

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SonyAgent" = "c:\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             6028          6144      2.72069  25330919456819fd7126aae94732c4b4
.rdata  12288            1040          1536      2.61063  368bae941cb8c50b3d2ee87918721f66
.data   16384            1380352       512       0        bf619eac0cdf3f68d496ea9344137e8b
.rsrc   1396736          762042        762368    5.53339  932b920d720368c4c0594fcbd8a8e811

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

%original file name%.exe_528:


%original file name%.exe_528_rwx_00401000_001FE000:

e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\bin\i386\npf.pdb
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
ntoskrnl.exe
HAL.dll
NDIS.SYS
0$0)02090
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,
hXXps://VVV.verisign.com/rpa01
hXXp://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
/hXXp://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0?
3hXXp://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
`.rdata
@.data
@.reloc
L$.Qf
mscoree.dll
.mixcrt
KERNEL32.DLL
@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.110.2.2 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.112.2.12 2008-09-22 20:16:01 guy Exp $ (LBL)
4.1.1
WinPcap version %s, based on %s
WinPcap version %s (packet.dll version %s), based on %s
@(#) $Header: /tcpdump/master/libpcap/pcap-win32.c,v 1.34.2.8 2008-05-21 22:11:26 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/optimize.c,v 1.90.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/nametoaddr.c,v 1.82.2.1 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/inet.c,v 1.75.2.4 2008-04-20 18:19:24 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.99.2.2 2007/11/18 02:04:55 guy Exp $ (LBL)
$$$88$$$8
"#-./0123
@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/fad-win32.c,v 1.15 2007/09/25 20:34:36 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/etherent.c,v 1.23 2006/10/04 18:09:22 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_image.c,v 1.27.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.45.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_dump.c,v 1.14.4.1 2008/01/02 04:22:16 guy Exp $ (LBL)
%u %u %u %u
{ 0x%x, %d, %d, 0xx },
[x   %d]
#0x%x
4*([%d]&0xf)
M[%d]
(d) %-8s %-16s jt %d
jf %d
(d) %-8s %s
malloc: %s
PacketGetAdapterNames: %s
pcap_compile cannot generate filters for a TurboCap port when the PPI linktype is used.
unknown data link type %d
unsupported protocol over mpls
IEEE 802.15.4 link-layer type filtering not implemented
'tcp' modifier applied to %s
'sctp' modifier applied to %s
'udp' modifier applied to %s
'icmp' modifier applied to %s
'igmp' modifier applied to %s
'igrp' modifier applied to %s
'pim' modifier applied to %s
'vrrp' modifier applied to %s
'icmp6' modifier applied to %s
'ah' modifier applied to %s
'esp' modifier applied to %s
'esis' modifier applied to %s
'isis' modifier applied to %s
'clnp' modifier applied to %s
'stp' modifier applied to %s
'netbeui' modifier applied to %s
'radio' modifier applied to %s
'ip' modifier applied to ip6 %s
'rarp' modifier applied to ip6 %s
'arp' modifier applied to ip6 %s
'decnet' modifier applied to ip6 %s
unknown ip proto '%s'
unknown ether proto '%s'
unknown osi proto '%s'
'protochain' not supported with 802.11
unsupported proto to gen_protochain
'udp proto' is bogus
'tcp proto' is bogus
unknown network '%s'
unknown ether host '%s'
unknown FDDI host '%s'
unknown token ring host '%s'
unknown 802.11 host '%s'
unknown Fibre Channel host '%s'
only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name
unknown host '%s'
unknown host '%s'%s
illegal qualifier of 'port'
unknown port '%s'
port '%s' is tcp
port '%s' is sctp
port '%s' is udp
illegal qualifier of 'portrange'
unknown port in range '%s'
port in range '%s' is tcp
port in range '%s' is sctp
port in range '%s' is udp
'gateway' not supported in this configuration
unknown protocol: %s
non-network bits set in "%s mask %s"
non-network bits set in "%s/%d"
invalid ip6 address %s
%s resolved to multiple address
mask length must be <= %u
ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
unsupported index operation
IPv6 upper-layer protocol is not supported by proto[x]
only link-layer/IP broadcast filters supported
link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel
inbound/outbound not supported on linktype %d
libpcap was compiled without pf support
libpcap was compiled on a machine without pf support
802.11 link-layer types supported only on 802.11
frame direction supported only with 802.11 headers
aid supported only on ARCnet
no VLAN support for data link type %d
no MPLS support for data link type %d
'vpi' supported only on raw ATM
'vci' supported only on raw ATM
'callref' supported only on raw ATM
'metac' supported only on raw ATM
'bcc' supported only on raw ATM
'oam4sc' supported only on raw ATM
'oam4ec' supported only on raw ATM
'sc' supported only on raw ATM
'ilmic' supported only on raw ATM
'lane' supported only on raw ATM
'llc' supported only on raw ATM
'fisu' supported only on MTP2
'lssu' supported only on MTP2
'msu' supported only on MTP2
'sio' supported only on SS7
sio value %u too big; max value = 255
'opc' supported only on SS7
opc value %u too big; max value = 16383
'dpc' supported only on SS7
dpc value %u too big; max value = 16383
'sls' supported only on SS7
sls value %u too big; max value = 15
'oam' supported only on raw ATM
'oamf4' supported only on raw ATM
'connectmsg' supported only on raw ATM
'metaconnect' supported only on raw ATM
'port' modifier applied to ip host
'portrange' modifier applied to ip host
%d-%d
%d.%d
malformed decnet address '%s'
decnet name support not included, '%s' cannot be translated
%s for block-local relative jump: off=%d
malloc() failed: %s
%s '%s' %s
Error when listing files: does folder '%s' exist?
%s '%s' %s %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
TcApi.dll
TcQueryPortList
TcFreePortList
TcPortGetName
TcPortGetDescription
TcPacketsBufferCreate
TcPacketsBufferDestroy
TcPacketsBufferQueryNextPacket
TcPacketsBufferCommitNextPacket
Error opening TurboCap adapter: %s
Error enabling reception on a TurboCap instance: %s
Error setting the read timeout a TurboCap instance: %s
Getting the non blocking status is not available for TurboCap ports
Setting the non blocking status is not available for TurboCap ports
send error: the TurboCap API does not support packets larger than 64k
send error: TcPacketsBufferCreate failure: %s (x)
send error: TcInstanceTransmitPackets failure: %s (x)
send error: TcPacketsBufferCommitNextPacket failure: %s (x)
read error, TcInstanceReceivePackets failure: %s (x)
read error, TcPacketsBufferQueryNextPacket failure: %s (x)
TurboCap error setting the mintocopy: %s (x)
Mode %u not supported by TurboCap devices. TurboCap only supports capture.
TurboCap error in TcInstanceQueryStatistics: %s (x)
TurboCap error in TcStatisticsQueryValue: %s (x)
setfilter, unable to install the filter: %s
PacketGetStats error: %s
Error opening adapter: %s
Cannot determine the network type: %s
Error calling PacketSetMinToCopy: %s
Driver error: cannot set bpf filter: %s
PacketSetReadTimeout: %s
IEEE 802.15.4 with non-ASK PHY data
Bluetooth HCI UART transport layer plus pseudo-header
IEEE 802.15.4
IEEE 802.15.4 with Linux padding
Bluetooth HCI UART transport layer
Juniper Passive Monitor PIC
can't perform operation on activated capture
%s: %s
%s is not one of the DLTs supported by this device
DLT %d is not one of the DLTs supported by this device
That device doesn't support promiscuous mode
That device doesn't support monitor mode
That operation is supported only in monitor mode
Unknown error: %d
Sending packets isn't supported on savefiles
Setting direction is not supported on savefiles
error reading dump file: %s
truncated dump file; tried to read %u captured bytes, only got %lu
Can't write to %s: %s
%s: link-layer type %d isn't supported in savefiles
bogus IPv6 address %s
bogus ethernet address %s
illegal token: %s
illegal char '%c'
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
Cannot retrieve the extended statistics from a file or a TurboCap port
PacketGetStatsEx error: %s
Cannot transmit a queue to an offline capture or to a TurboCap port
Impossible to set user buffer while reading from a file or on a TurboCap port
Error: invalid size %d
live dump needs a physical interface supported by the NPF driver
wrong interface type. A physical interface supported by the NPF driver is needed
e:\releases\winpcap_4_1_0_1753\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb
WS2_32.dll
packet.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
wpcap.dll
> >$>(>,>
: :$:(:,:0:4:
7*848=8`8
?'?,?0?4?]?
3 3<3@3`3
.Xa6(
Export
system32\drivers\NPF.sys
SYSTEM\CurrentControlSet\Services\%s
\\.\%s
\\.\Global\%s
npp\ndisnpp.dll
e:\releases\winpcap_4_1_0_1753\winpcap\packetNtx\Dll\Project\Release\x86\Packet.pdb
VERSION.dll
NPPTools.dll
iphlpapi.dll
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
1"1 141;1
435:5`5|5
0&10191\1
9.:4:8:<:@:
= =@=`=|=
SimpleKeyingInterface: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
CryptoMaterial: this object does not support precomputation
GeneratableCryptoMaterial: this object does not support key/parameter generation
PK_MessageEncodingMethod: this signature scheme does not support message recovery
/index.html
HTTP/1.1
text/html; charset=windows-1251
<p>The requested URL
keybex3
HTTP/1.1
/dev/index.html
oparle.com
C:\boost\include\boost-1_47\boost/exception/detail/exception_ptr.hpp
Keys3
Appkey
webscanx
hkcmd
firefox
em_exec
\tmp.exe
*.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mozilla/5.0 (Windows; U; Windows NT
; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17
%d.%d.%d.%d
!#$%&'* -/=?^_`{|}~
.in-addr.arpa
: Maximum attempts exeeds
: failed to connect to smtp server "
%s, %d %s %d d:d:d %cdd
dddddd
ddddd
x.8lx$.8lx$x@%s
----=_NextPart_d_X_.8lX..8lX
F/c "start Í%\
&& %windir%\explorer Í%\
%SystemRoot%\system32\shell32.dll
Shortcut to Sony.lnk
sony.exe
npf.sys
Packet.dll
( tcp dst port 21 ) or ( tcp dst port 110 ) or ( tcp dst port 25 )
smtp
pop3_smtp
HostPassword
SET PASS
CSMFTPItem
DefaultPassword
Port
Password
[email protected]
ftpx
Login
PORT
klfhuw%$#%fgjlvf
[email protected]
S:"Password"
D:"Transfer Port"
Not a smartftp unicode string
Invalid smartftp record type
Invalid smartftp record version
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
%Documents and Settings%
\Application Data\Bitcoin\wallet.dat
C:\Users
\AppData\Roaming\Bitcoin\wallet.dat
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.?AVX509PublicKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@
.?AVPublicKey@CryptoPP@@
.?AVPKCS8PrivateKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@
.?AVPrivateKey@CryptoPP@@
.?AV?$SimpleKeyedTransformation@VStreamTransformation@CryptoPP@@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AVPublicKeyAlgorithm@CryptoPP@@
.?AVPrivateKeyAlgorithm@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.?AVInvalidKeyLength@PK_SignatureScheme@CryptoPP@@
.?AVKeyTooShort@PK_SignatureScheme@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@VARC4_Base@Weak1@CryptoPP@@V123@@CryptoPP@@VARC4_Base@Weak1@2@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@VARC4_Base@Weak1@CryptoPP@@V123@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$00$0BAA@$00$03$0A@@CryptoPP@@
.?AVwindows_file_codecvt@@
zcÁ
.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AVmonkey_gzip@monkeys@@
.?AVmoniker_helper@monkeys@@
.?AVmonkey_swap_nibbles@monkeys@@
.?AVmonkey_xor@monkeys@@
.?AVmonkey_running_xor@monkeys@@
.?AVmonkey_swap@monkeys@@
.?AVmonkey_reverse@monkeys@@
.?AVmonkey_roll_n@monkeys@@
.?AVmonkey_time_stamp@monkeys@@
.?AVmonkey_bits_pack@monkeys@@
.?AV?$typeid_wrapper@V?$socket_acceptor_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AU?$token_finderF@UTIsSep@?1???$parse_multi_line@$0IAA@@ftp_parser@@YAXAAY0IAA@$$CB_WIAAV?$vector@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V?$allocator@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@std@@@Z@@detail@algorithm@boost@@
c:\%original file name%.exe
%WinDir%
%System%\drivers\
%System%\
CreateIoCompletionPort
GetWindowsDirectoryA
GetSystemWindowsDirectoryA
GetWindowsDirectoryW
RegEnumKeyExW
RegOpenKeyW
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
HttpOpenRequestA
HttpQueryInfoA
InternetCrackUrlW
HttpSendRequestA
%d%h%
3,#9'/($*
]<%cW
.-/&00((00
.# #.11..&###
!&#### ###)))58)
##5.045 )
#3#x%uF5 
####66## .
&####*'@ 
 <   ##5## ( ##
.Zd3pe~
.reloc
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage
npf.sys (NT5/6 x86) Kernel Driver
4.1.0.1753
5755555555
5555555
577777555555
0000001111111
11111122222222
6666668
88888888
,-./0123456789
$567$$=>
.pqrst
$%&'()* ,
wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
TcpIp
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
drivers\NPF.sys
airpcap.dll
\StringFileInfo\xx\FileVersion
PACKET.DLL
packet.dll (NT5) Dynamic Link Library
\32BitFtp.ini
B\BitKinex\bitkinex.ds
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BulletProof Software\BulletProof FTP Client 2010\Options
Software\BPFTP
\BulletProof Software\BulletProof FTP Client 2009\sites\Bookmarks\
\BulletProof Software\BulletProof FTP Client\2010\sites\Bookmarks\
\BulletProof Software\BulletProof FTP Client 2009\Default.bps
\BulletProof Software\BulletProof FTP Client\2010\Default.bps
y.dat
Software\BPFTP\Bullet Proof FTP
Software\NCH Software\ClassicFTP\FTPAccounts
_Password
Software\FTPWare\COREFTP\Sites
ISOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
CUTEFTP
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
sm.dat
smdata.dat
tree.dat
\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc
\GPSoftware\Directory Opus\Layouts\System\default.oll
pass="
<ftp>@!
</ftp>
crypt32.dll
FAR Manager FTP
SOFTWARE\Far\Plugins\FTP\Hosts
SOFTWARE\Far2\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
PTF://
FSoftware\Sota\FFFTP
Software\Sota\FFFTP\Options
\FileZilla.xml
\FileZilla\sitemanager.xml
\FileZilla\recentservers.xml
filezilla.xml
sitemanager.xml
recentservers.xml
Server.Host
Server.Port
Server.User
Server.Pass
G\FlashFXP\3\Sites.dat
\FlashFXP\3\Quick.dat
\FlashFXP\3\History.dat
\FlashFXP\4\Sites.dat
\FlashFXP\4\Quick.dat
\FlashFXP\4\History.dat
\Sites.dat
\Quick.dat
\History.dat
History.dat
Quick.dat
_FtpPassword
FtpUserName
FtpServer
FtpDescription
\Frigate3\FtpSite.XML
pFTP Commander
FTP Commander Pro
FTP Navigator
FTP Commander Deluxe
\ftplist.txt
FTPCON
Software\FTP Explorer\Profiles
\FTP Explorer\profiles.xml
\FTPRush\RushSite.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UltraFXP
\sites.xml
LEAPFTP
\sites.dat
\NetDrive\NDSites.ini
IWindows/Total Commander
BulletProof FTP Client
TurboFTP
WebSitePublisher
SoftX FTP Client
LeapFTP
32bit FTP
FTP Control
CuteFTP
WS_FTP
FFFTP
Core FTP
WebDrive
Classic FTP
FTP Explorer
SmartFTP
FTPRush
Frigate3 FTP
\SmartFTP\Client 2.0\Favorites\
\SmartFTP\Favorites.dat
\SmartFTP\History.dat
\SmartFTP\Client 2.0\Favorites\Favorites.dat
advapi32.dll
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
.installpath
Software\TurboFTP
\addrbk.dat
\TurboFTP\addrbk.dat
Software\South River Technologies\WebDrive\Connections
PassWord
ISoftware\Cryer\WebSitePublisher
\Ipswitch\WS_FTP\Sites
\Ipswitch\WS_FTP Home\Sites
\win.ini
\Ipswitch\WS_FTP
password
\wcx_PTF.ini
Software\Ghisler\Windows Commander
FtpIniName

%original file name%.exe_528_rwx_00A80000_00001000:

Kernel32.dll
hrt.dhmsvcT

%original file name%.exe_528_rwx_00AA0000_00001000:

Kernel32.dll
hrt.dhmsvcT


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SonyAgent" = "c:\%original file name%.exe"

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
