Trojan.Win32.Foxhiex.agc (Kaspersky), Trojan.GenericKD.1723762 (B) (Emsisoft), Trojan.GenericKD.1723762 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)Behaviour: Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a012f23bbcb77172737a307004a7ba1c
SHA1: 2cb77abfd06288dd57a91a52febb82074147fa51
SHA256: 853558da06eba9ff1a1fa6dd7bf0e6b0776ebbc0fd4d7a60cf51fbd1dda7aaff
SSDeep: 12288:hieAmmv16NBuWA5MfblVRsTidnQM7P6Bj:hxA/oN6sRV7P6Bj
Size: 479232 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-18 21:37:13
Analyzed on: WindowsXP SP3 32-bit
Summary: HackTool. Can be used to investigate, analyze or compromise the system security. Some HackTools are multi-purpose programs, while others may have legitimate uses.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The HackTool creates the following process(es):
%original file name%.exe:1832
vbc.exe:2480
vbc.exe:2152
oDefrag.exe:1336
The HackTool injects its code into the following process(es):
keygen.exe:264
oDefrag.exe:444
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1832 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\keygen.exe (88 bytes)
%Documents and Settings%\%current user%\Application Data\oDefrag.exe (3073 bytes)
The process vbc.exe:2480 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RHA1KCPW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\412BSTMB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G9YVKXUN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0J0CAM90\desktop.ini (67 bytes)
The process oDefrag.exe:1336 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\csrss.exe (3073 bytes)
The process oDefrag.exe:444 makes changes in the file system.
The HackTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (58 bytes)
The HackTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)
Registry activity
The process %original file name%.exe:1832 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 3E A5 BC 37 2E D7 A0 96 D4 BD AA A0 F0 6B 60"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Keygen.exe" = "keygen"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"oDefrag.exe" = "oDefrag"
The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The HackTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process vbc.exe:2480 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F C4 D8 9D D6 1F C6 88 81 66 50 59 83 A5 4E 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The process vbc.exe:2152 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 BA 5F 1D A0 17 92 46 54 6C 98 C9 DF 84 64 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process keygen.exe:264 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 6A 46 47 9F 69 91 B1 48 7A C9 FE 45 88 B7 6D"
The process oDefrag.exe:1336 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F D9 B5 91 AE C9 80 75 70 48 D9 AA 4C B2 2D 2B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"csrss.exe" = "csrss"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The HackTool modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"
The HackTool modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the HackTool adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"
The HackTool modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process oDefrag.exe:444 makes changes in the system registry.
The HackTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\oDefrag\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 15 86 67 DB EE C9 15 12 4C F6 65 1C D3 32 D8"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The HackTool deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\oDefrag\DEBUG]
"Trace Level"
Dropped PE files
MD5 | File path |
---|---|
640b5a8af03fe3e8c00b8066d97a3e5b | c:\Documents and Settings\"%CurrentUserName%"\Application Data\keygen.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the HackTool's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1832
vbc.exe:2480
vbc.exe:2152
oDefrag.exe:1336 - Delete the original HackTool file.
- Delete or disinfect the following files created/modified by the HackTool:
%Documents and Settings%\%current user%\Application Data\keygen.exe (88 bytes)
%Documents and Settings%\%current user%\Application Data\oDefrag.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RHA1KCPW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\412BSTMB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G9YVKXUN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0J0CAM90\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\csrss.exe (3073 bytes)
%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (58 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"oDefrag" = "%Documents and Settings%\%current user%\Application Data\oDefrag.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 466084 | 466944 | 5.54147 | 6f3c6af8d45f85b6f19468c2174efd32 |
.rsrc | 475136 | 924 | 4096 | 0.637497 | fa1c9db9487d12e00d1c9602ac85720d |
.reloc | 483328 | 12 | 4096 | 0.011373 | aa949fbfe6d1e1a21441221dbbf98749 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://whatismyipaddress.com/ | 66.171.248.172 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 28 Jun 2014 10:43:22 GMT
Server: Apache/2.2.26 (Unix) DAV/2 PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y
X-Powered-By: PHP/5.4.24
Set-Cookie: pt=f931a00a404b2e0a8aa138a9c855ef5a; expires=Sun, 29-Jun-2014 10:43:22 GMT
Cache-Control: max-age=15
MS-Author-Via: DAV
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
29a9..<!doctype html>.<html lang="en">.<head>..<meta charset="windows-1252">..<meta name="robots" content="noarchive">..<title>What Is My IP Address? IP Address Tools and More</title>..<meta name="description" content="IP address lookup, location, proxy detection, email tracing, IP hiding tips, blacklist check, speed test, and forums. Find, get, and show my IP address.">..<meta name="keywords" content="my ip ,ip, address, my, what, is, find, get, show, locate, change, location, how, do, i, ip address, proxy, server, anonymous, hide, conceal, stealth, surf, web, anonymizer, anonymize, changer, privacy, geolocation, geolocate, lookup, look up, locate, trace, track, email, source, headers">..<meta property="fb:admins" content="607824267" />..<link rel="shortcut icon" href="hXXp://cdn.whatismyipaddress.com/favicon.ico">..<link rel="stylesheet" type="text/css" href="hXXp://cdn.whatismyipaddress.com/css/myip_v4_3.css">..<link rel="publisher" href="hXXps://plus.google.com/ whatismyipaddress">..<link rel="canonical" href="hXXp://whatismyipaddress.com">..<script type="text/javascript">if (top.location!= self.location) {top.location = self.location.href;}</script>..<script type='text/javascript'>...var googletag = googletag || {};...googletag.cmd = googletag.cmd || [];...(function() {...var gads = document.createElement('script');...gads.async = true;...gads.type = 'text/javascript';...var useSSL = 'https:' == document.
<<
<<< skipped >>>
Map
The HackTool connects to the servers at the folowing location(s):
Strings from Dumps
keygen.exe_264:
.text
.text
`.rsrc
`.rsrc
t.Ht-Ht(Ht'
t.Ht-Ht(Ht'
gdi32.dll
gdi32.dll
kernel32.dll
kernel32.dll
user32.dll
user32.dll
winmm.dll
winmm.dll
Coded by .......Nemo
Coded by .......Nemo
Protection ...MD5
Protection ...MD5
xy01-CP00-a95b-1ab6-d960-634e-nm14-0628
xy01-CP00-a95b-1ab6-d960-634e-nm14-0628
00000000
00000000
qR.Aquw~
qR.Aquw~
10# # ####1:
10# # ####1:
31#### ####3=
31#### ####3=
91#0## # ###3<</pre><pre>:1100### ###1:</pre><pre>=954422226</pre><pre>*.ASSUq</pre><pre>..ATR.</pre><pre>*...BqU.</pre><pre>.....RptqpUUWpt</pre><pre>%'4666677766664)%</pre><pre>.^ssQ.QUz</pre><pre>%%)2222)2!</pre><pre>.WUUB/RR</pre><pre>%D\arrrz{</pre><pre> .QR%</pre><pre>{s^WpTQTQ.*...AQ......AQ</pre><pre>{psqspppqsqU.QB.. "</pre><pre>.Upu~</pre><pre>..QTs{</pre><pre>VEE CLOSED HIHAT 87.wa</pre><pre>VEE Bassdrum 156.wav</pre><pre>VEE SNARE 145.wav</pre><pre>CF DEEPHSE CRSH 07.wav</pre><pre>%'%x6</pre><b>keygen.exe_264_rwx_00330000_00003000:</b><pre>The procedure %s could not be located in the DLL %s.</pre><pre>The ordinal %d could not be located in the DLL %s.</pre><b>keygen.exe_264_rwx_00401000_00058000:</b><pre>t.Ht-Ht(Ht'</pre><pre>gdi32.dll</pre><pre>kernel32.dll</pre><pre>user32.dll</pre><pre>winmm.dll</pre><pre>Coded by .......Nemo</pre><pre>Protection ...MD5</pre><pre>xy01-CP00-a95b-1ab6-d960-634e-nm14-0628</pre><pre>00000000</pre><pre>qR.Aquw~</pre><pre>10# # ####1:</pre><pre>31#### ####3=</pre><pre>91#0## # ###3<</pre><pre>:1100### ###1:</pre><pre>=954422226</pre><pre>*.ASSUq</pre><pre>..ATR.</pre><pre>*...BqU.</pre><pre>.....RptqpUUWpt</pre><pre>%'4666677766664)%</pre><pre>.^ssQ.QUz</pre><pre>%%)2222)2!</pre><pre>.WUUB/RR</pre><pre>%D\arrrz{</pre><pre> .QR%</pre><pre>{s^WpTQTQ.*...AQ......AQ</pre><pre>{psqspppqsqU.QB.. "</pre><pre>.Upu~</pre><pre>..QTs{</pre><pre>VEE CLOSED HIHAT 87.wa</pre><pre>VEE Bassdrum 156.wav</pre><pre>VEE SNARE 145.wav</pre><pre>CF DEEPHSE CRSH 07.wav</pre><pre>%'%x6</pre><b>oDefrag.exe_444:</b><pre>.text</pre><pre>`.rsrc</pre><pre>@.reloc</pre><pre>lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet</pre><pre>v2.0.50727</pre><pre>CMemoryExecute.dll</pre><pre>CMemoryExecute</pre><pre>PAGE_EXECUTE_READWRITE</pre><pre>.ctor</pre><pre>System.Reflection</pre><pre>System.Runtime.InteropServices</pre><pre>System.Security.Permissions</pre><pre>System.Diagnostics</pre><pre>System.Runtime.CompilerServices</pre><pre>DllImportAttribute</pre><pre>kernel32.dll</pre><pre>ntdll.dll</pre><pre>System.Security</pre><pre>$8fcd4931-91a2-4e18-849b-70de34ab75df</pre><pre>1.0.0.0</pre><pre>System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</pre><pre>C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb</pre><pre>mscoree.dll</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>D$.SPf</pre><pre> 2 34 567</pre><pre>com.apple.Safari</pre><pre>com.apple.WebKit2WebProcess</pre><pre>SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins</pre><pre>"Account","Login Name","Password","Web Site","Comments"</pre><pre>3.7.5</pre><pre>SQLite format 3</pre><pre>CREATE TABLE sqlite_master(</pre><pre>sql text</pre><pre>REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY</pre><pre>SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins</pre><pre>PK11_GetInternalKeySlot</pre><pre>PK11_CheckUserPassword</pre><pre>large file support is disabled</pre><pre>unknown operation</pre><pre>SQL logic error or missing database</pre><pre>foreign_keys</pre><pre>sqlite_compileoption_get</pre><pre>sqlite_compileoption_used</pre><pre>sqlite_source_id</pre><pre>sqlite_version</pre><pre>sqlite_attach</pre><pre>sqlite_detach</pre><pre>sqlite_stat1</pre><pre>sqlite_rename_parent</pre><pre>sqlite_rename_trigger</pre><pre>sqlite_rename_table</pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>%Y-%m-%d</pre><pre>%H:%M:%S</pre><pre>SQLITE_</pre><pre>failed to allocate %u bytes of memory</pre><pre>failed memory resize %u to %u bytes</pre><pre>922337203685477580</pre><pre>API call with %s database connection pointer</pre><pre>%s-shm</pre><pre>%s\etilqs_</pre><pre>OsError 0x%x (%u)</pre><pre>Recovered %d frames from WAL file %s</pre><pre>%s-mjX</pre><pre>foreign key constraint failed</pre><pre>unable to use function %s in the requested context</pre><pre>abort at %d in [%s]: %s</pre><pre>constraint failed at %d in [%s]</pre><pre>cannot open savepoint - SQL statements in progress</pre><pre>no such savepoint: %s</pre><pre>cannot %s savepoint - SQL statements in progress</pre><pre>cannot rollback transaction - SQL statements in progress</pre><pre>cannot commit transaction - SQL statements in progress</pre><pre>sqlite_master</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid</pre><pre>cannot change %s wal mode from within a transaction</pre><pre>statement aborts at %d: [%s] %s</pre><pre>misuse of aliased aggregate %s</pre><pre>%s: %s.%s.%s</pre><pre>%s: %s.%s</pre><pre>%s: %s</pre><pre>%r %s BY term out of range - should be between 1 and %d</pre><pre>too many terms in %s BY clause</pre><pre>Expression tree is too large (maximum depth %d)</pre><pre>variable number must be between ?1 and ?%d</pre><pre>too many SQL variables</pre><pre>too many columns in %s</pre><pre>oversized integer: %s%s</pre><pre>misuse of aggregate: %s()</pre><pre>%.*s"%w"%s</pre><pre>%s%.*s"%w"</pre><pre>%s OR name=%Q</pre><pre>type='trigger' AND (%s)</pre><pre>there is already another table or index with this name: %s</pre><pre>sqlite_</pre><pre>table %s may not be altered</pre><pre>view %s may not be altered</pre><pre>UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;</pre><pre>UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');</pre><pre>UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;</pre><pre>Cannot add a PRIMARY KEY column</pre><pre>UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q</pre><pre>sqlite_altertab_%s</pre><pre>CREATE TABLE %Q.%s(%s)</pre><pre>DELETE FROM %Q.%s WHERE tbl=%Q</pre><pre>SELECT tbl, idx, stat FROM %Q.sqlite_stat1</pre><pre>invalid name: "%s"</pre><pre>too many attached databases - max %d</pre><pre>database %s is already in use</pre><pre>unable to open database: %s</pre><pre>no such database: %s</pre><pre>cannot detach database %s</pre><pre>database %s is locked</pre><pre>%s %T cannot reference objects in database %s</pre><pre>object name reserved for internal use: %s</pre><pre>there is already an index named %s</pre><pre>too many columns on %s</pre><pre>duplicate column name: %s</pre><pre>default value of column [%s] is not constant</pre><pre>table "%s" has more than one primary key</pre><pre>no such collation sequence: %s</pre><pre>CREATE %s %.*s</pre><pre>UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d</pre><pre>view %s is circularly defined</pre><pre>table %s may not be dropped</pre><pre>use DROP TABLE to delete table %s</pre><pre>use DROP VIEW to delete view %s</pre><pre>DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q</pre><pre>foreign key on %s should reference only one column of table %T</pre><pre>number of columns in foreign key does not match the number of columns in the referenced table</pre><pre>unknown column "%s" in foreign key definition</pre><pre>indexed columns are not unique</pre><pre>table %s may not be indexed</pre><pre>views may not be indexed</pre><pre>virtual tables may not be indexed</pre><pre>there is already a table named %s</pre><pre>index %s already exists</pre><pre>sqlite_autoindex_%s_%d</pre><pre>table %s has no column named %s</pre><pre>CREATE%s INDEX %.*s</pre><pre>INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);</pre><pre>no such index: %S</pre><pre>index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped</pre><pre>DELETE FROM %Q.%s WHERE name=%Q AND type='index'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q</pre><pre>a JOIN clause is required before %s</pre><pre>unable to identify the object to be reindexed</pre><pre>table %s may not be modified</pre><pre>cannot modify %s because it is a view</pre><pre>foreign key mismatch</pre><pre>table %S has %d columns but %d values were supplied</pre><pre>%d values for %d columns</pre><pre>table %S has no column named %s</pre><pre>%s.%s may not be NULL</pre><pre>PRIMARY KEY must be unique</pre><pre>automatic extension loading failed: %s</pre><pre>foreign_key_list</pre><pre>malformed database schema (%s)</pre><pre>%s - %s</pre><pre>unsupported file format</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid</pre><pre>unknown or unsupported join type: %T %T%s%T</pre><pre>RIGHT and FULL OUTER JOINs are not currently supported</pre><pre>a NATURAL join may not have an ON or USING clause</pre><pre>cannot have both ON and USING clauses in the same join</pre><pre>cannot join using column %s - column not present in both tables</pre><pre>%s.%s</pre><pre>%s:%d</pre><pre>no such index: %s</pre><pre>sqlite_subquery_%p_</pre><pre>no such table: %s</pre><pre>cannot create %s trigger on view: %S</pre><pre>cannot create INSTEAD OF trigger on table: %S</pre><pre>INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')</pre><pre>no such trigger: %S</pre><pre>no such column: %s</pre><pre>cannot VACUUM - SQL statements in progress</pre><pre>PRAGMA vacuum_db.synchronous=OFF</pre><pre>SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'</pre><pre>SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';</pre><pre>INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)</pre><pre>UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d</pre><pre>vtable constructor failed: %s</pre><pre>vtable constructor did not declare schema: %s</pre><pre>no such module: %s</pre><pre>table %s: xBestIndex returned an invalid plan</pre><pre>at most %d tables in a join</pre><pre>cannot use index: %s</pre><pre>the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>unable to close due to unfinished backup operation</pre><pre>unknown database: %s</pre><pre>no such vfs: %s</pre><pre>database corruption at line %d of [%.10s]</pre><pre>misuse at line %d of [%.10s]</pre><pre>cannot open file at line %d of [%.10s]</pre><pre>sqlite3_open</pre><pre>sqlite3_prepare</pre><pre>sqlite3_step</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_int</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_close</pre><pre>sqlite3_exec</pre><pre>f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb</pre><pre>msvcrt.dll</pre><pre>_wcmdln</pre><pre>COMCTL32.dll</pre><pre>VERSION.dll</pre><pre>FindCloseUrlCache</pre><pre>FindNextUrlCacheEntryW</pre><pre>FindFirstUrlCacheEntryW</pre><pre>WININET.dll</pre><pre>GetWindowsDirectoryW</pre><pre>KERNEL32.dll</pre><pre>EnumChildWindows</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>comdlg32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>5JEw%Xg</pre><pre><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>http://www.usertrust.com1</pre><pre>3http://crl.usertrust.com/AddTrustExternalCARoot.crl05</pre><pre>http://ocsp.usertrust.com0</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl05</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t</pre><pre>1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%</pre><pre>https://secure.comodo.net/CPS0A</pre><pre>0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r</pre><pre>0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$</pre><pre>http://ocsp.comodoca.com0</pre><pre>support@nirsoft.net0</pre><pre>t{SSh</pre><pre>v%SSW</pre><pre>Mail PassView</pre><pre>Mozilla\Profiles</pre><pre>Software\Mozilla\Mozilla Thunderbird</pre><pre>%s\Main</pre><pre>sqlite3.dll</pre><pre>nss3.dll</pre><pre>%programfiles%\Mozilla Thunderbird</pre><pre>AddExportHeaderLine</pre><pre>%s %s %s</pre><pre>HTTPMail User Name</pre><pre>SMTP USer Name</pre><pre>HTTPMail Server</pre><pre>SMTP Server</pre><pre>POP3 Password2</pre><pre>IMAP Password2</pre><pre>HTTPMail Password2</pre><pre>SMTP Password2</pre><pre>POP3 Port</pre><pre>IMAP Port</pre><pre>HTTPMail Port</pre><pre>SMTP Port</pre><pre>HTTPMail Secure Connection</pre><pre>SMTP Secure Connection</pre><pre>SMTP Display Name</pre><pre>SMTP Email Address</pre><pre>POP3 Password</pre><pre>IMAP Password</pre><pre>HTTP Password</pre><pre>SMTP Password</pre><pre>HTTP User</pre><pre>SMTP User</pre><pre>HTTP Server URL</pre><pre>HTTP Port</pre><pre>HTTPMail Use SSL</pre><pre>SMTP Use SSL</pre><pre>%s\%s</pre><pre>PopPort</pre><pre>PopPassword</pre><pre>SMTPAccount</pre><pre>SMTPServer</pre><pre>SMTPPort</pre><pre>SMTPLogSecure</pre><pre>SMTPPassword</pre><pre>%s\Accounts</pre><pre>LoginName</pre><pre>SavePasswordText</pre><pre>ESMTPUsername</pre><pre>ESMTPPassword</pre><pre>POP3Password</pre><pre>fb.dat</pre><pre>%s@gmail.com</pre><pre>%s@yahoo.com</pre><pre>Software\Microsoft\Windows Messaging Subsystem\Profiles</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles</pre><pre><meta http-equiv="content-type" content="text/html;charset=%s" /></pre><pre><br /><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p></p></pre><pre>smtp</pre><pre>advapi32.dll</pre><pre>comctl32.dll</pre><pre>*.ini</pre><pre>netmsg.dll</pre><pre>Error %d: %s</pre><pre>%s (%s)</pre><pre>menu_%d</pre><pre>dialog_%d</pre><pre>TranslatorURL</pre><pre>_lng.ini</pre><pre>%-18s: %s</pre><pre>%%-%d.%ds</pre><pre><td bgcolor="s" nowrap>%s</td></pre><pre><td bgcolor="s">%s</td></pre><pre><tr><td%s nowrap><b>%s</b><td bgcolor="s">%s</td></td%s></tr></pre><pre>bgcolor="%s"</pre><pre><font color="%s">%s</font></pre><pre><%s>%s</pre><pre></pre><pre>report.html</pre><pre>*.txt</pre><pre>*.htm;*.html</pre><pre>*.xml</pre><pre>*.csv</pre><pre>Software\NirSoft\MailPassView</pre><pre>MailPassView</pre><pre>/skeepass</pre><pre>/deleteregkey</pre><pre>Failed to load the executable file !</pre><pre>mail.account.account</pre><pre>mail.server</pre><pre>port</pre><pre>mail.identity</pre><pre>signon.signonfilename</pre><pre>mailbox://%s@%s</pre><pre>imap://%s@%s</pre><pre>mailbox://%s</pre><pre>imap://%s</pre><pre>signons.txt</pre><pre>signons.sqlite</pre><pre>prefs.js</pre><pre>Password.NET Messenger Service</pre><pre>User.NET Messenger Service</pre><pre>Passport.Net\*</pre><pre>ps:password</pre><pre>windowslive:name=</pre><pre>Exception %8.8X at address %8.8X in module %s</pre><pre>Stack Data: %s</pre><pre>Code Data: %s</pre><pre>mozsqlite3.dll</pre><pre>psapi.dll</pre><pre>pstorec.dll</pre><pre>5e7e8100-9138-11d1-945a-00c04fc308ff</pre><pre>00000000-0000-0000-0000-000000000000</pre><pre>220D5CD0-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CD1-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CC1-853A-11D0-84BC-00C04FD43F8F</pre><pre>417E2D75-84BD-11D0-84BB-00C04FD43F8F</pre><pre>shell32.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>shlwapi.dll</pre><pre><html><head>%s<title>%s</title></head></html></pre><pre>%s <h3>%s</h3></pre><pre>size="%d"</pre><pre>color="#%s"</pre><pre><font color="%s"></font></pre><pre><table border="1" cellpadding="5"><tr%s></tr%s></table></pre><pre>width="%s"</pre><pre><th%s>%s%s%s</th%s></pre><pre>SOFTWARE\Mozilla</pre><pre>mozilla</pre><pre>%s\bin</pre><pre>PathToExe</pre><pre>\sqlite3.dll</pre><pre>\mozsqlite3.dll</pre><pre>Software\Microsoft\Windows Mail</pre><pre>Software\Microsoft\Windows Live Mail</pre><pre>SMTP_Server</pre><pre>SMTP_User_Name</pre><pre>POP3_Password2</pre><pre>IMAP_Password2</pre><pre>NNTP_Password2</pre><pre>SMTP_Password2</pre><pre>SMTP_Email_Address</pre><pre>SMTP_Port</pre><pre>NNTP_Port</pre><pre>IMAP_Port</pre><pre>POP3_Port</pre><pre>SMTP_Secure_Connection</pre><pre>*.oeaccount</pre><pre>\Microsoft\Windows Mail</pre><pre>\Microsoft\Windows Live Mail</pre><pre>f:\Projects\VS2005\mailpv\Release\mailpv.pdb</pre><pre>_acmdln</pre><pre>RPCRT4.dll</pre><pre>GetWindowsDirectoryA</pre><pre>RegDeleteKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegEnumKeyExA</pre><pre>ShellExecuteA</pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="NirSoft" type="win32"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD</pre><pre>Debugger.exe</pre><pre>Microsoft.VisualBasic</pre><pre>System.Windows.Forms</pre><pre>System.Drawing</pre><pre>System.Management</pre><pre>tapi32.dll</pre><pre>rtm.dll</pre><pre>user32.dll</pre><pre>Debugger.Debugger.resources</pre><pre>Debugger.Resources.resources</pre><pre>Debugger.My</pre><pre>WindowsFormsApplicationBase</pre><pre>Microsoft.VisualBasic.ApplicationServices</pre><pre>System.ComponentModel</pre><pre>System.CodeDom.Compiler</pre><pre>Microsoft.VisualBasic.Devices</pre><pre>m_MyWebServicesObjectProvider</pre><pre>.cctor</pre><pre>get_WebServices</pre><pre>HelpKeywordAttribute</pre><pre>System.ComponentModel.Design</pre><pre>WebServices</pre><pre>Microsoft.VisualBasic.CompilerServices</pre><pre>System.Collections</pre><pre>ContainsKey</pre><pre>InvalidOperationException</pre><pre>MyWebServices</pre><pre>encryptedpassstring</pre><pre>encryptedsmtpstring</pre><pre>portstring</pre><pre>fakeMSGholder</pre><pre>encryptedftphost</pre><pre>encryptedftpuser</pre><pre>encryptedftppass</pre><pre>useftp</pre><pre>websitevisitor</pre><pre>websiteblocker</pre><pre>passstring</pre><pre>smtpstring</pre><pre>ftphost</pre><pre>ftpuser</pre><pre>ftppass</pre><pre>WM_KEYUP</pre><pre>WM_KEYDOWN</pre><pre>WM_SYSKEYDOWN</pre><pre>WM_SYSKEYUP</pre><pre>KeyboardHandle</pre><pre>KeyLog</pre><pre>CleanedPasswordsMAIL</pre><pre>CleanedPasswordsWB</pre><pre>System.IO</pre><pre>get_ExecutablePath</pre><pre>WindowsIdentity</pre><pre>System.Security.Principal</pre><pre>set_WindowState</pre><pre>FormWindowState</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>GetAsyncKeyState</pre><pre>vKey</pre><pre>HookKeyboard</pre><pre>UnhookKeyboard</pre><pre>Operators</pre><pre>get_Keyboard</pre><pre>Keyboard</pre><pre>get_CtrlKeyDown</pre><pre>get_AltKeyDown</pre><pre>KeyboardCallback</pre><pre>System.Threading</pre><pre>System.Collections.Generic</pre><pre>Microsoft.VisualBasic.MyServices</pre><pre>System.Collections.ObjectModel</pre><pre>MsgBox</pre><pre>MsgBoxResult</pre><pre>MsgBoxStyle</pre><pre>set_WindowStyle</pre><pre>ProcessWindowStyle</pre><pre>ForceSteamLogin</pre><pre>System.Net.NetworkInformation</pre><pre>get_OperationalStatus</pre><pre>OperationalStatus</pre><pre>FakemsgInstall</pre><pre>System.Net.Mail</pre><pre>SmtpClient</pre><pre>System.Globalization</pre><pre>set_Port</pre><pre>System.Net</pre><pre>Microsoft.Win32</pre><pre>RegistryKey</pre><pre>OpenSubKey</pre><pre>System.Security.Cryptography</pre><pre>System.Text</pre><pre>set_Key</pre><pre>stealWebroswers</pre><pre>WebClient</pre><pre>readweb</pre><pre>System.IO.Compression</pre><pre>SendLogsFTP</pre><pre>FtpWebRequest</pre><pre>WebRequest</pre><pre>UploadFTP</pre><pre>secretKey</pre><pre>set_KeySize</pre><pre>get_KeySize</pre><pre>System.Net.Sockets</pre><pre>virtualKey</pre><pre>KeyboardHookDelegate</pre><pre>get_Msg</pre><pre>Debugger.My.Resources</pre><pre>System.Resources</pre><pre>get_CMemoryExecute</pre><pre>get_WebBrowserPassView</pre><pre>WebBrowserPassView</pre><pre>System.Configuration</pre><pre>8.0.0.0</pre><pre>My.Computer</pre><pre>My.Application</pre><pre>My.User</pre><pre>My.Forms</pre><pre>My.WebServices</pre><pre>System.Windows.Forms.Form</pre><pre>My.MyProject.Forms</pre><pre>4System.Web.Services.Protocols.SoapHttpClientProtocol</pre><pre>3System.Resources.Tools.StronglyTypedResourceBuilder</pre><pre>4.0.0.0</pre><pre>KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator</pre><pre>10.0.0.0</pre><pre>My.Settings</pre><pre>$e48811ca-8af8-4e73-85dd-2045b9cca73a</pre><pre>_CorExeMain</pre><pre><assemblyIdentity version="1.0.0.0" name="MyApplication.app" /></pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false" /></pre><pre>%%0.ß</pre><pre>Apple Computer\Preferences\keychain.plist</pre><pre>LoadPasswordsIE</pre><pre>LoadPasswordsFirefox</pre><pre>LoadPasswordsChrome</pre><pre>LoadPasswordsOpera</pre><pre>LoadPasswordsSafari</pre><pre>LoadPasswordsSeaMonkey</pre><pre>UseFirefoxProfileFolder</pre><pre>UseFirefoxInstallFolder</pre><pre>UseChromeProfileFolder</pre><pre>UseOperaPasswordFile</pre><pre>FirefoxProfileFolder</pre><pre>FirefoxInstallFolder</pre><pre>ChromeProfileFolder</pre><pre>OperaPasswordFile</pre><pre>Aadvapi32.dll</pre><pre>crypt32.dll</pre><pre>777705555443332</pre><pre>5555443332</pre><pre>5555443332</pre><pre>wand.dat</pre><pre>@nss3.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe</pre><pre>%programfiles%\Sea Monkey</pre><pre>%programfiles%\Mozilla Firefox</pre><pre>-signons.txt</pre><pre>signons2.txt</pre><pre>signons3.txt</pre><pre>@dllhost.exe</pre><pre>taskhost.exe</pre><pre>taskhostex.exe</pre><pre>Microsoft\Windows\WebCache\WebCacheV01.dat</pre><pre>Microsoft\Windows\WebCache\WebCacheV24.dat</pre><pre>index.dat</pre><pre>https://www.google.com/accounts/servicelogin</pre><pre>http://www.facebook.com/</pre><pre>https://login.yahoo.com/config/login</pre><pre>http://</pre><pre>https://</pre><pre>ftp://</pre><pre>@history.dat</pre><pre>places.sqlite</pre><pre>Mozilla\Firefox\Profiles</pre><pre>Mozilla\SeaMonkey\Profiles</pre><pre>Mozilla\SeaMonkey</pre><pre>Mozilla\Firefox</pre><pre>profiles.ini</pre><pre>Profile%d</pre><pre>tntdll.dll</pre><pre>sWeb Data</pre><pre>Login Data</pre><pre>Google\Chrome\User Data</pre><pre>Google\Chrome SxS\User Data</pre><pre>Opera\Opera\wand.dat</pre><pre>Opera\Opera7\profile\wand.dat</pre><pre>Opera</pre><pre>@"%s"</pre><pre>Ashell32.dll</pre><pre>\nss3.dll</pre><pre>.save</pre><pre>vaultcli.dll</pre><pre>abe2869f-9b47-4cd9-a358-c22904dba7f7</pre><pre>Copy &Password</pre><pre>&HTML Report - All Items</pre><pre>HTML R&eport - Selected Items</pre><pre>HTML Report - All Items</pre><pre>HTML Report - Selected Items</pre><pre>Load Passwords From...</pre><pre>Google Chrome</pre><pre>Mozilla Firefox</pre><pre>SeaMonkey</pre><pre>Firefox Options</pre><pre>Master password:</pre><pre>Firefox Profile:</pre><pre>Firefox Installation:</pre><pre>Chrome Options</pre><pre>Opera Options</pre><pre>wand.dat file:</pre><pre>%d Passwords</pre><pre>, %d Selected</pre><pre>Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)</pre><pre>Loading... %d</pre><pre>KeePass csv file</pre><pre>Opera Password File</pre><pre>Firefox 1.x</pre><pre>Firefox 2.x</pre><pre>Firefox 3.0</pre><pre>Firefox</pre><pre>Chrome</pre><pre>Web Browser</pre><pre>Password</pre><pre>Password Strength</pre><pre>Password Field</pre><pre>WebBrowserPassView.exe</pre><pre>www.google.com/Please log in to your Gmail account</pre><pre>www.google.com:443/Please log in to your Gmail account</pre><pre>www.google.com/Please log in to your Google Account</pre><pre>www.google.com:443/Please log in to your Google Account</pre><pre>www.google.com</pre><pre>dWindowsLive:name=*</pre><pre>82BD0E67-9FEA-4748-8672-D5EFE5B779B0</pre><pre>Copy Password</pre><pre>%d items</pre><pre>Select Eudora.ini filename/Select the location of Thunderbird installation</pre><pre>Eudora.ini file</pre><pre>SMTP</pre><pre>Windows Mail</pre><pre>Windows Live Mail</pre><pre>Server Port</pre><pre>SMTP Server Port</pre><pre>Mail Password Recovery</pre><pre>mailpv.exe</pre><pre>3, 7 #,)</pre><pre>MessageBoxIcon.Error</pre><pre>noftp</pre><pre>filename.exe</pre><pre>http://www.example.com/directory/file.exe</pre><pre>Disablecmd</pre><pre>\Windows Update.exe</pre><pre>\WindowsUpdate.exe</pre><pre>SysInfo.txt</pre><pre>\pid.txt</pre><pre>\pidloc.txt</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>127.0.0.1</pre><pre>ping -n 1 -w 3000 1.1.1.1</pre><pre>cmd.exe</pre><pre>\SteamAppData.vdf</pre><pre>\ClientRegistry.blob</pre><pre>MessageBoxIcon.Exclamation</pre><pre>Keylogger Enabled:</pre><pre>Operating System:</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced</pre><pre>autorun.inf</pre><pre>open=Sys.exe</pre><pre>Sys.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update</pre><pre>C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>\bitcoin\wallet.dat</pre><pre>_wallet.dat</pre><pre>wallet.dat</pre><pre>Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>holdermail.txt"</pre><pre>holdermail.txt</pre><pre>Operating System Intel Recovery</pre><pre>Operating System Platform:</pre><pre>Operating System Version:</pre><pre>WEB Browser Password Recovery</pre><pre>Mail Messenger Password Recovery</pre><pre>Jdownloader Password Recovery</pre><pre>holderwb.txt"</pre><pre>holderwb.txt</pre><pre>C:\Users\</pre><pre>_Pin0.jpeg</pre><pre>_Pin1.jpeg</pre><pre>_Pin2.jpeg</pre><pre>_Pin3.jpeg</pre><pre>_Pin4.jpeg</pre><pre>Steals the Wallet.DAT file that holds the users bitcoin currency</pre><pre>\.minecraft\lastlogin</pre><pre>There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor</pre><pre>Predator Pain v14 - Key Recorder - [</pre><pre>Keylogger Log</pre><pre>.jpeg</pre><pre>Predator_Pain_v14_KeyLog_</pre><pre>http://whatismyipaddress.com/</pre><pre>Debugger.Resources</pre><pre>:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><b>oDefrag.exe_444_rwx_00400000_00084000:</b><pre>.text</pre><pre>`.rsrc</pre><pre>@.reloc</pre><pre>lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet</pre><pre>v2.0.50727</pre><pre>CMemoryExecute.dll</pre><pre>CMemoryExecute</pre><pre>PAGE_EXECUTE_READWRITE</pre><pre>.ctor</pre><pre>System.Reflection</pre><pre>System.Runtime.InteropServices</pre><pre>System.Security.Permissions</pre><pre>System.Diagnostics</pre><pre>System.Runtime.CompilerServices</pre><pre>DllImportAttribute</pre><pre>kernel32.dll</pre><pre>ntdll.dll</pre><pre>System.Security</pre><pre>$8fcd4931-91a2-4e18-849b-70de34ab75df</pre><pre>1.0.0.0</pre><pre>System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</pre><pre>C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb</pre><pre>mscoree.dll</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>D$.SPf</pre><pre> 2 34 567</pre><pre>com.apple.Safari</pre><pre>com.apple.WebKit2WebProcess</pre><pre>SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins</pre><pre>"Account","Login Name","Password","Web Site","Comments"</pre><pre>3.7.5</pre><pre>SQLite format 3</pre><pre>CREATE TABLE sqlite_master(</pre><pre>sql text</pre><pre>REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY</pre><pre>SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins</pre><pre>PK11_GetInternalKeySlot</pre><pre>PK11_CheckUserPassword</pre><pre>large file support is disabled</pre><pre>unknown operation</pre><pre>SQL logic error or missing database</pre><pre>foreign_keys</pre><pre>sqlite_compileoption_get</pre><pre>sqlite_compileoption_used</pre><pre>sqlite_source_id</pre><pre>sqlite_version</pre><pre>sqlite_attach</pre><pre>sqlite_detach</pre><pre>sqlite_stat1</pre><pre>sqlite_rename_parent</pre><pre>sqlite_rename_trigger</pre><pre>sqlite_rename_table</pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>%Y-%m-%d</pre><pre>%H:%M:%S</pre><pre>SQLITE_</pre><pre>failed to allocate %u bytes of memory</pre><pre>failed memory resize %u to %u bytes</pre><pre>922337203685477580</pre><pre>API call with %s database connection pointer</pre><pre>%s-shm</pre><pre>%s\etilqs_</pre><pre>OsError 0x%x (%u)</pre><pre>Recovered %d frames from WAL file %s</pre><pre>%s-mjX</pre><pre>foreign key constraint failed</pre><pre>unable to use function %s in the requested context</pre><pre>abort at %d in [%s]: %s</pre><pre>constraint failed at %d in [%s]</pre><pre>cannot open savepoint - SQL statements in progress</pre><pre>no such savepoint: %s</pre><pre>cannot %s savepoint - SQL statements in progress</pre><pre>cannot rollback transaction - SQL statements in progress</pre><pre>cannot commit transaction - SQL statements in progress</pre><pre>sqlite_master</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid</pre><pre>cannot change %s wal mode from within a transaction</pre><pre>statement aborts at %d: [%s] %s</pre><pre>misuse of aliased aggregate %s</pre><pre>%s: %s.%s.%s</pre><pre>%s: %s.%s</pre><pre>%s: %s</pre><pre>%r %s BY term out of range - should be between 1 and %d</pre><pre>too many terms in %s BY clause</pre><pre>Expression tree is too large (maximum depth %d)</pre><pre>variable number must be between ?1 and ?%d</pre><pre>too many SQL variables</pre><pre>too many columns in %s</pre><pre>oversized integer: %s%s</pre><pre>misuse of aggregate: %s()</pre><pre>%.*s"%w"%s</pre><pre>%s%.*s"%w"</pre><pre>%s OR name=%Q</pre><pre>type='trigger' AND (%s)</pre><pre>there is already another table or index with this name: %s</pre><pre>sqlite_</pre><pre>table %s may not be altered</pre><pre>view %s may not be altered</pre><pre>UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;</pre><pre>UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');</pre><pre>UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;</pre><pre>Cannot add a PRIMARY KEY column</pre><pre>UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q</pre><pre>sqlite_altertab_%s</pre><pre>CREATE TABLE %Q.%s(%s)</pre><pre>DELETE FROM %Q.%s WHERE tbl=%Q</pre><pre>SELECT tbl, idx, stat FROM %Q.sqlite_stat1</pre><pre>invalid name: "%s"</pre><pre>too many attached databases - max %d</pre><pre>database %s is already in use</pre><pre>unable to open database: %s</pre><pre>no such database: %s</pre><pre>cannot detach database %s</pre><pre>database %s is locked</pre><pre>%s %T cannot reference objects in database %s</pre><pre>object name reserved for internal use: %s</pre><pre>there is already an index named %s</pre><pre>too many columns on %s</pre><pre>duplicate column name: %s</pre><pre>default value of column [%s] is not constant</pre><pre>table "%s" has more than one primary key</pre><pre>no such collation sequence: %s</pre><pre>CREATE %s %.*s</pre><pre>UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d</pre><pre>view %s is circularly defined</pre><pre>table %s may not be dropped</pre><pre>use DROP TABLE to delete table %s</pre><pre>use DROP VIEW to delete view %s</pre><pre>DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q</pre><pre>foreign key on %s should reference only one column of table %T</pre><pre>number of columns in foreign key does not match the number of columns in the referenced table</pre><pre>unknown column "%s" in foreign key definition</pre><pre>indexed columns are not unique</pre><pre>table %s may not be indexed</pre><pre>views may not be indexed</pre><pre>virtual tables may not be indexed</pre><pre>there is already a table named %s</pre><pre>index %s already exists</pre><pre>sqlite_autoindex_%s_%d</pre><pre>table %s has no column named %s</pre><pre>CREATE%s INDEX %.*s</pre><pre>INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);</pre><pre>no such index: %S</pre><pre>index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped</pre><pre>DELETE FROM %Q.%s WHERE name=%Q AND type='index'</pre><pre>DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q</pre><pre>a JOIN clause is required before %s</pre><pre>unable to identify the object to be reindexed</pre><pre>table %s may not be modified</pre><pre>cannot modify %s because it is a view</pre><pre>foreign key mismatch</pre><pre>table %S has %d columns but %d values were supplied</pre><pre>%d values for %d columns</pre><pre>table %S has no column named %s</pre><pre>%s.%s may not be NULL</pre><pre>PRIMARY KEY must be unique</pre><pre>automatic extension loading failed: %s</pre><pre>foreign_key_list</pre><pre>malformed database schema (%s)</pre><pre>%s - %s</pre><pre>unsupported file format</pre><pre>SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid</pre><pre>unknown or unsupported join type: %T %T%s%T</pre><pre>RIGHT and FULL OUTER JOINs are not currently supported</pre><pre>a NATURAL join may not have an ON or USING clause</pre><pre>cannot have both ON and USING clauses in the same join</pre><pre>cannot join using column %s - column not present in both tables</pre><pre>%s.%s</pre><pre>%s:%d</pre><pre>no such index: %s</pre><pre>sqlite_subquery_%p_</pre><pre>no such table: %s</pre><pre>cannot create %s trigger on view: %S</pre><pre>cannot create INSTEAD OF trigger on table: %S</pre><pre>INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')</pre><pre>no such trigger: %S</pre><pre>no such column: %s</pre><pre>cannot VACUUM - SQL statements in progress</pre><pre>PRAGMA vacuum_db.synchronous=OFF</pre><pre>SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'</pre><pre>SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0</pre><pre>SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'</pre><pre>SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';</pre><pre>INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)</pre><pre>UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d</pre><pre>vtable constructor failed: %s</pre><pre>vtable constructor did not declare schema: %s</pre><pre>no such module: %s</pre><pre>table %s: xBestIndex returned an invalid plan</pre><pre>at most %d tables in a join</pre><pre>cannot use index: %s</pre><pre>the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers</pre><pre>unable to close due to unfinished backup operation</pre><pre>unknown database: %s</pre><pre>no such vfs: %s</pre><pre>database corruption at line %d of [%.10s]</pre><pre>misuse at line %d of [%.10s]</pre><pre>cannot open file at line %d of [%.10s]</pre><pre>sqlite3_open</pre><pre>sqlite3_prepare</pre><pre>sqlite3_step</pre><pre>sqlite3_column_text</pre><pre>sqlite3_column_int</pre><pre>sqlite3_column_int64</pre><pre>sqlite3_finalize</pre><pre>sqlite3_close</pre><pre>sqlite3_exec</pre><pre>f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb</pre><pre>msvcrt.dll</pre><pre>_wcmdln</pre><pre>COMCTL32.dll</pre><pre>VERSION.dll</pre><pre>FindCloseUrlCache</pre><pre>FindNextUrlCacheEntryW</pre><pre>FindFirstUrlCacheEntryW</pre><pre>WININET.dll</pre><pre>GetWindowsDirectoryW</pre><pre>KERNEL32.dll</pre><pre>EnumChildWindows</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>comdlg32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>5JEw%Xg</pre><pre><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>http://www.usertrust.com1</pre><pre>3http://crl.usertrust.com/AddTrustExternalCARoot.crl05</pre><pre>http://ocsp.usertrust.com0</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl05</pre><pre>1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t</pre><pre>1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%</pre><pre>https://secure.comodo.net/CPS0A</pre><pre>0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r</pre><pre>0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$</pre><pre>http://ocsp.comodoca.com0</pre><pre>support@nirsoft.net0</pre><pre>t{SSh</pre><pre>v%SSW</pre><pre>Mail PassView</pre><pre>Mozilla\Profiles</pre><pre>Software\Mozilla\Mozilla Thunderbird</pre><pre>%s\Main</pre><pre>sqlite3.dll</pre><pre>nss3.dll</pre><pre>%programfiles%\Mozilla Thunderbird</pre><pre>AddExportHeaderLine</pre><pre>%s %s %s</pre><pre>HTTPMail User Name</pre><pre>SMTP USer Name</pre><pre>HTTPMail Server</pre><pre>SMTP Server</pre><pre>POP3 Password2</pre><pre>IMAP Password2</pre><pre>HTTPMail Password2</pre><pre>SMTP Password2</pre><pre>POP3 Port</pre><pre>IMAP Port</pre><pre>HTTPMail Port</pre><pre>SMTP Port</pre><pre>HTTPMail Secure Connection</pre><pre>SMTP Secure Connection</pre><pre>SMTP Display Name</pre><pre>SMTP Email Address</pre><pre>POP3 Password</pre><pre>IMAP Password</pre><pre>HTTP Password</pre><pre>SMTP Password</pre><pre>HTTP User</pre><pre>SMTP User</pre><pre>HTTP Server URL</pre><pre>HTTP Port</pre><pre>HTTPMail Use SSL</pre><pre>SMTP Use SSL</pre><pre>%s\%s</pre><pre>PopPort</pre><pre>PopPassword</pre><pre>SMTPAccount</pre><pre>SMTPServer</pre><pre>SMTPPort</pre><pre>SMTPLogSecure</pre><pre>SMTPPassword</pre><pre>%s\Accounts</pre><pre>LoginName</pre><pre>SavePasswordText</pre><pre>ESMTPUsername</pre><pre>ESMTPPassword</pre><pre>POP3Password</pre><pre>fb.dat</pre><pre>%s@gmail.com</pre><pre>%s@yahoo.com</pre><pre>Software\Microsoft\Windows Messaging Subsystem\Profiles</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles</pre><pre><meta http-equiv="content-type" content="text/html;charset=%s" /></pre><pre><br /><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p></p></pre><pre>smtp</pre><pre>advapi32.dll</pre><pre>comctl32.dll</pre><pre>*.ini</pre><pre>netmsg.dll</pre><pre>Error %d: %s</pre><pre>%s (%s)</pre><pre>menu_%d</pre><pre>dialog_%d</pre><pre>TranslatorURL</pre><pre>_lng.ini</pre><pre>%-18s: %s</pre><pre>%%-%d.%ds</pre><pre><td bgcolor="s" nowrap>%s</td></pre><pre><td bgcolor="s">%s</td></pre><pre><tr><td%s nowrap><b>%s</b><td bgcolor="s">%s</td></td%s></tr></pre><pre>bgcolor="%s"</pre><pre><font color="%s">%s</font></pre><pre><%s>%s</pre><pre></pre><pre>report.html</pre><pre>*.txt</pre><pre>*.htm;*.html</pre><pre>*.xml</pre><pre>*.csv</pre><pre>Software\NirSoft\MailPassView</pre><pre>MailPassView</pre><pre>/skeepass</pre><pre>/deleteregkey</pre><pre>Failed to load the executable file !</pre><pre>mail.account.account</pre><pre>mail.server</pre><pre>port</pre><pre>mail.identity</pre><pre>signon.signonfilename</pre><pre>mailbox://%s@%s</pre><pre>imap://%s@%s</pre><pre>mailbox://%s</pre><pre>imap://%s</pre><pre>signons.txt</pre><pre>signons.sqlite</pre><pre>prefs.js</pre><pre>Password.NET Messenger Service</pre><pre>User.NET Messenger Service</pre><pre>Passport.Net\*</pre><pre>ps:password</pre><pre>windowslive:name=</pre><pre>Exception %8.8X at address %8.8X in module %s</pre><pre>Stack Data: %s</pre><pre>Code Data: %s</pre><pre>mozsqlite3.dll</pre><pre>psapi.dll</pre><pre>pstorec.dll</pre><pre>5e7e8100-9138-11d1-945a-00c04fc308ff</pre><pre>00000000-0000-0000-0000-000000000000</pre><pre>220D5CD0-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CD1-853A-11D0-84BC-00C04FD43F8F</pre><pre>220D5CC1-853A-11D0-84BC-00C04FD43F8F</pre><pre>417E2D75-84BD-11D0-84BB-00C04FD43F8F</pre><pre>shell32.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>shlwapi.dll</pre><pre><html><head>%s<title>%s</title></head></html></pre><pre>%s <h3>%s</h3></pre><pre>size="%d"</pre><pre>color="#%s"</pre><pre><font color="%s"></font></pre><pre><table border="1" cellpadding="5"><tr%s></tr%s></table></pre><pre>width="%s"</pre><pre><th%s>%s%s%s</th%s></pre><pre>SOFTWARE\Mozilla</pre><pre>mozilla</pre><pre>%s\bin</pre><pre>PathToExe</pre><pre>\sqlite3.dll</pre><pre>\mozsqlite3.dll</pre><pre>Software\Microsoft\Windows Mail</pre><pre>Software\Microsoft\Windows Live Mail</pre><pre>SMTP_Server</pre><pre>SMTP_User_Name</pre><pre>POP3_Password2</pre><pre>IMAP_Password2</pre><pre>NNTP_Password2</pre><pre>SMTP_Password2</pre><pre>SMTP_Email_Address</pre><pre>SMTP_Port</pre><pre>NNTP_Port</pre><pre>IMAP_Port</pre><pre>POP3_Port</pre><pre>SMTP_Secure_Connection</pre><pre>*.oeaccount</pre><pre>\Microsoft\Windows Mail</pre><pre>\Microsoft\Windows Live Mail</pre><pre>f:\Projects\VS2005\mailpv\Release\mailpv.pdb</pre><pre>_acmdln</pre><pre>RPCRT4.dll</pre><pre>GetWindowsDirectoryA</pre><pre>RegDeleteKeyA</pre><pre>RegOpenKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegEnumKeyExA</pre><pre>ShellExecuteA</pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="NirSoft" type="win32"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD</pre><pre>Debugger.exe</pre><pre>Microsoft.VisualBasic</pre><pre>System.Windows.Forms</pre><pre>System.Drawing</pre><pre>System.Management</pre><pre>tapi32.dll</pre><pre>rtm.dll</pre><pre>user32.dll</pre><pre>Debugger.Debugger.resources</pre><pre>Debugger.Resources.resources</pre><pre>Debugger.My</pre><pre>WindowsFormsApplicationBase</pre><pre>Microsoft.VisualBasic.ApplicationServices</pre><pre>System.ComponentModel</pre><pre>System.CodeDom.Compiler</pre><pre>Microsoft.VisualBasic.Devices</pre><pre>m_MyWebServicesObjectProvider</pre><pre>.cctor</pre><pre>get_WebServices</pre><pre>HelpKeywordAttribute</pre><pre>System.ComponentModel.Design</pre><pre>WebServices</pre><pre>Microsoft.VisualBasic.CompilerServices</pre><pre>System.Collections</pre><pre>ContainsKey</pre><pre>InvalidOperationException</pre><pre>MyWebServices</pre><pre>encryptedpassstring</pre><pre>encryptedsmtpstring</pre><pre>portstring</pre><pre>fakeMSGholder</pre><pre>encryptedftphost</pre><pre>encryptedftpuser</pre><pre>encryptedftppass</pre><pre>useftp</pre><pre>websitevisitor</pre><pre>websiteblocker</pre><pre>passstring</pre><pre>smtpstring</pre><pre>ftphost</pre><pre>ftpuser</pre><pre>ftppass</pre><pre>WM_KEYUP</pre><pre>WM_KEYDOWN</pre><pre>WM_SYSKEYDOWN</pre><pre>WM_SYSKEYUP</pre><pre>KeyboardHandle</pre><pre>KeyLog</pre><pre>CleanedPasswordsMAIL</pre><pre>CleanedPasswordsWB</pre><pre>System.IO</pre><pre>get_ExecutablePath</pre><pre>WindowsIdentity</pre><pre>System.Security.Principal</pre><pre>set_WindowState</pre><pre>FormWindowState</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>GetAsyncKeyState</pre><pre>vKey</pre><pre>HookKeyboard</pre><pre>UnhookKeyboard</pre><pre>Operators</pre><pre>get_Keyboard</pre><pre>Keyboard</pre><pre>get_CtrlKeyDown</pre><pre>get_AltKeyDown</pre><pre>KeyboardCallback</pre><pre>System.Threading</pre><pre>System.Collections.Generic</pre><pre>Microsoft.VisualBasic.MyServices</pre><pre>System.Collections.ObjectModel</pre><pre>MsgBox</pre><pre>MsgBoxResult</pre><pre>MsgBoxStyle</pre><pre>set_WindowStyle</pre><pre>ProcessWindowStyle</pre><pre>ForceSteamLogin</pre><pre>System.Net.NetworkInformation</pre><pre>get_OperationalStatus</pre><pre>OperationalStatus</pre><pre>FakemsgInstall</pre><pre>System.Net.Mail</pre><pre>SmtpClient</pre><pre>System.Globalization</pre><pre>set_Port</pre><pre>System.Net</pre><pre>Microsoft.Win32</pre><pre>RegistryKey</pre><pre>OpenSubKey</pre><pre>System.Security.Cryptography</pre><pre>System.Text</pre><pre>set_Key</pre><pre>stealWebroswers</pre><pre>WebClient</pre><pre>readweb</pre><pre>System.IO.Compression</pre><pre>SendLogsFTP</pre><pre>FtpWebRequest</pre><pre>WebRequest</pre><pre>UploadFTP</pre><pre>secretKey</pre><pre>set_KeySize</pre><pre>get_KeySize</pre><pre>System.Net.Sockets</pre><pre>virtualKey</pre><pre>KeyboardHookDelegate</pre><pre>get_Msg</pre><pre>Debugger.My.Resources</pre><pre>System.Resources</pre><pre>get_CMemoryExecute</pre><pre>get_WebBrowserPassView</pre><pre>WebBrowserPassView</pre><pre>System.Configuration</pre><pre>8.0.0.0</pre><pre>My.Computer</pre><pre>My.Application</pre><pre>My.User</pre><pre>My.Forms</pre><pre>My.WebServices</pre><pre>System.Windows.Forms.Form</pre><pre>My.MyProject.Forms</pre><pre>4System.Web.Services.Protocols.SoapHttpClientProtocol</pre><pre>3System.Resources.Tools.StronglyTypedResourceBuilder</pre><pre>4.0.0.0</pre><pre>KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator</pre><pre>10.0.0.0</pre><pre>My.Settings</pre><pre>$e48811ca-8af8-4e73-85dd-2045b9cca73a</pre><pre>_CorExeMain</pre><pre><assemblyIdentity version="1.0.0.0" name="MyApplication.app" /></pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false" /></pre><pre>%%0.ß</pre><pre>Apple Computer\Preferences\keychain.plist</pre><pre>LoadPasswordsIE</pre><pre>LoadPasswordsFirefox</pre><pre>LoadPasswordsChrome</pre><pre>LoadPasswordsOpera</pre><pre>LoadPasswordsSafari</pre><pre>LoadPasswordsSeaMonkey</pre><pre>UseFirefoxProfileFolder</pre><pre>UseFirefoxInstallFolder</pre><pre>UseChromeProfileFolder</pre><pre>UseOperaPasswordFile</pre><pre>FirefoxProfileFolder</pre><pre>FirefoxInstallFolder</pre><pre>ChromeProfileFolder</pre><pre>OperaPasswordFile</pre><pre>Aadvapi32.dll</pre><pre>crypt32.dll</pre><pre>777705555443332</pre><pre>5555443332</pre><pre>5555443332</pre><pre>wand.dat</pre><pre>@nss3.dll</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe</pre><pre>%programfiles%\Sea Monkey</pre><pre>%programfiles%\Mozilla Firefox</pre><pre>-signons.txt</pre><pre>signons2.txt</pre><pre>signons3.txt</pre><pre>@dllhost.exe</pre><pre>taskhost.exe</pre><pre>taskhostex.exe</pre><pre>Microsoft\Windows\WebCache\WebCacheV01.dat</pre><pre>Microsoft\Windows\WebCache\WebCacheV24.dat</pre><pre>index.dat</pre><pre>https://www.google.com/accounts/servicelogin</pre><pre>http://www.facebook.com/</pre><pre>https://login.yahoo.com/config/login</pre><pre>http://</pre><pre>https://</pre><pre>ftp://</pre><pre>@history.dat</pre><pre>places.sqlite</pre><pre>Mozilla\Firefox\Profiles</pre><pre>Mozilla\SeaMonkey\Profiles</pre><pre>Mozilla\SeaMonkey</pre><pre>Mozilla\Firefox</pre><pre>profiles.ini</pre><pre>Profile%d</pre><pre>tntdll.dll</pre><pre>sWeb Data</pre><pre>Login Data</pre><pre>Google\Chrome\User Data</pre><pre>Google\Chrome SxS\User Data</pre><pre>Opera\Opera\wand.dat</pre><pre>Opera\Opera7\profile\wand.dat</pre><pre>Opera</pre><pre>@"%s"</pre><pre>Ashell32.dll</pre><pre>\nss3.dll</pre><pre>.save</pre><pre>vaultcli.dll</pre><pre>abe2869f-9b47-4cd9-a358-c22904dba7f7</pre><pre>Copy &Password</pre><pre>&HTML Report - All Items</pre><pre>HTML R&eport - Selected Items</pre><pre>HTML Report - All Items</pre><pre>HTML Report - Selected Items</pre><pre>Load Passwords From...</pre><pre>Google Chrome</pre><pre>Mozilla Firefox</pre><pre>SeaMonkey</pre><pre>Firefox Options</pre><pre>Master password:</pre><pre>Firefox Profile:</pre><pre>Firefox Installation:</pre><pre>Chrome Options</pre><pre>Opera Options</pre><pre>wand.dat file:</pre><pre>%d Passwords</pre><pre>, %d Selected</pre><pre>Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)</pre><pre>Loading... %d</pre><pre>KeePass csv file</pre><pre>Opera Password File</pre><pre>Firefox 1.x</pre><pre>Firefox 2.x</pre><pre>Firefox 3.0</pre><pre>Firefox</pre><pre>Chrome</pre><pre>Web Browser</pre><pre>Password</pre><pre>Password Strength</pre><pre>Password Field</pre><pre>WebBrowserPassView.exe</pre><pre>www.google.com/Please log in to your Gmail account</pre><pre>www.google.com:443/Please log in to your Gmail account</pre><pre>www.google.com/Please log in to your Google Account</pre><pre>www.google.com:443/Please log in to your Google Account</pre><pre>www.google.com</pre><pre>dWindowsLive:name=*</pre><pre>82BD0E67-9FEA-4748-8672-D5EFE5B779B0</pre><pre>Copy Password</pre><pre>%d items</pre><pre>Select Eudora.ini filename/Select the location of Thunderbird installation</pre><pre>Eudora.ini file</pre><pre>SMTP</pre><pre>Windows Mail</pre><pre>Windows Live Mail</pre><pre>Server Port</pre><pre>SMTP Server Port</pre><pre>Mail Password Recovery</pre><pre>mailpv.exe</pre><pre>3, 7 #,)</pre><pre>MessageBoxIcon.Error</pre><pre>noftp</pre><pre>filename.exe</pre><pre>http://www.example.com/directory/file.exe</pre><pre>Disablecmd</pre><pre>\Windows Update.exe</pre><pre>\WindowsUpdate.exe</pre><pre>SysInfo.txt</pre><pre>\pid.txt</pre><pre>\pidloc.txt</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>127.0.0.1</pre><pre>ping -n 1 -w 3000 1.1.1.1</pre><pre>cmd.exe</pre><pre>\SteamAppData.vdf</pre><pre>\ClientRegistry.blob</pre><pre>MessageBoxIcon.Exclamation</pre><pre>Keylogger Enabled:</pre><pre>Operating System:</pre><pre>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced</pre><pre>autorun.inf</pre><pre>open=Sys.exe</pre><pre>Sys.exe</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Update</pre><pre>C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>\bitcoin\wallet.dat</pre><pre>_wallet.dat</pre><pre>wallet.dat</pre><pre>Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><pre>holdermail.txt"</pre><pre>holdermail.txt</pre><pre>Operating System Intel Recovery</pre><pre>Operating System Platform:</pre><pre>Operating System Version:</pre><pre>WEB Browser Password Recovery</pre><pre>Mail Messenger Password Recovery</pre><pre>Jdownloader Password Recovery</pre><pre>holderwb.txt"</pre><pre>holderwb.txt</pre><pre>C:\Users\</pre><pre>_Pin0.jpeg</pre><pre>_Pin1.jpeg</pre><pre>_Pin2.jpeg</pre><pre>_Pin3.jpeg</pre><pre>_Pin4.jpeg</pre><pre>Steals the Wallet.DAT file that holds the users bitcoin currency</pre><pre>\.minecraft\lastlogin</pre><pre>There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor</pre><pre>Predator Pain v14 - Key Recorder - [</pre><pre>Keylogger Log</pre><pre>.jpeg</pre><pre>Predator_Pain_v14_KeyLog_</pre><pre>http://whatismyipaddress.com/</pre><pre>Debugger.Resources</pre><pre>:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe</pre><b>oDefrag.exe_444_rwx_675A6000_00003000:</b><pre>.Qg<-Qg><pre>*Rg`.Rg|)RgL Rg</pre></-Qg></pre></pre>