Skip to main content

HackTool.Win32.PassView_a012f23bbc


Trojan.Win32.Foxhiex.agc (Kaspersky), Trojan.GenericKD.1723762 (B) (Emsisoft), Trojan.GenericKD.1723762 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)Behaviour: Trojan, Worm, HackTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a012f23bbcb77172737a307004a7ba1c

SHA1: 2cb77abfd06288dd57a91a52febb82074147fa51

SHA256: 853558da06eba9ff1a1fa6dd7bf0e6b0776ebbc0fd4d7a60cf51fbd1dda7aaff

SSDeep: 12288:hieAmmv16NBuWA5MfblVRsTidnQM7P6Bj:hxA/oN6sRV7P6Bj

Size: 479232 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2014-06-18 21:37:13

Analyzed on: WindowsXP SP3 32-bit

Summary: HackTool. Can be used to investigate, analyze or compromise the system security. Some HackTools are multi-purpose programs, while others may have legitimate uses.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.


Process activity

The HackTool creates the following process(es):

%original file name%.exe:1832
vbc.exe:2480
vbc.exe:2152
oDefrag.exe:1336

The HackTool injects its code into the following process(es):

keygen.exe:264
oDefrag.exe:444

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1832 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\keygen.exe (88 bytes)
%Documents and Settings%\%current user%\Application Data\oDefrag.exe (3073 bytes)

The process vbc.exe:2480 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RHA1KCPW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\412BSTMB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G9YVKXUN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0J0CAM90\desktop.ini (67 bytes)

The process oDefrag.exe:1336 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\csrss.exe (3073 bytes)

The process oDefrag.exe:444 makes changes in the file system.


The HackTool creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (58 bytes)

The HackTool deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)

Registry activity

The process %original file name%.exe:1832 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 3E A5 BC 37 2E D7 A0 96 D4 BD AA A0 F0 6B 60"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Keygen.exe" = "keygen"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"oDefrag.exe" = "oDefrag"

The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The HackTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process vbc.exe:2480 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F C4 D8 9D D6 1F C6 88 81 66 50 59 83 A5 4E 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process vbc.exe:2152 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 BA 5F 1D A0 17 92 46 54 6C 98 C9 DF 84 64 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process keygen.exe:264 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 6A 46 47 9F 69 91 B1 48 7A C9 FE 45 88 B7 6D"

The process oDefrag.exe:1336 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F D9 B5 91 AE C9 80 75 70 48 D9 AA 4C B2 2D 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"csrss.exe" = "csrss"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"

The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"

The HackTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process oDefrag.exe:444 makes changes in the system registry.


The HackTool creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\oDefrag\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 15 86 67 DB EE C9 15 12 4C F6 65 1C D3 32 D8"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The HackTool deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\oDefrag\DEBUG]
"Trace Level"

Dropped PE files

MD5 File path
640b5a8af03fe3e8c00b8066d97a3e5bc:\Documents and Settings\"%CurrentUserName%"\Application Data\keygen.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1832
    vbc.exe:2480
    vbc.exe:2152
    oDefrag.exe:1336

  2. Delete the original HackTool file.
  3. Delete or disinfect the following files created/modified by the HackTool:

    %Documents and Settings%\%current user%\Application Data\keygen.exe (88 bytes)
    %Documents and Settings%\%current user%\Application Data\oDefrag.exe (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RHA1KCPW\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\412BSTMB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G9YVKXUN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0J0CAM90\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\csrss.exe (3073 bytes)
    %Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
    %System%\wbem\Logs\wbemprox.log (150 bytes)
    %Documents and Settings%\%current user%\Application Data\pidloc.txt (58 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text81924660844669445.541476f3c6af8d45f85b6f19468c2174efd32
.rsrc47513692440960.637497fa1c9db9487d12e00d1c9602ac85720d
.reloc4833281240960.011373aa949fbfe6d1e1a21441221dbbf98749

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://whatismyipaddress.com/66.171.248.172

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: whatismyipaddress.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 28 Jun 2014 10:43:22 GMT

Server: Apache/2.2.26 (Unix) DAV/2 PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y

X-Powered-By: PHP/5.4.24

Set-Cookie: pt=f931a00a404b2e0a8aa138a9c855ef5a; expires=Sun, 29-Jun-2014 10:43:22 GMT

Cache-Control: max-age=15

MS-Author-Via: DAV

Vary: Accept-Encoding

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html

29a9..<!doctype html>.<html lang="en">.<head>..<meta charset="windows-1252">..<meta name="robots" content="noarchive">..<title>What Is My IP Address? IP Address Tools and More</title>..<meta name="description" content="IP address lookup, location, proxy detection, email tracing, IP hiding tips, blacklist check, speed test, and forums. Find, get, and show my IP address.">..<meta name="keywords" content="my ip ,ip, address, my, what, is, find, get, show, locate, change, location, how, do, i, ip address, proxy, server, anonymous, hide, conceal, stealth, surf, web, anonymizer, anonymize, changer, privacy, geolocation, geolocate, lookup, look up, locate, trace, track, email, source, headers">..<meta property="fb:admins" content="607824267" />..<link rel="shortcut icon" href="hXXp://cdn.whatismyipaddress.com/favicon.ico">..<link rel="stylesheet" type="text/css" href="hXXp://cdn.whatismyipaddress.com/css/myip_v4_3.css">..<link rel="publisher" href="hXXps://plus.google.com/ whatismyipaddress">..<link rel="canonical" href="hXXp://whatismyipaddress.com">..<script type="text/javascript">if (top.location!= self.location) {top.location = self.location.href;}</script>..<script type='text/javascript'>...var googletag = googletag || {};...googletag.cmd = googletag.cmd || [];...(function() {...var gads = document.createElement('script');...gads.async = true;...gads.type = 'text/javascript';...var useSSL = 'https:' == document.

<<

<<< skipped >>>

Map

The HackTool connects to the servers at the folowing location(s):

Strings from Dumps

keygen.exe_264:

.text

.text

`.rsrc

`.rsrc

t.Ht-Ht(Ht'

t.Ht-Ht(Ht'

gdi32.dll

gdi32.dll

kernel32.dll

kernel32.dll

user32.dll

user32.dll

winmm.dll

winmm.dll

Coded by .......Nemo

Coded by .......Nemo

Protection ...MD5

Protection ...MD5

xy01-CP00-a95b-1ab6-d960-634e-nm14-0628

xy01-CP00-a95b-1ab6-d960-634e-nm14-0628

00000000

00000000

qR.Aquw~

qR.Aquw~

10# # ####1:

10# # ####1:

31#### ####3=

31#### ####3=

91#0## # ###3<</pre><pre>:1100### ###1:</pre><pre>=954422226</pre><pre>*.ASSUq</pre><pre>..ATR.</pre><pre>*...BqU.</pre><pre>.....RptqpUUWpt</pre><pre>%'4666677766664)%</pre><pre>.^ssQ.QUz</pre><pre>%%)2222)2!</pre><pre>.WUUB/RR</pre><pre>%D\arrrz{</pre><pre> .QR%</pre><pre>{s^WpTQTQ.*...AQ......AQ</pre><pre>{psqspppqsqU.QB.. "</pre><pre>.Upu~</pre><pre>..QTs{</pre><pre>VEE CLOSED HIHAT 87.wa</pre><pre>VEE Bassdrum 156.wav</pre><pre>VEE SNARE 145.wav</pre><pre>CF DEEPHSE CRSH 07.wav</pre><pre>%'%x6</pre><b>keygen.exe_264_rwx_00330000_00003000:</b><pre>The procedure %s could not be located in the DLL %s.</pre><pre>The ordinal %d could not be located in the DLL %s.</pre><b>keygen.exe_264_rwx_00401000_00058000:</b><pre>t.Ht-Ht(Ht'</pre><pre>gdi32.dll</pre><pre>kernel32.dll</pre><pre>user32.dll</pre><pre>winmm.dll</pre><pre>Coded by .......Nemo</pre><pre>Protection ...MD5</pre><pre>xy01-CP00-a95b-1ab6-d960-634e-nm14-0628</pre><pre>00000000</pre><pre>qR.Aquw~</pre><pre>10# # ####1:</pre><pre>31#### ####3=</pre><pre>91#0## # ###3<</pre><pre>:1100### ###1:</pre><pre>=954422226</pre><pre>*.ASSUq</pre><pre>..ATR.</pre><pre>*...BqU.</pre><pre>.....RptqpUUWpt</pre><pre>%'4666677766664)%</pre><pre>.^ssQ.QUz</pre><pre>%%)2222)2!</pre><pre>.WUUB/RR</pre><pre>%D\arrrz{</pre><pre> .QR%</pre><pre>{s^WpTQTQ.*...AQ......AQ</pre><pre>{psqspppqsqU.QB.. "</pre><pre>.Upu~</pre><pre>..QTs{</pre><pre>VEE CLOSED HIHAT 87.wa</pre><pre>VEE Bassdrum 156.wav</pre><pre>VEE SNARE 145.wav</pre><pre>CF DEEPHSE CRSH 07.wav</pre><pre>%'%x6</pre><b>oDefrag.exe_444:</b><pre>.text</pre><pre>`.rsrc</pre><pre>@.reloc</pre><pre>lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet</pre><pre>v2.0.50727</pre><pre>CMemoryExecute.dll</pre><pre>CMemoryExecute</pre><pre>PAGE_EXECUTE_READWRITE</pre><pre>.ctor</pre><pre>System.Reflection</pre><pre>System.Runtime.InteropServices</pre><pre>System.Security.Permissions</pre><pre>System.Diagnostics</pre><pre>System.Runtime.CompilerServices</pre><pre>DllImportAttribute</pre><pre>kernel32.dll</pre><pre>ntdll.dll</pre><pre>System.Security</pre><pre>$8fcd4931-91a2-4e18-849b-70de34ab75df</pre><pre>1.0.0.0</pre><pre>System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</pre><pre>C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb</pre><pre>mscoree.dll</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>D$.SPf</pre><pre> 2 34 567</pre><pre>com.apple.Safari</pre><pre>com.apple.WebKit2WebProcess</pre><pre>SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins</pre><pre>"Account","Login Name","Password","Web Site","Comments"</pre><pre>3.7.5</pre><pre>SQLite format 3</pre><pre>CREATE TABLE sqlite_master(</pre><pre>sql text</pre><pre>REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY</pre><pre>SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins</pre><pre>PK11_GetInternalKeySlot</pre><pre>PK11_CheckUserPassword</pre><pre>large file support is disabled</pre><pre>unknown operation</pre><pre>SQL logic error or missing database</pre><pre>foreign_keys</pre><pre>sqlite_compileoption_get</pre><pre>sqlite_compileoption_used</pre><pre>sqlite_source_id</pre><pre>sqlite_version</pre><pre>sqlite_attach</pre><pre>sqlite_detach</pre><pre>sqlite_stat1</pre><pre>sqlite_rename_parent</pre><pre>sqlite_rename_trigger</pre><pre>sqlite_rename_table</pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>%Y-%m-%d</pre><pre>%H:%M:%S</pre><pre>SQLITE_</pre><pre>failed to allocate %u bytes of memory</pre><pre>failed memory resize %u to %u bytes</pre><pre>922337203685477580</pre><pre>API call with %s database connection pointer</pre><pre>%s-shm</pre><pre>%s\etilqs_</pre><pre>OsError 0x%x (%u)</pre><pre>Recovered %d frames from WAL file %s</pre><pre>%s-mjX</pre><pre>foreign key constraint failed</pre><pre>unable to use function %s in the requested context</pre><pre>abort at %d in [%s]: %s</pre><pre>constraint failed at %d in [%s]</pre><pre>cannot open savepoint - SQL statements in progress</pre><pre>no such savepoint: %s</pre><pre>cannot %s savepoint - SQL statements in progress</pre><pre>cannot rollback transaction - SQL statements in progress</pre><pre>cannot commit transaction - SQL statements in progress</pre><pre>sqlite_master</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid</pre><pre>cannot change %s wal mode from within a transaction</pre><pre>statement aborts at %d: [%s] %s</pre><pre>misuse of aliased aggregate %s</pre><pre>%s: %s.%s.%s</pre><pre>%s: %s.%s</pre><pre>%s: %s</pre><pre>%r %s BY term out of range - should be between 1 and %d</pre><pre>too many terms in %s BY clause</pre><pre>Expression tree is too large (maximum depth %d)</pre><pre>variable number must be between ?1 and ?%d</pre><pre>too many SQL variables</pre><pre>too many columns in %s</pre><pre>oversized integer: %s%s</pre><pre>misuse of aggregate: %s()</pre><pre>%.*s"%w"%s</pre><pre>%s%.*s"%w"</pre><pre>%s OR name=%Q</pre><pre>type='trigger' AND (%s)</pre><pre>there is already another table or index with this name: %s</pre><pre>sqlite_</pre><pre>table %s may not be altered</pre><pre>view %s may not be altered</pre><pre>UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;</pre><pre>UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');</pre><pre>UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;</pre><pre>Cannot add a PRIMARY KEY column</pre><pre>UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q</pre><pre>sqlite_altertab_%s</pre><pre>CREATE TABLE %Q.%s(%s)</pre><pre>DELETE FROM %Q.%s WHERE tbl=%Q</pre><pre>SELECT tbl, idx, stat FROM %Q.sqlite_stat1</pre><pre>invalid name: "%s"</pre><pre>too many attached databases - max %d</pre><pre>database %s is already in use</pre><pre>unable to open database: %s</pre><pre>no such database: %s</pre><pre>cannot detach database %s</pre><pre>database %s is locked</pre><pre>%s %T cannot reference objects in database %s</pre><pre>object name reserved for internal use: %s</pre><pre>there is already an index named %s</pre><pre>too many columns on %s</pre><pre>duplicate column name: %s</pre><pre>default value of column [%s] is not constant</pre><pre>table "%s" has more than one primary key</pre><pre>no such collation sequence: %s</pre><pre>CREATE %s %.*s</pre><pre>UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d</pre><pre>view %s is circularly defined</pre><pre>table %s may not be dropped</pre><pre>use DROP TABLE to delete table %s</pre><pre>use DROP VIEW to delete view %s</pre><pre>DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q</pre><pre>foreign key on %s should reference only one column of table %T</pre><pre>number of columns in foreign key does not match the number of columns in the referenced table</pre><pre>unknown column "%s" in foreign key definition</pre><pre>indexed columns are not unique</pre><pre>table %s may not be indexed</pre><pre>views may not be indexed</pre><pre>virtual tables may not be indexed</pre><pre>there is already a table named %s</pre><pre>index %s already exists</pre><pre>sqlite_autoindex_%s_%d</pre><pre>table %s has no column named %s</pre><pre>CREATE%s INDEX %.*s</pre><pre>INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);</pre><pre>no such index: %S</pre><pre>index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped</pre><pre>DELETE FROM %Q.%s WHERE name=%Q AND type='index'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q</pre><pre>a JOIN clause is required before %s</pre><pre>unable to identify the object to be reindexed</pre><pre>table %s may not be modified</pre><pre>cannot modify %s because it is a view</pre><pre>foreign key mismatch</pre><pre>table %S has %d columns but %d values were supplied</pre><pre>%d values for %d columns</pre><pre>table %S has no column named %s</pre><pre>%s.%s may not be NULL</pre><pre>PRIMARY KEY must be unique</pre><pre>automatic extension loading failed: %s</pre><pre>foreign_key_list</pre><pre>malformed database schema (%s)</pre><pre>%s - %s</pre><pre>unsupported file format</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid</pre><pre>unknown or unsupported join type: %T %T%s%T</pre><pre>RIGHT and FULL OUTER JOINs are not currently supported</pre><pre>a NATURAL join may not have an ON or USING clause</pre><pre>cannot have both ON and USING clauses in the same join</pre><pre>cannot join using column %s - column not present in both tables</pre><pre>%s.%s</pre><pre>%s:%d</pre><pre>no such index: %s</pre><pre>sqlite_subquery_%p_</pre><pre>no such table: %s</pre><pre>cannot create %s trigger on view: %S</pre><pre>cannot create INSTEAD OF trigger on table: %S</pre><pre>INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')</pre><pre>no such trigger: %S</pre><pre>no such column: %s</pre><pre>cannot VACUUM - SQL statements in progress</pre><pre>PRAGMA vacuum_db.synchronous=OFF</pre><pre>SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'</pre><pre>SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';</pre><pre>INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)</pre><pre>UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d</pre><pre>vtable constructor failed: %s</pre><pre>vtable constructor did not declare schema: %s</pre><pre>no such module: %s</pre><pre>table %s: xBestIndex returned an invalid plan</pre><pre>at most %d tables in a join</pre><pre>cannot use index: %s</pre><pre>the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>unable to close due to unfinished backup operation</pre><pre>unknown database: %s</pre><pre>no such vfs: %s</pre><pre>database corruption at line %d of [%.10s]</pre><pre>misuse at line %d of [%.10s]</pre><pre>cannot open file at line %d of [%.10s]</pre><pre>sqlite3_open</pre><pre>sqlite3_prepare</pre><pre>sqlite3_step</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_int</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_close</pre><pre>sqlite3_exec</pre><pre>f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb</pre><pre>msvcrt.dll</pre><pre>_wcmdln</pre><pre>COMCTL32.dll</pre><pre>VERSION.dll</pre><pre>FindCloseUrlCache</pre><pre>FindNextUrlCacheEntryW</pre><pre>FindFirstUrlCacheEntryW</pre><pre>WININET.dll</pre><pre>GetWindowsDirectoryW</pre><pre>KERNEL32.dll</pre><pre>EnumChildWindows</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>comdlg32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>5JEw%Xg</pre><pre><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>http://www.usertrust.com1</pre><pre>3http://crl.usertrust.com/AddTrustExternalCARoot.crl05</pre><pre>http://ocsp.usertrust.com0</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl05</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t</pre><pre>1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%</pre><pre>https://secure.comodo.net/CPS0A</pre><pre>0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r</pre><pre>0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$</pre><pre>http://ocsp.comodoca.com0</pre><pre>support@nirsoft.net0</pre><pre>t{SSh</pre><pre>v%SSW</pre><pre>Mail PassView</pre><pre>Mozilla\Profiles</pre><pre>Software\Mozilla\Mozilla Thunderbird</pre><pre>%s\Main</pre><pre>sqlite3.dll</pre><pre>nss3.dll</pre><pre>%programfiles%\Mozilla Thunderbird</pre><pre>AddExportHeaderLine</pre><pre>%s %s %s</pre><pre>HTTPMail User Name</pre><pre>SMTP USer Name</pre><pre>HTTPMail Server</pre><pre>SMTP Server</pre><pre>POP3 Password2</pre><pre>IMAP Password2</pre><pre>HTTPMail Password2</pre><pre>SMTP Password2</pre><pre>POP3 Port</pre><pre>IMAP Port</pre><pre>HTTPMail Port</pre><pre>SMTP Port</pre><pre>HTTPMail Secure Connection</pre><pre>SMTP Secure Connection</pre><pre>SMTP Display Name</pre><pre>SMTP Email Address</pre><pre>POP3 Password</pre><pre>IMAP Password</pre><pre>HTTP Password</pre><pre>SMTP Password</pre><pre>HTTP User</pre><pre>SMTP User</pre><pre>HTTP Server URL</pre><pre>HTTP Port</pre><pre>HTTPMail Use SSL</pre><pre>SMTP Use SSL</pre><pre>%s\%s</pre><pre>PopPort</pre><pre>PopPassword</pre><pre>SMTPAccount</pre><pre>SMTPServer</pre><pre>SMTPPort</pre><pre>SMTPLogSecure</pre><pre>SMTPPassword</pre><pre>%s\Accounts</pre><pre>LoginName</pre><pre>SavePasswordText</pre><pre>ESMTPUsername</pre><pre>ESMTPPassword</pre><pre>POP3Password</pre><pre>fb.dat</pre><pre>%s@gmail.com</pre><pre>%s@yahoo.com</pre><pre>Software\Microsoft\Windows Messaging Subsystem\Profiles</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles</pre><pre><meta http-equiv="content-type" content="text/html;charset=%s" /></pre><pre><br /><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p></p></pre><pre>smtp</pre><pre>advapi32.dll</pre><pre>comctl32.dll</pre><pre>*.ini</pre><pre>netmsg.dll</pre><pre>Error %d: %s</pre><pre>%s (%s)</pre><pre>menu_%d</pre><pre>dialog_%d</pre><pre>TranslatorURL</pre><pre>_lng.ini</pre><pre>%-18s: %s</pre><pre>%%-%d.%ds</pre><pre><td bgcolor="s" nowrap>%s</td></pre><pre><td bgcolor="s">%s</td></pre><pre><tr><td%s nowrap><b>%s</b><td bgcolor="s">%s</td></td%s></tr></pre><pre>bgcolor="%s"</pre><pre><font color="%s">%s</font></pre><pre><%s>%s</pre><pre></pre><pre>report.html</pre><pre>*.txt</pre><pre>*.htm;*.html</pre><pre>*.xml</pre><pre>*.csv</pre><pre>Software\NirSoft\MailPassView</pre><pre>MailPassView</pre><pre>/skeepass</pre><pre>/deleteregkey</pre><pre>Failed to load the executable file !</pre><pre>mail.account.account</pre><pre>mail.server</pre><pre>port</pre><pre>mail.identity</pre><pre>signon.signonfilename</pre><pre>mailbox://%s@%s</pre><pre>imap://%s@%s</pre><pre>mailbox://%s</pre><pre>imap://%s</pre><pre>signons.txt</pre><pre>signons.sqlite</pre><pre>prefs.js</pre><pre>Password.NET Messenger Service</pre><pre>User.NET Messenger Service</pre><pre>Passport.Net\*</pre><pre>ps:password</pre><pre>windowslive:name=</pre><pre>Exception %8.8X at address %8.8X in module %s</pre><pre>Stack Data: %s</pre><pre>Code Data: %s</pre><pre>mozsqlite3.dll</pre><pre>psapi.dll</pre><pre>pstorec.dll</pre><pre>5e7e8100-9138-11d1-945a-00c04fc308ff</pre><pre>00000000-0000-0000-0000-000000000000</pre><pre>220D5CD0-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CD1-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CC1-853A-11D0-84BC-00C04FD43F8F</pre><pre>417E2D75-84BD-11D0-84BB-00C04FD43F8F</pre><pre>shell32.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>shlwapi.dll</pre><pre><html><head>%s<title>%s</title></head></html></pre><pre>%s <h3>%s</h3></pre><pre>size="%d"</pre><pre>color="#%s"</pre><pre><font color="%s"></font></pre><pre><table border="1" cellpadding="5"><tr%s></tr%s></table></pre><pre>width="%s"</pre><pre><th%s>%s%s%s</th%s></pre><pre>SOFTWARE\Mozilla</pre><pre>mozilla</pre><pre>%s\bin</pre><pre>PathToExe</pre><pre>\sqlite3.dll</pre><pre>\mozsqlite3.dll</pre><pre>Software\Microsoft\Windows Mail</pre><pre>Software\Microsoft\Windows Live Mail</pre><pre>SMTP_Server</pre><pre>SMTP_User_Name</pre><pre>POP3_Password2</pre><pre>IMAP_Password2</pre><pre>NNTP_Password2</pre><pre>SMTP_Password2</pre><pre>SMTP_Email_Address</pre><pre>SMTP_Port</pre><pre>NNTP_Port</pre><pre>IMAP_Port</pre><pre>POP3_Port</pre><pre>SMTP_Secure_Connection</pre><pre>*.oeaccount</pre><pre>\Microsoft\Windows Mail</pre><pre>\Microsoft\Windows Live Mail</pre><pre>f:\Projects\VS2005\mailpv\Release\mailpv.pdb</pre><pre>_acmdln</pre><pre>RPCRT4.dll</pre><pre>GetWindowsDirectoryA</pre><pre>RegDeleteKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegEnumKeyExA</pre><pre>ShellExecuteA</pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="NirSoft" type="win32"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD</pre><pre>Debugger.exe</pre><pre>Microsoft.VisualBasic</pre><pre>System.Windows.Forms</pre><pre>System.Drawing</pre><pre>System.Management</pre><pre>tapi32.dll</pre><pre>rtm.dll</pre><pre>user32.dll</pre><pre>Debugger.Debugger.resources</pre><pre>Debugger.Resources.resources</pre><pre>Debugger.My</pre><pre>WindowsFormsApplicationBase</pre><pre>Microsoft.VisualBasic.ApplicationServices</pre><pre>System.ComponentModel</pre><pre>System.CodeDom.Compiler</pre><pre>Microsoft.VisualBasic.Devices</pre><pre>m_MyWebServicesObjectProvider</pre><pre>.cctor</pre><pre>get_WebServices</pre><pre>HelpKeywordAttribute</pre><pre>System.ComponentModel.Design</pre><pre>WebServices</pre><pre>Microsoft.VisualBasic.CompilerServices</pre><pre>System.Collections</pre><pre>ContainsKey</pre><pre>InvalidOperationException</pre><pre>MyWebServices</pre><pre>encryptedpassstring</pre><pre>encryptedsmtpstring</pre><pre>portstring</pre><pre>fakeMSGholder</pre><pre>encryptedftphost</pre><pre>encryptedftpuser</pre><pre>encryptedftppass</pre><pre>useftp</pre><pre>websitevisitor</pre><pre>websiteblocker</pre><pre>passstring</pre><pre>smtpstring</pre><pre>ftphost</pre><pre>ftpuser</pre><pre>ftppass</pre><pre>WM_KEYUP</pre><pre>WM_KEYDOWN</pre><pre>WM_SYSKEYDOWN</pre><pre>WM_SYSKEYUP</pre><pre>KeyboardHandle</pre><pre>KeyLog</pre><pre>CleanedPasswordsMAIL</pre><pre>CleanedPasswordsWB</pre><pre>System.IO</pre><pre>get_ExecutablePath</pre><pre>WindowsIdentity</pre><pre>System.Security.Principal</pre><pre>set_WindowState</pre><pre>FormWindowState</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>GetAsyncKeyState</pre><pre>vKey</pre><pre>HookKeyboard</pre><pre>UnhookKeyboard</pre><pre>Operators</pre><pre>get_Keyboard</pre><pre>Keyboard</pre><pre>get_CtrlKeyDown</pre><pre>get_AltKeyDown</pre><pre>KeyboardCallback</pre><pre>System.Threading</pre><pre>System.Collections.Generic</pre><pre>Microsoft.VisualBasic.MyServices</pre><pre>System.Collections.ObjectModel</pre><pre>MsgBox</pre><pre>MsgBoxResult</pre><pre>MsgBoxStyle</pre><pre>set_WindowStyle</pre><pre>ProcessWindowStyle</pre><pre>ForceSteamLogin</pre><pre>System.Net.NetworkInformation</pre><pre>get_OperationalStatus</pre><pre>OperationalStatus</pre><pre>FakemsgInstall</pre><pre>System.Net.Mail</pre><pre>SmtpClient</pre><pre>System.Globalization</pre><pre>set_Port</pre><pre>System.Net</pre><pre>Microsoft.Win32</pre><pre>RegistryKey</pre><pre>OpenSubKey</pre><pre>System.Security.Cryptography</pre><pre>System.Text</pre><pre>set_Key</pre><pre>stealWebroswers</pre><pre>WebClient</pre><pre>readweb</pre><pre>System.IO.Compression</pre><pre>SendLogsFTP</pre><pre>FtpWebRequest</pre><pre>WebRequest</pre><pre>UploadFTP</pre><pre>secretKey</pre><pre>set_KeySize</pre><pre>get_KeySize</pre><pre>System.Net.Sockets</pre><pre>virtualKey</pre><pre>KeyboardHookDelegate</pre><pre>get_Msg</pre><pre>Debugger.My.Resources</pre><pre>System.Resources</pre><pre>get_CMemoryExecute</pre><pre>get_WebBrowserPassView</pre><pre>WebBrowserPassView</pre><pre>System.Configuration</pre><pre>8.0.0.0</pre><pre>My.Computer</pre><pre>My.Application</pre><pre>My.User</pre><pre>My.Forms</pre><pre>My.WebServices</pre><pre>System.Windows.Forms.Form</pre><pre>My.MyProject.Forms</pre><pre>4System.Web.Services.Protocols.SoapHttpClientProtocol</pre><pre>3System.Resources.Tools.StronglyTypedResourceBuilder</pre><pre>4.0.0.0</pre><pre>KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator</pre><pre>10.0.0.0</pre><pre>My.Settings</pre><pre>$e48811ca-8af8-4e73-85dd-2045b9cca73a</pre><pre>_CorExeMain</pre><pre><assemblyIdentity version="1.0.0.0" name="MyApplication.app" /></pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false" /></pre><pre>%%0.ß</pre><pre>Apple Computer\Preferences\keychain.plist</pre><pre>LoadPasswordsIE</pre><pre>LoadPasswordsFirefox</pre><pre>LoadPasswordsChrome</pre><pre>LoadPasswordsOpera</pre><pre>LoadPasswordsSafari</pre><pre>LoadPasswordsSeaMonkey</pre><pre>UseFirefoxProfileFolder</pre><pre>UseFirefoxInstallFolder</pre><pre>UseChromeProfileFolder</pre><pre>UseOperaPasswordFile</pre><pre>FirefoxProfileFolder</pre><pre>FirefoxInstallFolder</pre><pre>ChromeProfileFolder</pre><pre>OperaPasswordFile</pre><pre>Aadvapi32.dll</pre><pre>crypt32.dll</pre><pre>777705555443332</pre><pre>5555443332</pre><pre>5555443332</pre><pre>wand.dat</pre><pre>@nss3.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe</pre><pre>%programfiles%\Sea Monkey</pre><pre>%programfiles%\Mozilla Firefox</pre><pre>-signons.txt</pre><pre>signons2.txt</pre><pre>signons3.txt</pre><pre>@dllhost.exe</pre><pre>taskhost.exe</pre><pre>taskhostex.exe</pre><pre>Microsoft\Windows\WebCache\WebCacheV01.dat</pre><pre>Microsoft\Windows\WebCache\WebCacheV24.dat</pre><pre>index.dat</pre><pre>https://www.google.com/accounts/servicelogin</pre><pre>http://www.facebook.com/</pre><pre>https://login.yahoo.com/config/login</pre><pre>http://</pre><pre>https://</pre><pre>ftp://</pre><pre>@history.dat</pre><pre>places.sqlite</pre><pre>Mozilla\Firefox\Profiles</pre><pre>Mozilla\SeaMonkey\Profiles</pre><pre>Mozilla\SeaMonkey</pre><pre>Mozilla\Firefox</pre><pre>profiles.ini</pre><pre>Profile%d</pre><pre>tntdll.dll</pre><pre>sWeb Data</pre><pre>Login Data</pre><pre>Google\Chrome\User Data</pre><pre>Google\Chrome SxS\User Data</pre><pre>Opera\Opera\wand.dat</pre><pre>Opera\Opera7\profile\wand.dat</pre><pre>Opera</pre><pre>@"%s"</pre><pre>Ashell32.dll</pre><pre>\nss3.dll</pre><pre>.save</pre><pre>vaultcli.dll</pre><pre>abe2869f-9b47-4cd9-a358-c22904dba7f7</pre><pre>Copy &Password</pre><pre>&HTML Report - All Items</pre><pre>HTML R&eport - Selected Items</pre><pre>HTML Report - All Items</pre><pre>HTML Report - Selected Items</pre><pre>Load Passwords From...</pre><pre>Google Chrome</pre><pre>Mozilla Firefox</pre><pre>SeaMonkey</pre><pre>Firefox Options</pre><pre>Master password:</pre><pre>Firefox Profile:</pre><pre>Firefox Installation:</pre><pre>Chrome Options</pre><pre>Opera Options</pre><pre>wand.dat file:</pre><pre>%d Passwords</pre><pre>, %d Selected</pre><pre>Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)</pre><pre>Loading... %d</pre><pre>KeePass csv file</pre><pre>Opera Password File</pre><pre>Firefox 1.x</pre><pre>Firefox 2.x</pre><pre>Firefox 3.0</pre><pre>Firefox</pre><pre>Chrome</pre><pre>Web Browser</pre><pre>Password</pre><pre>Password Strength</pre><pre>Password Field</pre><pre>WebBrowserPassView.exe</pre><pre>www.google.com/Please log in to your Gmail account</pre><pre>www.google.com:443/Please log in to your Gmail account</pre><pre>www.google.com/Please log in to your Google Account</pre><pre>www.google.com:443/Please log in to your Google Account</pre><pre>www.google.com</pre><pre>dWindowsLive:name=*</pre><pre>82BD0E67-9FEA-4748-8672-D5EFE5B779B0</pre><pre>Copy Password</pre><pre>%d items</pre><pre>Select Eudora.ini filename/Select the location of Thunderbird installation</pre><pre>Eudora.ini file</pre><pre>SMTP</pre><pre>Windows Mail</pre><pre>Windows Live Mail</pre><pre>Server Port</pre><pre>SMTP Server Port</pre><pre>Mail Password Recovery</pre><pre>mailpv.exe</pre><pre>3, 7 #,)</pre><pre>MessageBoxIcon.Error</pre><pre>noftp</pre><pre>filename.exe</pre><pre>http://www.example.com/directory/file.exe</pre><pre>Disablecmd</pre><pre>\Windows Update.exe</pre><pre>\WindowsUpdate.exe</pre><pre>SysInfo.txt</pre><pre>\pid.txt</pre><pre>\pidloc.txt</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>127.0.0.1</pre><pre>ping -n 1 -w 3000 1.1.1.1</pre><pre>cmd.exe</pre><pre>\SteamAppData.vdf</pre><pre>\ClientRegistry.blob</pre><pre>MessageBoxIcon.Exclamation</pre><pre>Keylogger Enabled:</pre><pre>Operating System:</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced</pre><pre>autorun.inf</pre><pre>open=Sys.exe</pre><pre>Sys.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update</pre><pre>C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>\bitcoin\wallet.dat</pre><pre>_wallet.dat</pre><pre>wallet.dat</pre><pre>Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>holdermail.txt"</pre><pre>holdermail.txt</pre><pre>Operating System Intel Recovery</pre><pre>Operating System Platform:</pre><pre>Operating System Version:</pre><pre>WEB Browser Password Recovery</pre><pre>Mail Messenger Password Recovery</pre><pre>Jdownloader Password Recovery</pre><pre>holderwb.txt"</pre><pre>holderwb.txt</pre><pre>C:\Users\</pre><pre>_Pin0.jpeg</pre><pre>_Pin1.jpeg</pre><pre>_Pin2.jpeg</pre><pre>_Pin3.jpeg</pre><pre>_Pin4.jpeg</pre><pre>Steals the Wallet.DAT file that holds the users bitcoin currency</pre><pre>\.minecraft\lastlogin</pre><pre>There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor</pre><pre>Predator Pain v14 - Key Recorder - [</pre><pre>Keylogger Log</pre><pre>.jpeg</pre><pre>Predator_Pain_v14_KeyLog_</pre><pre>http://whatismyipaddress.com/</pre><pre>Debugger.Resources</pre><pre>:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><b>oDefrag.exe_444_rwx_00400000_00084000:</b><pre>.text</pre><pre>`.rsrc</pre><pre>@.reloc</pre><pre>lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet</pre><pre>v2.0.50727</pre><pre>CMemoryExecute.dll</pre><pre>CMemoryExecute</pre><pre>PAGE_EXECUTE_READWRITE</pre><pre>.ctor</pre><pre>System.Reflection</pre><pre>System.Runtime.InteropServices</pre><pre>System.Security.Permissions</pre><pre>System.Diagnostics</pre><pre>System.Runtime.CompilerServices</pre><pre>DllImportAttribute</pre><pre>kernel32.dll</pre><pre>ntdll.dll</pre><pre>System.Security</pre><pre>$8fcd4931-91a2-4e18-849b-70de34ab75df</pre><pre>1.0.0.0</pre><pre>System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</pre><pre>C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb</pre><pre>mscoree.dll</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>D$.SPf</pre><pre> 2 34 567</pre><pre>com.apple.Safari</pre><pre>com.apple.WebKit2WebProcess</pre><pre>SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins</pre><pre>"Account","Login Name","Password","Web Site","Comments"</pre><pre>3.7.5</pre><pre>SQLite format 3</pre><pre>CREATE TABLE sqlite_master(</pre><pre>sql text</pre><pre>REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY</pre><pre>SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins</pre><pre>PK11_GetInternalKeySlot</pre><pre>PK11_CheckUserPassword</pre><pre>large file support is disabled</pre><pre>unknown operation</pre><pre>SQL logic error or missing database</pre><pre>foreign_keys</pre><pre>sqlite_compileoption_get</pre><pre>sqlite_compileoption_used</pre><pre>sqlite_source_id</pre><pre>sqlite_version</pre><pre>sqlite_attach</pre><pre>sqlite_detach</pre><pre>sqlite_stat1</pre><pre>sqlite_rename_parent</pre><pre>sqlite_rename_trigger</pre><pre>sqlite_rename_table</pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>%Y-%m-%d</pre><pre>%H:%M:%S</pre><pre>SQLITE_</pre><pre>failed to allocate %u bytes of memory</pre><pre>failed memory resize %u to %u bytes</pre><pre>922337203685477580</pre><pre>API call with %s database connection pointer</pre><pre>%s-shm</pre><pre>%s\etilqs_</pre><pre>OsError 0x%x (%u)</pre><pre>Recovered %d frames from WAL file %s</pre><pre>%s-mjX</pre><pre>foreign key constraint failed</pre><pre>unable to use function %s in the requested context</pre><pre>abort at %d in [%s]: %s</pre><pre>constraint failed at %d in [%s]</pre><pre>cannot open savepoint - SQL statements in progress</pre><pre>no such savepoint: %s</pre><pre>cannot %s savepoint - SQL statements in progress</pre><pre>cannot rollback transaction - SQL statements in progress</pre><pre>cannot commit transaction - SQL statements in progress</pre><pre>sqlite_master</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid</pre><pre>cannot change %s wal mode from within a transaction</pre><pre>statement aborts at %d: [%s] %s</pre><pre>misuse of aliased aggregate %s</pre><pre>%s: %s.%s.%s</pre><pre>%s: %s.%s</pre><pre>%s: %s</pre><pre>%r %s BY term out of range - should be between 1 and %d</pre><pre>too many terms in %s BY clause</pre><pre>Expression tree is too large (maximum depth %d)</pre><pre>variable number must be between ?1 and ?%d</pre><pre>too many SQL variables</pre><pre>too many columns in %s</pre><pre>oversized integer: %s%s</pre><pre>misuse of aggregate: %s()</pre><pre>%.*s"%w"%s</pre><pre>%s%.*s"%w"</pre><pre>%s OR name=%Q</pre><pre>type='trigger' AND (%s)</pre><pre>there is already another table or index with this name: %s</pre><pre>sqlite_</pre><pre>table %s may not be altered</pre><pre>view %s may not be altered</pre><pre>UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;</pre><pre>UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');</pre><pre>UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;</pre><pre>Cannot add a PRIMARY KEY column</pre><pre>UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q</pre><pre>sqlite_altertab_%s</pre><pre>CREATE TABLE %Q.%s(%s)</pre><pre>DELETE FROM %Q.%s WHERE tbl=%Q</pre><pre>SELECT tbl, idx, stat FROM %Q.sqlite_stat1</pre><pre>invalid name: "%s"</pre><pre>too many attached databases - max %d</pre><pre>database %s is already in use</pre><pre>unable to open database: %s</pre><pre>no such database: %s</pre><pre>cannot detach database %s</pre><pre>database %s is locked</pre><pre>%s %T cannot reference objects in database %s</pre><pre>object name reserved for internal use: %s</pre><pre>there is already an index named %s</pre><pre>too many columns on %s</pre><pre>duplicate column name: %s</pre><pre>default value of column [%s] is not constant</pre><pre>table "%s" has more than one primary key</pre><pre>no such collation sequence: %s</pre><pre>CREATE %s %.*s</pre><pre>UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d</pre><pre>view %s is circularly defined</pre><pre>table %s may not be dropped</pre><pre>use DROP TABLE to delete table %s</pre><pre>use DROP VIEW to delete view %s</pre><pre>DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q</pre><pre>foreign key on %s should reference only one column of table %T</pre><pre>number of columns in foreign key does not match the number of columns in the referenced table</pre><pre>unknown column "%s" in foreign key definition</pre><pre>indexed columns are not unique</pre><pre>table %s may not be indexed</pre><pre>views may not be indexed</pre><pre>virtual tables may not be indexed</pre><pre>there is already a table named %s</pre><pre>index %s already exists</pre><pre>sqlite_autoindex_%s_%d</pre><pre>table %s has no column named %s</pre><pre>CREATE%s INDEX %.*s</pre><pre>INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);</pre><pre>no such index: %S</pre><pre>index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped</pre><pre>DELETE FROM %Q.%s WHERE name=%Q AND type='index'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q</pre><pre>a JOIN clause is required before %s</pre><pre>unable to identify the object to be reindexed</pre><pre>table %s may not be modified</pre><pre>cannot modify %s because it is a view</pre><pre>foreign key mismatch</pre><pre>table %S has %d columns but %d values were supplied</pre><pre>%d values for %d columns</pre><pre>table %S has no column named %s</pre><pre>%s.%s may not be NULL</pre><pre>PRIMARY KEY must be unique</pre><pre>automatic extension loading failed: %s</pre><pre>foreign_key_list</pre><pre>malformed database schema (%s)</pre><pre>%s - %s</pre><pre>unsupported file format</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid</pre><pre>unknown or unsupported join type: %T %T%s%T</pre><pre>RIGHT and FULL OUTER JOINs are not currently supported</pre><pre>a NATURAL join may not have an ON or USING clause</pre><pre>cannot have both ON and USING clauses in the same join</pre><pre>cannot join using column %s - column not present in both tables</pre><pre>%s.%s</pre><pre>%s:%d</pre><pre>no such index: %s</pre><pre>sqlite_subquery_%p_</pre><pre>no such table: %s</pre><pre>cannot create %s trigger on view: %S</pre><pre>cannot create INSTEAD OF trigger on table: %S</pre><pre>INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')</pre><pre>no such trigger: %S</pre><pre>no such column: %s</pre><pre>cannot VACUUM - SQL statements in progress</pre><pre>PRAGMA vacuum_db.synchronous=OFF</pre><pre>SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'</pre><pre>SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';</pre><pre>INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)</pre><pre>UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d</pre><pre>vtable constructor failed: %s</pre><pre>vtable constructor did not declare schema: %s</pre><pre>no such module: %s</pre><pre>table %s: xBestIndex returned an invalid plan</pre><pre>at most %d tables in a join</pre><pre>cannot use index: %s</pre><pre>the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>unable to close due to unfinished backup operation</pre><pre>unknown database: %s</pre><pre>no such vfs: %s</pre><pre>database corruption at line %d of [%.10s]</pre><pre>misuse at line %d of [%.10s]</pre><pre>cannot open file at line %d of [%.10s]</pre><pre>sqlite3_open</pre><pre>sqlite3_prepare</pre><pre>sqlite3_step</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_int</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_close</pre><pre>sqlite3_exec</pre><pre>f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb</pre><pre>msvcrt.dll</pre><pre>_wcmdln</pre><pre>COMCTL32.dll</pre><pre>VERSION.dll</pre><pre>FindCloseUrlCache</pre><pre>FindNextUrlCacheEntryW</pre><pre>FindFirstUrlCacheEntryW</pre><pre>WININET.dll</pre><pre>GetWindowsDirectoryW</pre><pre>KERNEL32.dll</pre><pre>EnumChildWindows</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>comdlg32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>5JEw%Xg</pre><pre><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>http://www.usertrust.com1</pre><pre>3http://crl.usertrust.com/AddTrustExternalCARoot.crl05</pre><pre>http://ocsp.usertrust.com0</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl05</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t</pre><pre>1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%</pre><pre>https://secure.comodo.net/CPS0A</pre><pre>0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r</pre><pre>0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$</pre><pre>http://ocsp.comodoca.com0</pre><pre>support@nirsoft.net0</pre><pre>t{SSh</pre><pre>v%SSW</pre><pre>Mail PassView</pre><pre>Mozilla\Profiles</pre><pre>Software\Mozilla\Mozilla Thunderbird</pre><pre>%s\Main</pre><pre>sqlite3.dll</pre><pre>nss3.dll</pre><pre>%programfiles%\Mozilla Thunderbird</pre><pre>AddExportHeaderLine</pre><pre>%s %s %s</pre><pre>HTTPMail User Name</pre><pre>SMTP USer Name</pre><pre>HTTPMail Server</pre><pre>SMTP Server</pre><pre>POP3 Password2</pre><pre>IMAP Password2</pre><pre>HTTPMail Password2</pre><pre>SMTP Password2</pre><pre>POP3 Port</pre><pre>IMAP Port</pre><pre>HTTPMail Port</pre><pre>SMTP Port</pre><pre>HTTPMail Secure Connection</pre><pre>SMTP Secure Connection</pre><pre>SMTP Display Name</pre><pre>SMTP Email Address</pre><pre>POP3 Password</pre><pre>IMAP Password</pre><pre>HTTP Password</pre><pre>SMTP Password</pre><pre>HTTP User</pre><pre>SMTP User</pre><pre>HTTP Server URL</pre><pre>HTTP Port</pre><pre>HTTPMail Use SSL</pre><pre>SMTP Use SSL</pre><pre>%s\%s</pre><pre>PopPort</pre><pre>PopPassword</pre><pre>SMTPAccount</pre><pre>SMTPServer</pre><pre>SMTPPort</pre><pre>SMTPLogSecure</pre><pre>SMTPPassword</pre><pre>%s\Accounts</pre><pre>LoginName</pre><pre>SavePasswordText</pre><pre>ESMTPUsername</pre><pre>ESMTPPassword</pre><pre>POP3Password</pre><pre>fb.dat</pre><pre>%s@gmail.com</pre><pre>%s@yahoo.com</pre><pre>Software\Microsoft\Windows Messaging Subsystem\Profiles</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles</pre><pre><meta http-equiv="content-type" content="text/html;charset=%s" /></pre><pre><br /><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p></p></pre><pre>smtp</pre><pre>advapi32.dll</pre><pre>comctl32.dll</pre><pre>*.ini</pre><pre>netmsg.dll</pre><pre>Error %d: %s</pre><pre>%s (%s)</pre><pre>menu_%d</pre><pre>dialog_%d</pre><pre>TranslatorURL</pre><pre>_lng.ini</pre><pre>%-18s: %s</pre><pre>%%-%d.%ds</pre><pre><td bgcolor="s" nowrap>%s</td></pre><pre><td bgcolor="s">%s</td></pre><pre><tr><td%s nowrap><b>%s</b><td bgcolor="s">%s</td></td%s></tr></pre><pre>bgcolor="%s"</pre><pre><font color="%s">%s</font></pre><pre><%s>%s</pre><pre></pre><pre>report.html</pre><pre>*.txt</pre><pre>*.htm;*.html</pre><pre>*.xml</pre><pre>*.csv</pre><pre>Software\NirSoft\MailPassView</pre><pre>MailPassView</pre><pre>/skeepass</pre><pre>/deleteregkey</pre><pre>Failed to load the executable file !</pre><pre>mail.account.account</pre><pre>mail.server</pre><pre>port</pre><pre>mail.identity</pre><pre>signon.signonfilename</pre><pre>mailbox://%s@%s</pre><pre>imap://%s@%s</pre><pre>mailbox://%s</pre><pre>imap://%s</pre><pre>signons.txt</pre><pre>signons.sqlite</pre><pre>prefs.js</pre><pre>Password.NET Messenger Service</pre><pre>User.NET Messenger Service</pre><pre>Passport.Net\*</pre><pre>ps:password</pre><pre>windowslive:name=</pre><pre>Exception %8.8X at address %8.8X in module %s</pre><pre>Stack Data: %s</pre><pre>Code Data: %s</pre><pre>mozsqlite3.dll</pre><pre>psapi.dll</pre><pre>pstorec.dll</pre><pre>5e7e8100-9138-11d1-945a-00c04fc308ff</pre><pre>00000000-0000-0000-0000-000000000000</pre><pre>220D5CD0-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CD1-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CC1-853A-11D0-84BC-00C04FD43F8F</pre><pre>417E2D75-84BD-11D0-84BB-00C04FD43F8F</pre><pre>shell32.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>shlwapi.dll</pre><pre><html><head>%s<title>%s</title></head></html></pre><pre>%s <h3>%s</h3></pre><pre>size="%d"</pre><pre>color="#%s"</pre><pre><font color="%s"></font></pre><pre><table border="1" cellpadding="5"><tr%s></tr%s></table></pre><pre>width="%s"</pre><pre><th%s>%s%s%s</th%s></pre><pre>SOFTWARE\Mozilla</pre><pre>mozilla</pre><pre>%s\bin</pre><pre>PathToExe</pre><pre>\sqlite3.dll</pre><pre>\mozsqlite3.dll</pre><pre>Software\Microsoft\Windows Mail</pre><pre>Software\Microsoft\Windows Live Mail</pre><pre>SMTP_Server</pre><pre>SMTP_User_Name</pre><pre>POP3_Password2</pre><pre>IMAP_Password2</pre><pre>NNTP_Password2</pre><pre>SMTP_Password2</pre><pre>SMTP_Email_Address</pre><pre>SMTP_Port</pre><pre>NNTP_Port</pre><pre>IMAP_Port</pre><pre>POP3_Port</pre><pre>SMTP_Secure_Connection</pre><pre>*.oeaccount</pre><pre>\Microsoft\Windows Mail</pre><pre>\Microsoft\Windows Live Mail</pre><pre>f:\Projects\VS2005\mailpv\Release\mailpv.pdb</pre><pre>_acmdln</pre><pre>RPCRT4.dll</pre><pre>GetWindowsDirectoryA</pre><pre>RegDeleteKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegEnumKeyExA</pre><pre>ShellExecuteA</pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="NirSoft" type="win32"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD</pre><pre>Debugger.exe</pre><pre>Microsoft.VisualBasic</pre><pre>System.Windows.Forms</pre><pre>System.Drawing</pre><pre>System.Management</pre><pre>tapi32.dll</pre><pre>rtm.dll</pre><pre>user32.dll</pre><pre>Debugger.Debugger.resources</pre><pre>Debugger.Resources.resources</pre><pre>Debugger.My</pre><pre>WindowsFormsApplicationBase</pre><pre>Microsoft.VisualBasic.ApplicationServices</pre><pre>System.ComponentModel</pre><pre>System.CodeDom.Compiler</pre><pre>Microsoft.VisualBasic.Devices</pre><pre>m_MyWebServicesObjectProvider</pre><pre>.cctor</pre><pre>get_WebServices</pre><pre>HelpKeywordAttribute</pre><pre>System.ComponentModel.Design</pre><pre>WebServices</pre><pre>Microsoft.VisualBasic.CompilerServices</pre><pre>System.Collections</pre><pre>ContainsKey</pre><pre>InvalidOperationException</pre><pre>MyWebServices</pre><pre>encryptedpassstring</pre><pre>encryptedsmtpstring</pre><pre>portstring</pre><pre>fakeMSGholder</pre><pre>encryptedftphost</pre><pre>encryptedftpuser</pre><pre>encryptedftppass</pre><pre>useftp</pre><pre>websitevisitor</pre><pre>websiteblocker</pre><pre>passstring</pre><pre>smtpstring</pre><pre>ftphost</pre><pre>ftpuser</pre><pre>ftppass</pre><pre>WM_KEYUP</pre><pre>WM_KEYDOWN</pre><pre>WM_SYSKEYDOWN</pre><pre>WM_SYSKEYUP</pre><pre>KeyboardHandle</pre><pre>KeyLog</pre><pre>CleanedPasswordsMAIL</pre><pre>CleanedPasswordsWB</pre><pre>System.IO</pre><pre>get_ExecutablePath</pre><pre>WindowsIdentity</pre><pre>System.Security.Principal</pre><pre>set_WindowState</pre><pre>FormWindowState</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>GetAsyncKeyState</pre><pre>vKey</pre><pre>HookKeyboard</pre><pre>UnhookKeyboard</pre><pre>Operators</pre><pre>get_Keyboard</pre><pre>Keyboard</pre><pre>get_CtrlKeyDown</pre><pre>get_AltKeyDown</pre><pre>KeyboardCallback</pre><pre>System.Threading</pre><pre>System.Collections.Generic</pre><pre>Microsoft.VisualBasic.MyServices</pre><pre>System.Collections.ObjectModel</pre><pre>MsgBox</pre><pre>MsgBoxResult</pre><pre>MsgBoxStyle</pre><pre>set_WindowStyle</pre><pre>ProcessWindowStyle</pre><pre>ForceSteamLogin</pre><pre>System.Net.NetworkInformation</pre><pre>get_OperationalStatus</pre><pre>OperationalStatus</pre><pre>FakemsgInstall</pre><pre>System.Net.Mail</pre><pre>SmtpClient</pre><pre>System.Globalization</pre><pre>set_Port</pre><pre>System.Net</pre><pre>Microsoft.Win32</pre><pre>RegistryKey</pre><pre>OpenSubKey</pre><pre>System.Security.Cryptography</pre><pre>System.Text</pre><pre>set_Key</pre><pre>stealWebroswers</pre><pre>WebClient</pre><pre>readweb</pre><pre>System.IO.Compression</pre><pre>SendLogsFTP</pre><pre>FtpWebRequest</pre><pre>WebRequest</pre><pre>UploadFTP</pre><pre>secretKey</pre><pre>set_KeySize</pre><pre>get_KeySize</pre><pre>System.Net.Sockets</pre><pre>virtualKey</pre><pre>KeyboardHookDelegate</pre><pre>get_Msg</pre><pre>Debugger.My.Resources</pre><pre>System.Resources</pre><pre>get_CMemoryExecute</pre><pre>get_WebBrowserPassView</pre><pre>WebBrowserPassView</pre><pre>System.Configuration</pre><pre>8.0.0.0</pre><pre>My.Computer</pre><pre>My.Application</pre><pre>My.User</pre><pre>My.Forms</pre><pre>My.WebServices</pre><pre>System.Windows.Forms.Form</pre><pre>My.MyProject.Forms</pre><pre>4System.Web.Services.Protocols.SoapHttpClientProtocol</pre><pre>3System.Resources.Tools.StronglyTypedResourceBuilder</pre><pre>4.0.0.0</pre><pre>KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator</pre><pre>10.0.0.0</pre><pre>My.Settings</pre><pre>$e48811ca-8af8-4e73-85dd-2045b9cca73a</pre><pre>_CorExeMain</pre><pre><assemblyIdentity version="1.0.0.0" name="MyApplication.app" /></pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false" /></pre><pre>%%0.ß</pre><pre>Apple Computer\Preferences\keychain.plist</pre><pre>LoadPasswordsIE</pre><pre>LoadPasswordsFirefox</pre><pre>LoadPasswordsChrome</pre><pre>LoadPasswordsOpera</pre><pre>LoadPasswordsSafari</pre><pre>LoadPasswordsSeaMonkey</pre><pre>UseFirefoxProfileFolder</pre><pre>UseFirefoxInstallFolder</pre><pre>UseChromeProfileFolder</pre><pre>UseOperaPasswordFile</pre><pre>FirefoxProfileFolder</pre><pre>FirefoxInstallFolder</pre><pre>ChromeProfileFolder</pre><pre>OperaPasswordFile</pre><pre>Aadvapi32.dll</pre><pre>crypt32.dll</pre><pre>777705555443332</pre><pre>5555443332</pre><pre>5555443332</pre><pre>wand.dat</pre><pre>@nss3.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe</pre><pre>%programfiles%\Sea Monkey</pre><pre>%programfiles%\Mozilla Firefox</pre><pre>-signons.txt</pre><pre>signons2.txt</pre><pre>signons3.txt</pre><pre>@dllhost.exe</pre><pre>taskhost.exe</pre><pre>taskhostex.exe</pre><pre>Microsoft\Windows\WebCache\WebCacheV01.dat</pre><pre>Microsoft\Windows\WebCache\WebCacheV24.dat</pre><pre>index.dat</pre><pre>https://www.google.com/accounts/servicelogin</pre><pre>http://www.facebook.com/</pre><pre>https://login.yahoo.com/config/login</pre><pre>http://</pre><pre>https://</pre><pre>ftp://</pre><pre>@history.dat</pre><pre>places.sqlite</pre><pre>Mozilla\Firefox\Profiles</pre><pre>Mozilla\SeaMonkey\Profiles</pre><pre>Mozilla\SeaMonkey</pre><pre>Mozilla\Firefox</pre><pre>profiles.ini</pre><pre>Profile%d</pre><pre>tntdll.dll</pre><pre>sWeb Data</pre><pre>Login Data</pre><pre>Google\Chrome\User Data</pre><pre>Google\Chrome SxS\User Data</pre><pre>Opera\Opera\wand.dat</pre><pre>Opera\Opera7\profile\wand.dat</pre><pre>Opera</pre><pre>@"%s"</pre><pre>Ashell32.dll</pre><pre>\nss3.dll</pre><pre>.save</pre><pre>vaultcli.dll</pre><pre>abe2869f-9b47-4cd9-a358-c22904dba7f7</pre><pre>Copy &Password</pre><pre>&HTML Report - All Items</pre><pre>HTML R&eport - Selected Items</pre><pre>HTML Report - All Items</pre><pre>HTML Report - Selected Items</pre><pre>Load Passwords From...</pre><pre>Google Chrome</pre><pre>Mozilla Firefox</pre><pre>SeaMonkey</pre><pre>Firefox Options</pre><pre>Master password:</pre><pre>Firefox Profile:</pre><pre>Firefox Installation:</pre><pre>Chrome Options</pre><pre>Opera Options</pre><pre>wand.dat file:</pre><pre>%d Passwords</pre><pre>, %d Selected</pre><pre>Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)</pre><pre>Loading... %d</pre><pre>KeePass csv file</pre><pre>Opera Password File</pre><pre>Firefox 1.x</pre><pre>Firefox 2.x</pre><pre>Firefox 3.0</pre><pre>Firefox</pre><pre>Chrome</pre><pre>Web Browser</pre><pre>Password</pre><pre>Password Strength</pre><pre>Password Field</pre><pre>WebBrowserPassView.exe</pre><pre>www.google.com/Please log in to your Gmail account</pre><pre>www.google.com:443/Please log in to your Gmail account</pre><pre>www.google.com/Please log in to your Google Account</pre><pre>www.google.com:443/Please log in to your Google Account</pre><pre>www.google.com</pre><pre>dWindowsLive:name=*</pre><pre>82BD0E67-9FEA-4748-8672-D5EFE5B779B0</pre><pre>Copy Password</pre><pre>%d items</pre><pre>Select Eudora.ini filename/Select the location of Thunderbird installation</pre><pre>Eudora.ini file</pre><pre>SMTP</pre><pre>Windows Mail</pre><pre>Windows Live Mail</pre><pre>Server Port</pre><pre>SMTP Server Port</pre><pre>Mail Password Recovery</pre><pre>mailpv.exe</pre><pre>3, 7 #,)</pre><pre>MessageBoxIcon.Error</pre><pre>noftp</pre><pre>filename.exe</pre><pre>http://www.example.com/directory/file.exe</pre><pre>Disablecmd</pre><pre>\Windows Update.exe</pre><pre>\WindowsUpdate.exe</pre><pre>SysInfo.txt</pre><pre>\pid.txt</pre><pre>\pidloc.txt</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>127.0.0.1</pre><pre>ping -n 1 -w 3000 1.1.1.1</pre><pre>cmd.exe</pre><pre>\SteamAppData.vdf</pre><pre>\ClientRegistry.blob</pre><pre>MessageBoxIcon.Exclamation</pre><pre>Keylogger Enabled:</pre><pre>Operating System:</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced</pre><pre>autorun.inf</pre><pre>open=Sys.exe</pre><pre>Sys.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update</pre><pre>C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>\bitcoin\wallet.dat</pre><pre>_wallet.dat</pre><pre>wallet.dat</pre><pre>Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>holdermail.txt"</pre><pre>holdermail.txt</pre><pre>Operating System Intel Recovery</pre><pre>Operating System Platform:</pre><pre>Operating System Version:</pre><pre>WEB Browser Password Recovery</pre><pre>Mail Messenger Password Recovery</pre><pre>Jdownloader Password Recovery</pre><pre>holderwb.txt"</pre><pre>holderwb.txt</pre><pre>C:\Users\</pre><pre>_Pin0.jpeg</pre><pre>_Pin1.jpeg</pre><pre>_Pin2.jpeg</pre><pre>_Pin3.jpeg</pre><pre>_Pin4.jpeg</pre><pre>Steals the Wallet.DAT file that holds the users bitcoin currency</pre><pre>\.minecraft\lastlogin</pre><pre>There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor</pre><pre>Predator Pain v14 - Key Recorder - [</pre><pre>Keylogger Log</pre><pre>.jpeg</pre><pre>Predator_Pain_v14_KeyLog_</pre><pre>http://whatismyipaddress.com/</pre><pre>Debugger.Resources</pre><pre>:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><b>oDefrag.exe_444_rwx_675A6000_00003000:</b><pre>.Qg<-Qg><pre>*Rg`.Rg|)RgL Rg</pre></-Qg></pre></pre>