For a Limited Time: Get HUGE savings on Pro and Sticky Password Premium! Act now & save 60%! BUY NOW >
  • Stay aware

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • How to get the best

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Help us

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Forum

    Inquietari sueti praenturis et stationibus servabantur agrariis

Fri, 03/31/2017 - 03:05

Trojan.GenericKD.4586130_f00a8892f8

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.4586130 (B) (Emsisoft), Trojan.GenericKD.4586130 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS) Behaviour: Trojan, Worm, HackTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: f00a8892f8c25bd68f4834301b6d1165

SHA1: 019aa00251e5ec8a8300b9cb12902113d199a88d

SHA256: 997aae20f538b667c739d697b75966d33b1a3721aac41c375815ec05d7e7b0b3

SSDeep: 24576:JndLZqMeQ oIfVKNFjBmj2MKQjKsKbfscIc2dUSxGCBWfucmumKV18gjAsRkrRrD:NHN1I0NOmo8fBIqCB6Hg06MqF

Size: 2176512 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2016-10-08 19:05:54

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1780
ViaFile.EXE:1916
vbc.exe:2960
installutil.exe:2784

The Trojan injects its code into the following process(es):

RegAsm.exe:3220
installutil.exe:3692

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process RegAsm.exe:3220 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe (53 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holdermail.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (0 bytes)

The process vbc.exe:2960 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)

The process installutil.exe:2784 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\ViaFolder\ViaFile.EXE (148 bytes)

Registry activity

The process %original file name%.exe:1780 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process RegAsm.exe:3220 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"MaxFileSize" = "1048576"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe"

The process ViaFile.EXE:1916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
278edbd499374bf73621f8c1f969d894c:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1780
    ViaFile.EXE:1916
    vbc.exe:2960
    installutil.exe:2784

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (56 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\ViaFolder\ViaFile.EXE (148 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: 2006; Wikipedia Journal also editors that
Product Name: acknowledged magazine, policy comparison, encyclopedia Alto
Product Version: 1.7.5.3
Legal Copyright:
Legal Trademarks: In stable and it in slowing
Original Filename: acknowledged magazine, policy comparison, encyclopedia Alto
Internal Name: acknowledged magazine, policy comparison, encyclopedia Alto
File Version: 4.10.0.7
File Description: engine that titled 8, facing Wales
Comments: 2001, these decline.[49] not claims numbers
Language: Chinese (Simplified, PRC)

Company Name: 2006; Wikipedia Journal also editors that Product Name: acknowledged magazine, policy comparison, encyclopedia Alto Product Version: 1.7.5.3 Legal Copyright: Legal Trademarks: In stable and it in slowing Original Filename: acknowledged magazine, policy comparison, encyclopedia Alto Internal Name: acknowledged magazine, policy comparison, encyclopedia Alto File Version: 4.10.0.7 File Description: engine that titled 8, facing Wales Comments: 2001, these decline.[49] not claims numbers Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text8192217282021729284.43824aa10599e100412fdb0a54e5bcaa33c1e
.rsrc2187264212625602.45403b6f626cbbb110d187c872f53ed9ef80e
.reloc2195456125120.070639a2ed04e0630b5bc50302ac6760f0ebd6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://whatismyipaddress.com/92.122.94.47
smtp-mail.outlook.com65.55.176.126

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: whatismyipaddress.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 59

Date: Thu, 30 Mar 2017 07:29:33 GMT

Connection: keep-alive

Access Denied (AK1). Contact support@whatismyipaddress.comHTTP/1.1 200 OK..Content-Type: text/html..Content-Length: 59..Date: Thu, 30 Mar 2017 07:29:33 GMT..Connection: keep-alive..Access Denied (AK1). Contact support@whatismyipaddress.com..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

installutil.exe_3692_rwx_001E2000_0000E000:

file:///C:\Users\"%CurrentUserName%"\AppData\Roaming\ViaFolder\ViaFile.EXE

file:///C:\Users\"%CurrentUserName%"\AppData\Roaming\ViaFolder\ViaFile.EXE

conhost.exe_3704:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

msvcrt.dll

msvcrt.dll

ntdll.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

KERNEL32.dll

IMM32.dll

IMM32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

Bv.SCv

Bv.SCv

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

Cannot allocate 0n%d bytes

|%SWj

|%SWj

O.fBf;

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

FTPh

\>.Sj

\>.Sj

GetKeyboardLayout

GetKeyboardLayout

MapVirtualKeyW

MapVirtualKeyW

VkKeyScanW

VkKeyScanW

GetKeyboardState

GetKeyboardState

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

GetKeyState

GetKeyState

ActivateKeyboardLayout

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

GetKeyboardLayoutNameW

_amsg_exit

_amsg_exit

_acmdln

_acmdln

ShipAssert

ShipAssert

NtReplyWaitReceivePort

NtReplyWaitReceivePort

NtCreatePort

NtCreatePort

NtEnumerateValueKey

NtEnumerateValueKey

NtQueryValueKey

NtQueryValueKey

NtOpenKey

NtOpenKey

NtAcceptConnectPort

NtAcceptConnectPort

NtReplyPort

NtReplyPort

SetProcessShutdownParameters

SetProcessShutdownParameters

GetCPInfo

GetCPInfo

conhost.pdb

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%$%a%b%V%U%c%Q%W%]%\%[%

%

%

version="5.1.0.0"

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

name="Microsoft.Windows.ConsoleHost"

name="Microsoft.Windows.ConsoleHost.SystemDefault"

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

:>@>

:>@>

2%2X2

2%2X2

%SystemRoot%

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

WindowSize

ColorTableu

ColorTableu

ExtendedEditkeyCustom

ExtendedEditkeyCustom

ExtendedEditKey

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

\ !:=/.;|&

\ !:=/.;|&

%d/%d

%d/%d

cmd.exe

cmd.exe

desktop.ini

desktop.ini

\console.dll

\console.dll

%d/%d

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

CONHOST.EXE

Windows

Windows

Operating System

Operating System

6.1.7601.17641

6.1.7601.17641

RegAsm.exe_3220:

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

v2.0.50727

CMemoryExecute.dll

CMemoryExecute.dll

CMemoryExecute

CMemoryExecute

PAGE_EXECUTE_READWRITE

PAGE_EXECUTE_READWRITE

.ctor

.ctor

System.Reflection

System.Reflection

System.Runtime.InteropServices

System.Runtime.InteropServices

System.Security.Permissions

System.Security.Permissions

System.Diagnostics

System.Diagnostics

System.Runtime.CompilerServices

System.Runtime.CompilerServices

DllImportAttribute

DllImportAttribute

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

System.Security

System.Security

$8fcd4931-91a2-4e18-849b-70de34ab75df

$8fcd4931-91a2-4e18-849b-70de34ab75df

1.0.0.0

1.0.0.0

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

mscoree.dll

mscoree.dll

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

D$.SPf

D$.SPf

2 34 567

2 34 567

com.apple.Safari

com.apple.Safari

com.apple.WebKit2WebProcess

com.apple.WebKit2WebProcess

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

"Account","Login Name","Password","Web Site","Comments"

"Account","Login Name","Password","Web Site","Comments"

3.7.5

3.7.5

SQLite format 3

SQLite format 3

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

sql text

sql text

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

large file support is disabled

large file support is disabled

unknown operation

unknown operation

SQL logic error or missing database

SQL logic error or missing database

foreign_keys

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_source_id

sqlite_source_id

sqlite_version

sqlite_version

sqlite_attach

sqlite_attach

sqlite_detach

sqlite_detach

sqlite_stat1

sqlite_stat1

sqlite_rename_parent

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_table

sqlite_rename_table

%Y-%m-%d %H:%M:%S

%Y-%m-%d %H:%M:%S

%Y-%m-%d

%Y-%m-%d

%H:%M:%S

%H:%M:%S

SQLITE_

SQLITE_

failed to allocate %u bytes of memory

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

failed memory resize %u to %u bytes

922337203685477580

922337203685477580

API call with %s database connection pointer

API call with %s database connection pointer

%s-shm

%s-shm

%s\etilqs_

%s\etilqs_

OsError 0x%x (%u)

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

Recovered %d frames from WAL file %s

%s-mjX

%s-mjX

foreign key constraint failed

foreign key constraint failed

unable to use function %s in the requested context

unable to use function %s in the requested context

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

misuse of aliased aggregate %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s.%s

%s: %s.%s

%s: %s.%s

%s: %s

%s: %s

%r %s BY term out of range - should be between 1 and %d

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

variable number must be between ?1 and ?%d

too many SQL variables

too many SQL variables

too many columns in %s

too many columns in %s

oversized integer: %s%s

oversized integer: %s%s

misuse of aggregate: %s()

misuse of aggregate: %s()

%.*s"%w"%s

%.*s"%w"%s

%s%.*s"%w"

%s%.*s"%w"

%s OR name=%Q

%s OR name=%Q

type='trigger' AND (%s)

type='trigger' AND (%s)

there is already another table or index with this name: %s

there is already another table or index with this name: %s

sqlite_

sqlite_

table %s may not be altered

table %s may not be altered

view %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

invalid name: "%s"

too many attached databases - max %d

too many attached databases - max %d

database %s is already in use

database %s is already in use

unable to open database: %s

unable to open database: %s

no such database: %s

no such database: %s

cannot detach database %s

cannot detach database %s

database %s is locked

database %s is locked

%s %T cannot reference objects in database %s

%s %T cannot reference objects in database %s

object name reserved for internal use: %s

object name reserved for internal use: %s

there is already an index named %s

there is already an index named %s

too many columns on %s

too many columns on %s

duplicate column name: %s

duplicate column name: %s

default value of column [%s] is not constant

default value of column [%s] is not constant

table "%s" has more than one primary key

table "%s" has more than one primary key

no such collation sequence: %s

no such collation sequence: %s

CREATE %s %.*s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

view %s is circularly defined

view %s is circularly defined

table %s may not be dropped

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

use DROP VIEW to delete view %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

unknown column "%s" in foreign key definition

indexed columns are not unique

indexed columns are not unique

table %s may not be indexed

table %s may not be indexed

views may not be indexed

views may not be indexed

virtual tables may not be indexed

virtual tables may not be indexed

there is already a table named %s

there is already a table named %s

index %s already exists

index %s already exists

sqlite_autoindex_%s_%d

sqlite_autoindex_%s_%d

table %s has no column named %s

table %s has no column named %s

CREATE%s INDEX %.*s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

a JOIN clause is required before %s

unable to identify the object to be reindexed

unable to identify the object to be reindexed

table %s may not be modified

table %s may not be modified

cannot modify %s because it is a view

cannot modify %s because it is a view

foreign key mismatch

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has %d columns but %d values were supplied

%d values for %d columns

%d values for %d columns

table %S has no column named %s

table %S has no column named %s

%s.%s may not be NULL

%s.%s may not be NULL

PRIMARY KEY must be unique

PRIMARY KEY must be unique

automatic extension loading failed: %s

automatic extension loading failed: %s

foreign_key_list

foreign_key_list

malformed database schema (%s)

malformed database schema (%s)

%s - %s

%s - %s

unsupported file format

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unknown or unsupported join type: %T %T%s%T

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

cannot join using column %s - column not present in both tables

%s.%s

%s.%s

%s:%d

%s:%d

no such index: %s

no such index: %s

sqlite_subquery_%p_

sqlite_subquery_%p_

no such table: %s

no such table: %s

cannot create %s trigger on view: %S

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

no such trigger: %S

no such column: %s

no such column: %s

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

vtable constructor did not declare schema: %s

no such module: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

at most %d tables in a join

cannot use index: %s

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unable to close due to unfinished backup operation

unknown database: %s

unknown database: %s

no such vfs: %s

no such vfs: %s

database corruption at line %d of [%.10s]

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

cannot open file at line %d of [%.10s]

sqlite3_open

sqlite3_open

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_text

sqlite3_column_text

sqlite3_column_int

sqlite3_column_int

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_close

sqlite3_close

sqlite3_exec

sqlite3_exec

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

msvcrt.dll

msvcrt.dll

_wcmdln

_wcmdln

COMCTL32.dll

COMCTL32.dll

VERSION.dll

VERSION.dll

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

WININET.dll

WININET.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

comdlg32.dll

comdlg32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

5JEw%Xg

5JEw%Xg

hXXp://VVV.usertrust.com1

hXXp://VVV.usertrust.com1

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

hXXp://ocsp.usertrust.com0

hXXp://ocsp.usertrust.com0

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

hXXps://secure.comodo.net/CPS0A

hXXps://secure.comodo.net/CPS0A

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

hXXp://ocsp.comodoca.com0

hXXp://ocsp.comodoca.com0

support@nirsoft.net0

support@nirsoft.net0

t{SSh

t{SSh

v%SSW

v%SSW

Mail PassView

Mail PassView

Mozilla\Profiles

Mozilla\Profiles

Software\Mozilla\Mozilla Thunderbird

Software\Mozilla\Mozilla Thunderbird

%s\Main

%s\Main

sqlite3.dll

sqlite3.dll

nss3.dll

nss3.dll

%programfiles%\Mozilla Thunderbird

%programfiles%\Mozilla Thunderbird

AddExportHeaderLine

AddExportHeaderLine

%s %s %s

%s %s %s

HTTPMail User Name

HTTPMail User Name

SMTP USer Name

SMTP USer Name

HTTPMail Server

HTTPMail Server

SMTP Server

SMTP Server

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Port

POP3 Port

IMAP Port

IMAP Port

HTTPMail Port

HTTPMail Port

SMTP Port

SMTP Port

HTTPMail Secure Connection

HTTPMail Secure Connection

SMTP Secure Connection

SMTP Secure Connection

SMTP Display Name

SMTP Display Name

SMTP Email Address

SMTP Email Address

POP3 Password

POP3 Password

IMAP Password

IMAP Password

HTTP Password

HTTP Password

SMTP Password

SMTP Password

HTTP User

HTTP User

SMTP User

SMTP User

HTTP Server URL

HTTP Server URL

HTTP Port

HTTP Port

HTTPMail Use SSL

HTTPMail Use SSL

SMTP Use SSL

SMTP Use SSL

%s\%s

%s\%s

PopPort

PopPort

PopPassword

PopPassword

SMTPAccount

SMTPAccount

SMTPServer

SMTPServer

SMTPPort

SMTPPort

SMTPLogSecure

SMTPLogSecure

SMTPPassword

SMTPPassword

%s\Accounts

%s\Accounts

LoginName

LoginName

SavePasswordText

SavePasswordText

ESMTPUsername

ESMTPUsername

ESMTPPassword

ESMTPPassword

POP3Password

POP3Password

fb.dat

fb.dat

%s@gmail.com

%s@gmail.com

%s@yahoo.com

%s@yahoo.com

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles


%s %s


%s %s

smtp

smtp

advapi32.dll

advapi32.dll

comctl32.dll

comctl32.dll

*.ini

*.ini

netmsg.dll

netmsg.dll

Error %d: %s

Error %d: %s

%s (%s)

%s (%s)

menu_%d

menu_%d

dialog_%d

dialog_%d

TranslatorURL

TranslatorURL

_lng.ini

_lng.ini

%-18s: %s

%-18s: %s

%%-%d.%ds

%%-%d.%ds

%s

%s

%s

%s

%s%s

%s%s

bgcolor="%s"

bgcolor="%s"

%s

%s

%s%s>

%s%s>

%s>

%s>

report.html

report.html

*.txt

*.txt

*.htm;*.html

*.htm;*.html

*.xml

*.xml

*.csv

*.csv

Software\NirSoft\MailPassView

Software\NirSoft\MailPassView

MailPassView

MailPassView

/skeepass

/skeepass

/deleteregkey

/deleteregkey

Failed to load the executable file !

Failed to load the executable file !

mail.account.account

mail.account.account

mail.server

mail.server

port

port

mail.identity

mail.identity

signon.signonfilename

signon.signonfilename

mailbox://%s@%s

mailbox://%s@%s

imap://%s@%s

imap://%s@%s

mailbox://%s

mailbox://%s

imap://%s

imap://%s

signons.txt

signons.txt

signons.sqlite

signons.sqlite

prefs.js

prefs.js

Password.NET Messenger Service

Password.NET Messenger Service

User.NET Messenger Service

User.NET Messenger Service

Passport.Net\*

Passport.Net\*

ps:password

ps:password

windowslive:name=

windowslive:name=

Exception %8.8X at address %8.8X in module %s

Exception %8.8X at address %8.8X in module %s

Stack Data: %s

Stack Data: %s

Code Data: %s

Code Data: %s

mozsqlite3.dll

mozsqlite3.dll

psapi.dll

psapi.dll

pstorec.dll

pstorec.dll

5e7e8100-9138-11d1-945a-00c04fc308ff

5e7e8100-9138-11d1-945a-00c04fc308ff

00000000-0000-0000-0000-000000000000

00000000-0000-0000-0000-000000000000

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

shell32.dll

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shlwapi.dll

shlwapi.dll

%s%s

%s%s

%s

%s

%s

%s

size="%d"

size="%d"

color="#%s"

color="#%s"

width="%s"

width="%s"

%s%s%s

%s%s%s

SOFTWARE\Mozilla

SOFTWARE\Mozilla

mozilla

mozilla

%s\bin

%s\bin

PathToExe

PathToExe

\sqlite3.dll

\sqlite3.dll

\mozsqlite3.dll

\mozsqlite3.dll

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

SMTP_Server

SMTP_Server

SMTP_User_Name

SMTP_User_Name

POP3_Password2

POP3_Password2

IMAP_Password2

IMAP_Password2

NNTP_Password2

NNTP_Password2

SMTP_Password2

SMTP_Password2

SMTP_Email_Address

SMTP_Email_Address

SMTP_Port

SMTP_Port

NNTP_Port

NNTP_Port

IMAP_Port

IMAP_Port

POP3_Port

POP3_Port

SMTP_Secure_Connection

SMTP_Secure_Connection

*.oeaccount

*.oeaccount

\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

_acmdln

_acmdln

RPCRT4.dll

RPCRT4.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

RegEnumKeyA

RegEnumKeyA

RegEnumKeyExA

RegEnumKeyExA

ShellExecuteA

ShellExecuteA

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

Phulli.exe

Phulli.exe

Microsoft.VisualBasic

Microsoft.VisualBasic

System.Windows.Forms

System.Windows.Forms

System.Drawing

System.Drawing

System.Management

System.Management

tapi32.dll

tapi32.dll

rtm.dll

rtm.dll

user32.dll

user32.dll

Phulli.Resources.resources

Phulli.Resources.resources

Phulli.Form1.resources

Phulli.Form1.resources

Phulli.My

Phulli.My

WindowsFormsApplicationBase

WindowsFormsApplicationBase

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.ApplicationServices

System.Collections.Generic

System.Collections.Generic

.cctor

.cctor

System.Threading

System.Threading

System.ComponentModel

System.ComponentModel

System.CodeDom.Compiler

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

m_MyWebServicesObjectProvider

m_MyWebServicesObjectProvider

get_WebServices

get_WebServices

HelpKeywordAttribute

HelpKeywordAttribute

System.ComponentModel.Design

System.ComponentModel.Design

WebServices

WebServices

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

System.Collections

System.Collections

ContainsKey

ContainsKey

InvalidOperationException

InvalidOperationException

MyWebServices

MyWebServices

encryptedpassstring

encryptedpassstring

encryptedsmtpstring

encryptedsmtpstring

portstring

portstring

encryptedftphost

encryptedftphost

encryptedftpuser

encryptedftpuser

encryptedftppass

encryptedftppass

useftp

useftp

websitevisitor

websitevisitor

websiteblocker

websiteblocker

passstring

passstring

smtpstring

smtpstring

ftphost

ftphost

ftpuser

ftpuser

ftppass

ftppass

WM_KEYUP

WM_KEYUP

WM_KEYDOWN

WM_KEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYUP

WM_SYSKEYUP

KeyboardHandle

KeyboardHandle

KeyLog

KeyLog

CleanedPasswordsMAIL

CleanedPasswordsMAIL

CleanedPasswordsWB

CleanedPasswordsWB

System.IO

System.IO

get_ExecutablePath

get_ExecutablePath

WindowsIdentity

WindowsIdentity

System.Security.Principal

System.Security.Principal

set_WindowState

set_WindowState

FormWindowState

FormWindowState

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookEx

SetWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

GetAsyncKeyState

GetAsyncKeyState

vKey

vKey

HookKeyboard

HookKeyboard

UnhookKeyboard

UnhookKeyboard

Operators

Operators

get_Keyboard

get_Keyboard

Keyboard

Keyboard

get_CtrlKeyDown

get_CtrlKeyDown

get_AltKeyDown

get_AltKeyDown

KeyboardCallback

KeyboardCallback

set_UseShellExecute

set_UseShellExecute

Microsoft.VisualBasic.MyServices

Microsoft.VisualBasic.MyServices

System.Collections.ObjectModel

System.Collections.ObjectModel

MsgBox

MsgBox

MsgBoxResult

MsgBoxResult

MsgBoxStyle

MsgBoxStyle

ForceSteamLogin

ForceSteamLogin

System.Net.NetworkInformation

System.Net.NetworkInformation

get_OperationalStatus

get_OperationalStatus

OperationalStatus

OperationalStatus

FakemsgInstall

FakemsgInstall

System.Net.Mail

System.Net.Mail

SmtpClient

SmtpClient

System.Globalization

System.Globalization

set_Port

set_Port

System.Net

System.Net

Microsoft.Win32

Microsoft.Win32

RegistryKey

RegistryKey

OpenSubKey

OpenSubKey

System.Security.Cryptography

System.Security.Cryptography

System.Text

System.Text

set_Key

set_Key

stealWebroswers

stealWebroswers

WebClient

WebClient

readweb

readweb

System.IO.Compression

System.IO.Compression

SendLogsFTP

SendLogsFTP

FtpWebRequest

FtpWebRequest

WebRequest

WebRequest

UploadFTP

UploadFTP

secretKey

secretKey

set_KeySize

set_KeySize

get_KeySize

get_KeySize

System.Net.Sockets

System.Net.Sockets

virtualKey

virtualKey

KeyboardHookDelegate

KeyboardHookDelegate

get_Msg

get_Msg

Phulli.My.Resources

Phulli.My.Resources

System.Resources

System.Resources

get_CMemoryExecute

get_CMemoryExecute

get_WebBrowserPassView

get_WebBrowserPassView

WebBrowserPassView

WebBrowserPassView

System.Configuration

System.Configuration

8.0.0.0

8.0.0.0

My.Computer

My.Computer

My.Application

My.Application

My.User

My.User

My.Forms

My.Forms

My.WebServices

My.WebServices

System.Windows.Forms.Form

System.Windows.Forms.Form

My.MyProject.Forms

My.MyProject.Forms

4System.Web.Services.Protocols.SoapHttpClientProtocol

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

11.0.0.0

11.0.0.0

My.Settings

My.Settings

$1f128a07-8438-4dc0-8205-570da0ccce8d

$1f128a07-8438-4dc0-8205-570da0ccce8d

_CorExeMain

_CorExeMain

%%0.ß

%%0.ß

Apple Computer\Preferences\keychain.plist

Apple Computer\Preferences\keychain.plist

LoadPasswordsIE

LoadPasswordsIE

LoadPasswordsFirefox

LoadPasswordsFirefox

LoadPasswordsChrome

LoadPasswordsChrome

LoadPasswordsOpera

LoadPasswordsOpera

LoadPasswordsSafari

LoadPasswordsSafari

LoadPasswordsSeaMonkey

LoadPasswordsSeaMonkey

UseFirefoxProfileFolder

UseFirefoxProfileFolder

UseFirefoxInstallFolder

UseFirefoxInstallFolder

UseChromeProfileFolder

UseChromeProfileFolder

UseOperaPasswordFile

UseOperaPasswordFile

FirefoxProfileFolder

FirefoxProfileFolder

FirefoxInstallFolder

FirefoxInstallFolder

ChromeProfileFolder

ChromeProfileFolder

OperaPasswordFile

OperaPasswordFile

Aadvapi32.dll

Aadvapi32.dll

crypt32.dll

crypt32.dll

777705555443332

777705555443332

5555443332

5555443332

5555443332

5555443332

wand.dat

wand.dat

@nss3.dll

@nss3.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

%programfiles%\Sea Monkey

%programfiles%\Sea Monkey

%programfiles%\Mozilla Firefox

%programfiles%\Mozilla Firefox

-signons.txt

-signons.txt

signons2.txt

signons2.txt

signons3.txt

signons3.txt

@dllhost.exe

@dllhost.exe

taskhost.exe

taskhost.exe

taskhostex.exe

taskhostex.exe

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

index.dat

index.dat

hXXps://VVV.google.com/accounts/servicelogin

hXXps://VVV.google.com/accounts/servicelogin

hXXp://VVV.facebook.com/

hXXp://VVV.facebook.com/

hXXps://login.yahoo.com/config/login

hXXps://login.yahoo.com/config/login

hXXp://

hXXp://

hXXps://

hXXps://

PTF://

PTF://

@history.dat

@history.dat

places.sqlite

places.sqlite

Mozilla\Firefox\Profiles

Mozilla\Firefox\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey

Mozilla\SeaMonkey

Mozilla\Firefox

Mozilla\Firefox

profiles.ini

profiles.ini

Profile%d

Profile%d

tntdll.dll

tntdll.dll

sWeb Data

sWeb Data

Login Data

Login Data

Google\Chrome\User Data

Google\Chrome\User Data

Google\Chrome SxS\User Data

Google\Chrome SxS\User Data

Opera\Opera\wand.dat

Opera\Opera\wand.dat

Opera\Opera7\profile\wand.dat

Opera\Opera7\profile\wand.dat

Opera

Opera

@"%s"

@"%s"

Ashell32.dll

Ashell32.dll

\nss3.dll

\nss3.dll

.save

.save

vaultcli.dll

vaultcli.dll

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

Copy &Password

Copy &Password

&HTML Report - All Items

&HTML Report - All Items

HTML R&eport - Selected Items

HTML R&eport - Selected Items

HTML Report - All Items

HTML Report - All Items

HTML Report - Selected Items

HTML Report - Selected Items

Load Passwords From...

Load Passwords From...

Google Chrome

Google Chrome

Mozilla Firefox

Mozilla Firefox

SeaMonkey

SeaMonkey

Firefox Options

Firefox Options

Master password:

Master password:

Firefox Profile:

Firefox Profile:

Firefox Installation:

Firefox Installation:

Chrome Options

Chrome Options

Opera Options

Opera Options

wand.dat file:

wand.dat file:

%d Passwords

%d Passwords

, %d Selected

, %d Selected

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Loading... %d

Loading... %d

KeePass csv file

KeePass csv file

Opera Password File

Opera Password File

Firefox 1.x

Firefox 1.x

Firefox 2.x

Firefox 2.x

Firefox 3.0

Firefox 3.0

Firefox

Firefox

Chrome

Chrome

Web Browser

Web Browser

Password

Password

Password Strength

Password Strength

Password Field

Password Field

WebBrowserPassView.exe

WebBrowserPassView.exe

VVV.google.com/Please log in to your Gmail account

VVV.google.com/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com/Please log in to your Google Account

VVV.google.com/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com

VVV.google.com

dWindowsLive:name=*

dWindowsLive:name=*

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

Copy Password

Copy Password

%d items

%d items

Select Eudora.ini filename/Select the location of Thunderbird installation

Select Eudora.ini filename/Select the location of Thunderbird installation

Eudora.ini file

Eudora.ini file

SMTP

SMTP

Windows Mail

Windows Mail

Windows Live Mail

Windows Live Mail

Server Port

Server Port

SMTP Server Port

SMTP Server Port

Mail Password Recovery

Mail Password Recovery

mailpv.exe

mailpv.exe

noftp

noftp

Disablecmd

Disablecmd

\Windows Update.exe

\Windows Update.exe

\WindowsUpdate.exe

\WindowsUpdate.exe

SysInfo.txt

SysInfo.txt

\pid.txt

\pid.txt

\pidloc.txt

\pidloc.txt

HawkEyeKeylogger

HawkEyeKeylogger

\Mozilla\Firefox\Profiles

\Mozilla\Firefox\Profiles

127.0.0.1

127.0.0.1

\SteamAppData.vdf

\SteamAppData.vdf

\ClientRegistry.blob

\ClientRegistry.blob

Dear HawkEye Customers!

Dear HawkEye Customers!

HawkEye Logger Details:

HawkEye Logger Details:

Keylogger Enabled:

Keylogger Enabled:

Operating System:

Operating System:

HawkEye_Keylogger_Execution_Confirmed_

HawkEye_Keylogger_Execution_Confirmed_

HawkEye Keylogger | Execution Confirmed |

HawkEye Keylogger | Execution Confirmed |

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

autorun.inf

autorun.inf

open=Sys.exe

open=Sys.exe

Sys.exe

Sys.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Windows Update

Windows Update

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

\bitcoin\wallet.dat

\bitcoin\wallet.dat

_wallet.dat

_wallet.dat

wallet.dat

wallet.dat

Microsoft.NET\Framework\v2.0.50727\vbc.exe

Microsoft.NET\Framework\v2.0.50727\vbc.exe

holdermail.txt"

holdermail.txt"

holdermail.txt

holdermail.txt

Operating System Intel Recovery

Operating System Intel Recovery

Operating System Platform:

Operating System Platform:

Operating System Version:

Operating System Version:

WEB Browser Password Stealer

WEB Browser Password Stealer

Mail Messenger Password Stealer

Mail Messenger Password Stealer

JDownloader Password Stealer

JDownloader Password Stealer

HawkEye_Keylogger_Stealer_Records_

HawkEye_Keylogger_Stealer_Records_

HawkEye Keylogger | Stealer Records |

HawkEye Keylogger | Stealer Records |

holderwb.txt"

holderwb.txt"

holderwb.txt

holderwb.txt

C:\Users\

C:\Users\

_Pin0.jpeg

_Pin0.jpeg

_Pin1.jpeg

_Pin1.jpeg

_Pin2.jpeg

_Pin2.jpeg

_Pin3.jpeg

_Pin3.jpeg

_Pin4.jpeg

_Pin4.jpeg

HawkEye Keylogger | RuneScape Stealer |

HawkEye Keylogger | RuneScape Stealer |

HawkEye Keylogger | BitCoin Stealer |

HawkEye Keylogger | BitCoin Stealer |

Steals the Wallet.DAT file that holds the users bitcoin currency.

Steals the Wallet.DAT file that holds the users bitcoin currency.

\.minecraft\lastlogin

\.minecraft\lastlogin

HawkEye Keylogger | MineCraft Stealer |

HawkEye Keylogger | MineCraft Stealer |

As you can see, this email has the attached file, containing MineCraft Username and Password. Please download it then decrypt the login credential / information with MineCraft Decryptor.

As you can see, this email has the attached file, containing MineCraft Username and Password. Please download it then decrypt the login credential / information with MineCraft Decryptor.

HawkEye Keylogger | Keylog Records |

HawkEye Keylogger | Keylog Records |

Keylog Records

Keylog Records

.jpeg

.jpeg

HawkEye_Keylogger_Keylog_Records_

HawkEye_Keylogger_Keylog_Records_

hXXp://whatismyipaddress.com/

hXXp://whatismyipaddress.com/

Phulli.Resources

Phulli.Resources

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

installutil.exe_3692_rwx_03920000_00002000:

".MgXP

".MgXP

RegAsm.exe_3220_rwx_00400000_00088000:

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

v2.0.50727

CMemoryExecute.dll

CMemoryExecute.dll

CMemoryExecute

CMemoryExecute

PAGE_EXECUTE_READWRITE

PAGE_EXECUTE_READWRITE

.ctor

.ctor

System.Reflection

System.Reflection

System.Runtime.InteropServices

System.Runtime.InteropServices

System.Security.Permissions

System.Security.Permissions

System.Diagnostics

System.Diagnostics

System.Runtime.CompilerServices

System.Runtime.CompilerServices

DllImportAttribute

DllImportAttribute

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

System.Security

System.Security

$8fcd4931-91a2-4e18-849b-70de34ab75df

$8fcd4931-91a2-4e18-849b-70de34ab75df

1.0.0.0

1.0.0.0

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

mscoree.dll

mscoree.dll

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

D$.SPf

D$.SPf

2 34 567

2 34 567

com.apple.Safari

com.apple.Safari

com.apple.WebKit2WebProcess

com.apple.WebKit2WebProcess

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

"Account","Login Name","Password","Web Site","Comments"

"Account","Login Name","Password","Web Site","Comments"

3.7.5

3.7.5

SQLite format 3

SQLite format 3

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

sql text

sql text

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

large file support is disabled

large file support is disabled

unknown operation

unknown operation

SQL logic error or missing database

SQL logic error or missing database

foreign_keys

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_source_id

sqlite_source_id

sqlite_version

sqlite_version

sqlite_attach

sqlite_attach

sqlite_detach

sqlite_detach

sqlite_stat1

sqlite_stat1

sqlite_rename_parent

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_table

sqlite_rename_table

%Y-%m-%d %H:%M:%S

%Y-%m-%d %H:%M:%S

%Y-%m-%d

%Y-%m-%d

%H:%M:%S

%H:%M:%S

SQLITE_

SQLITE_

failed to allocate %u bytes of memory

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

failed memory resize %u to %u bytes

922337203685477580

922337203685477580

API call with %s database connection pointer

API call with %s database connection pointer

%s-shm

%s-shm

%s\etilqs_

%s\etilqs_

OsError 0x%x (%u)

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

Recovered %d frames from WAL file %s

%s-mjX

%s-mjX

foreign key constraint failed

foreign key constraint failed

unable to use function %s in the requested context

unable to use function %s in the requested context

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

misuse of aliased aggregate %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s.%s

%s: %s.%s

%s: %s.%s

%s: %s

%s: %s

%r %s BY term out of range - should be between 1 and %d

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

variable number must be between ?1 and ?%d

too many SQL variables

too many SQL variables

too many columns in %s

too many columns in %s

oversized integer: %s%s

oversized integer: %s%s

misuse of aggregate: %s()

misuse of aggregate: %s()

%.*s"%w"%s

%.*s"%w"%s

%s%.*s"%w"

%s%.*s"%w"

%s OR name=%Q

%s OR name=%Q

type='trigger' AND (%s)

type='trigger' AND (%s)

there is already another table or index with this name: %s

there is already another table or index with this name: %s

sqlite_

sqlite_

table %s may not be altered

table %s may not be altered

view %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

invalid name: "%s"

too many attached databases - max %d

too many attached databases - max %d

database %s is already in use

database %s is already in use

unable to open database: %s

unable to open database: %s

no such database: %s

no such database: %s

cannot detach database %s

cannot detach database %s

database %s is locked

database %s is locked

%s %T cannot reference objects in database %s

%s %T cannot reference objects in database %s

object name reserved for internal use: %s

object name reserved for internal use: %s

there is already an index named %s

there is already an index named %s

too many columns on %s

too many columns on %s

duplicate column name: %s

duplicate column name: %s

default value of column [%s] is not constant

default value of column [%s] is not constant

table "%s" has more than one primary key

table "%s" has more than one primary key

no such collation sequence: %s

no such collation sequence: %s

CREATE %s %.*s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

view %s is circularly defined

view %s is circularly defined

table %s may not be dropped

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

use DROP VIEW to delete view %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

unknown column "%s" in foreign key definition

indexed columns are not unique

indexed columns are not unique

table %s may not be indexed

table %s may not be indexed

views may not be indexed

views may not be indexed

virtual tables may not be indexed

virtual tables may not be indexed

there is already a table named %s

there is already a table named %s

index %s already exists

index %s already exists

sqlite_autoindex_%s_%d

sqlite_autoindex_%s_%d

table %s has no column named %s

table %s has no column named %s

CREATE%s INDEX %.*s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

a JOIN clause is required before %s

unable to identify the object to be reindexed

unable to identify the object to be reindexed

table %s may not be modified

table %s may not be modified

cannot modify %s because it is a view

cannot modify %s because it is a view

foreign key mismatch

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has %d columns but %d values were supplied

%d values for %d columns

%d values for %d columns

table %S has no column named %s

table %S has no column named %s

%s.%s may not be NULL

%s.%s may not be NULL

PRIMARY KEY must be unique

PRIMARY KEY must be unique

automatic extension loading failed: %s

automatic extension loading failed: %s

foreign_key_list

foreign_key_list

malformed database schema (%s)

malformed database schema (%s)

%s - %s

%s - %s

unsupported file format

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unknown or unsupported join type: %T %T%s%T

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

cannot join using column %s - column not present in both tables

%s.%s

%s.%s

%s:%d

%s:%d

no such index: %s

no such index: %s

sqlite_subquery_%p_

sqlite_subquery_%p_

no such table: %s

no such table: %s

cannot create %s trigger on view: %S

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

no such trigger: %S

no such column: %s

no such column: %s

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

vtable constructor did not declare schema: %s

no such module: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

at most %d tables in a join

cannot use index: %s

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unable to close due to unfinished backup operation

unknown database: %s

unknown database: %s

no such vfs: %s

no such vfs: %s

database corruption at line %d of [%.10s]

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

cannot open file at line %d of [%.10s]

sqlite3_open

sqlite3_open

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_text

sqlite3_column_text

sqlite3_column_int

sqlite3_column_int

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_close

sqlite3_close

sqlite3_exec

sqlite3_exec

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

msvcrt.dll

msvcrt.dll

_wcmdln

_wcmdln

COMCTL32.dll

COMCTL32.dll

VERSION.dll

VERSION.dll

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

WININET.dll

WININET.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

comdlg32.dll

comdlg32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

5JEw%Xg

5JEw%Xg

hXXp://VVV.usertrust.com1

hXXp://VVV.usertrust.com1

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

hXXp://ocsp.usertrust.com0

hXXp://ocsp.usertrust.com0

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

hXXps://secure.comodo.net/CPS0A

hXXps://secure.comodo.net/CPS0A

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

hXXp://ocsp.comodoca.com0

hXXp://ocsp.comodoca.com0

support@nirsoft.net0

support@nirsoft.net0

t{SSh

t{SSh

v%SSW

v%SSW

Mail PassView

Mail PassView

Mozilla\Profiles

Mozilla\Profiles

Software\Mozilla\Mozilla Thunderbird

Software\Mozilla\Mozilla Thunderbird

%s\Main

%s\Main

sqlite3.dll

sqlite3.dll

nss3.dll

nss3.dll

%programfiles%\Mozilla Thunderbird

%programfiles%\Mozilla Thunderbird

AddExportHeaderLine

AddExportHeaderLine

%s %s %s

%s %s %s

HTTPMail User Name

HTTPMail User Name

SMTP USer Name

SMTP USer Name

HTTPMail Server

HTTPMail Server

SMTP Server

SMTP Server

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Port

POP3 Port

IMAP Port

IMAP Port

HTTPMail Port

HTTPMail Port

SMTP Port

SMTP Port

HTTPMail Secure Connection

HTTPMail Secure Connection

SMTP Secure Connection

SMTP Secure Connection

SMTP Display Name

SMTP Display Name

SMTP Email Address

SMTP Email Address

POP3 Password

POP3 Password

IMAP Password

IMAP Password

HTTP Password

HTTP Password

SMTP Password

SMTP Password

HTTP User

HTTP User

SMTP User

SMTP User

HTTP Server URL

HTTP Server URL

HTTP Port

HTTP Port

HTTPMail Use SSL

HTTPMail Use SSL

SMTP Use SSL

SMTP Use SSL

%s\%s

%s\%s

PopPort

PopPort

PopPassword

PopPassword

SMTPAccount

SMTPAccount

SMTPServer

SMTPServer

SMTPPort

SMTPPort

SMTPLogSecure

SMTPLogSecure

SMTPPassword

SMTPPassword

%s\Accounts

%s\Accounts

LoginName

LoginName

SavePasswordText

SavePasswordText

ESMTPUsername

ESMTPUsername

ESMTPPassword

ESMTPPassword

POP3Password

POP3Password

fb.dat

fb.dat

%s@gmail.com

%s@gmail.com

%s@yahoo.com

%s@yahoo.com

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles


%s %s


%s %s

smtp

smtp

advapi32.dll

advapi32.dll

comctl32.dll

comctl32.dll

*.ini

*.ini

netmsg.dll

netmsg.dll

Error %d: %s

Error %d: %s

%s (%s)

%s (%s)

menu_%d

menu_%d

dialog_%d

dialog_%d

TranslatorURL

TranslatorURL

_lng.ini

_lng.ini

%-18s: %s

%-18s: %s

%%-%d.%ds

%%-%d.%ds

%s

%s

%s

%s

%s%s

%s%s

bgcolor="%s"

bgcolor="%s"

%s

%s

%s%s>

%s%s>

%s>

%s>

report.html

report.html

*.txt

*.txt

*.htm;*.html

*.htm;*.html

*.xml

*.xml

*.csv

*.csv

Software\NirSoft\MailPassView

Software\NirSoft\MailPassView

MailPassView

MailPassView

/skeepass

/skeepass

/deleteregkey

/deleteregkey

Failed to load the executable file !

Failed to load the executable file !

mail.account.account

mail.account.account

mail.server

mail.server

port

port

mail.identity

mail.identity

signon.signonfilename

signon.signonfilename

mailbox://%s@%s

mailbox://%s@%s

imap://%s@%s

imap://%s@%s

mailbox://%s

mailbox://%s

imap://%s

imap://%s

signons.txt

signons.txt

signons.sqlite

signons.sqlite

prefs.js

prefs.js

Password.NET Messenger Service

Password.NET Messenger Service

User.NET Messenger Service

User.NET Messenger Service

Passport.Net\*

Passport.Net\*

ps:password

ps:password

windowslive:name=

windowslive:name=

Exception %8.8X at address %8.8X in module %s

Exception %8.8X at address %8.8X in module %s

Stack Data: %s

Stack Data: %s

Code Data: %s

Code Data: %s

mozsqlite3.dll

mozsqlite3.dll

psapi.dll

psapi.dll

pstorec.dll

pstorec.dll

5e7e8100-9138-11d1-945a-00c04fc308ff

5e7e8100-9138-11d1-945a-00c04fc308ff

00000000-0000-0000-0000-000000000000

00000000-0000-0000-0000-000000000000

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

shell32.dll

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shlwapi.dll

shlwapi.dll

%s%s

%s%s

%s

%s

%s

%s

size="%d"

size="%d"

color="#%s"

color="#%s"

width="%s"

width="%s"

%s%s%s

%s%s%s

SOFTWARE\Mozilla

SOFTWARE\Mozilla

mozilla

mozilla

%s\bin

%s\bin

PathToExe

PathToExe

\sqlite3.dll

\sqlite3.dll

\mozsqlite3.dll

\mozsqlite3.dll

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

SMTP_Server

SMTP_Server

SMTP_User_Name

SMTP_User_Name

POP3_Password2

POP3_Password2

IMAP_Password2

IMAP_Password2

NNTP_Password2

NNTP_Password2

SMTP_Password2

SMTP_Password2

SMTP_Email_Address

SMTP_Email_Address

SMTP_Port

SMTP_Port

NNTP_Port

NNTP_Port

IMAP_Port

IMAP_Port

POP3_Port

POP3_Port

SMTP_Secure_Connection

SMTP_Secure_Connection

*.oeaccount

*.oeaccount

\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

_acmdln

_acmdln

RPCRT4.dll

RPCRT4.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

RegEnumKeyA

RegEnumKeyA

RegEnumKeyExA

RegEnumKeyExA

ShellExecuteA

ShellExecuteA

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

Phulli.exe

Phulli.exe

Microsoft.VisualBasic

Microsoft.VisualBasic

System.Windows.Forms

System.Windows.Forms

System.Drawing

System.Drawing

System.Management

System.Management

tapi32.dll

tapi32.dll

rtm.dll

rtm.dll

user32.dll

user32.dll

Phulli.Resources.resources

Phulli.Resources.resources

Phulli.Form1.resources

Phulli.Form1.resources

Phulli.My

Phulli.My

WindowsFormsApplicationBase

WindowsFormsApplicationBase

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.ApplicationServices

System.Collections.Generic

System.Collections.Generic

.cctor

.cctor

System.Threading

System.Threading

System.ComponentModel

System.ComponentModel

System.CodeDom.Compiler

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

m_MyWebServicesObjectProvider

m_MyWebServicesObjectProvider

get_WebServices

get_WebServices

HelpKeywordAttribute

HelpKeywordAttribute

System.ComponentModel.Design

System.ComponentModel.Design

WebServices

WebServices

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

System.Collections

System.Collections

ContainsKey

ContainsKey

InvalidOperationException

InvalidOperationException

MyWebServices

MyWebServices

encryptedpassstring

encryptedpassstring

encryptedsmtpstring

encryptedsmtpstring

portstring

portstring

encryptedftphost

encryptedftphost

encryptedftpuser

encryptedftpuser

encryptedftppass

encryptedftppass

useftp

useftp

websitevisitor

websitevisitor

websiteblocker

websiteblocker

passstring

passstring

smtpstring

smtpstring

ftphost

ftphost

ftpuser

ftpuser

ftppass

ftppass

WM_KEYUP

WM_KEYUP

WM_KEYDOWN

WM_KEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYUP

WM_SYSKEYUP

KeyboardHandle

KeyboardHandle

KeyLog

KeyLog

CleanedPasswordsMAIL

CleanedPasswordsMAIL

CleanedPasswordsWB

CleanedPasswordsWB

System.IO

System.IO

get_ExecutablePath

get_ExecutablePath

WindowsIdentity

WindowsIdentity

System.Security.Principal

System.Security.Principal

set_WindowState

set_WindowState

FormWindowState

FormWindowState

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookEx

SetWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

GetAsyncKeyState

GetAsyncKeyState

vKey

vKey

HookKeyboard

HookKeyboard

UnhookKeyboard

UnhookKeyboard

Operators

Operators

get_Keyboard

get_Keyboard

Keyboard

Keyboard

get_CtrlKeyDown

get_CtrlKeyDown

get_AltKeyDown

get_AltKeyDown

KeyboardCallback

KeyboardCallback

set_UseShellExecute

set_UseShellExecute

Microsoft.VisualBasic.MyServices

Microsoft.VisualBasic.MyServices

System.Collections.ObjectModel

System.Collections.ObjectModel

MsgBox

MsgBox

MsgBoxResult

MsgBoxResult

MsgBoxStyle

MsgBoxStyle

ForceSteamLogin

ForceSteamLogin

System.Net.NetworkInformation

System.Net.NetworkInformation

get_OperationalStatus

get_OperationalStatus

OperationalStatus

OperationalStatus

FakemsgInstall

FakemsgInstall

System.Net.Mail

System.Net.Mail

SmtpClient

SmtpClient

System.Globalization

System.Globalization

set_Port

set_Port

System.Net

System.Net

Microsoft.Win32

Microsoft.Win32

RegistryKey

RegistryKey

OpenSubKey

OpenSubKey

System.Security.Cryptography

System.Security.Cryptography

System.Text

System.Text

set_Key

set_Key

stealWebroswers

stealWebroswers

WebClient

WebClient

readweb

readweb

System.IO.Compression

System.IO.Compression

SendLogsFTP

SendLogsFTP

FtpWebRequest

FtpWebRequest

WebRequest

WebRequest

UploadFTP

UploadFTP

secretKey

secretKey

set_KeySize

set_KeySize

get_KeySize

get_KeySize

System.Net.Sockets

System.Net.Sockets

virtualKey

virtualKey

KeyboardHookDelegate

KeyboardHookDelegate

get_Msg

get_Msg

Phulli.My.Resources

Phulli.My.Resources

System.Resources

System.Resources

get_CMemoryExecute

get_CMemoryExecute

get_WebBrowserPassView

get_WebBrowserPassView

WebBrowserPassView

WebBrowserPassView

System.Configuration

System.Configuration

8.0.0.0

8.0.0.0

My.Computer

My.Computer

My.Application

My.Application

My.User

My.User

My.Forms

My.Forms

My.WebServices

My.WebServices

System.Windows.Forms.Form

System.Windows.Forms.Form

My.MyProject.Forms

My.MyProject.Forms

4System.Web.Services.Protocols.SoapHttpClientProtocol

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

11.0.0.0

11.0.0.0

My.Settings

My.Settings

$1f128a07-8438-4dc0-8205-570da0ccce8d

$1f128a07-8438-4dc0-8205-570da0ccce8d

_CorExeMain

_CorExeMain

%%0.ß

%%0.ß

Apple Computer\Preferences\keychain.plist

Apple Computer\Preferences\keychain.plist

LoadPasswordsIE

LoadPasswordsIE

LoadPasswordsFirefox

LoadPasswordsFirefox

LoadPasswordsChrome

LoadPasswordsChrome

LoadPasswordsOpera

LoadPasswordsOpera

LoadPasswordsSafari

LoadPasswordsSafari

LoadPasswordsSeaMonkey

LoadPasswordsSeaMonkey

UseFirefoxProfileFolder

UseFirefoxProfileFolder

UseFirefoxInstallFolder

UseFirefoxInstallFolder

UseChromeProfileFolder

UseChromeProfileFolder

UseOperaPasswordFile

UseOperaPasswordFile

FirefoxProfileFolder

FirefoxProfileFolder

FirefoxInstallFolder

FirefoxInstallFolder

ChromeProfileFolder

ChromeProfileFolder

OperaPasswordFile

OperaPasswordFile

Aadvapi32.dll

Aadvapi32.dll

crypt32.dll

crypt32.dll

777705555443332

777705555443332

5555443332

5555443332

5555443332

5555443332

wand.dat

wand.dat

@nss3.dll

@nss3.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

%programfiles%\Sea Monkey

%programfiles%\Sea Monkey

%programfiles%\Mozilla Firefox

%programfiles%\Mozilla Firefox

-signons.txt

-signons.txt

signons2.txt

signons2.txt

signons3.txt

signons3.txt

@dllhost.exe

@dllhost.exe

taskhost.exe

taskhost.exe

taskhostex.exe

taskhostex.exe

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

index.dat

index.dat

hXXps://VVV.google.com/accounts/servicelogin

hXXps://VVV.google.com/accounts/servicelogin

hXXp://VVV.facebook.com/

hXXp://VVV.facebook.com/

hXXps://login.yahoo.com/config/login

hXXps://login.yahoo.com/config/login

hXXp://

hXXp://

hXXps://

hXXps://

PTF://

PTF://

@history.dat

@history.dat

places.sqlite

places.sqlite

Mozilla\Firefox\Profiles

Mozilla\Firefox\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey

Mozilla\SeaMonkey

Mozilla\Firefox

Mozilla\Firefox

profiles.ini

profiles.ini

Profile%d

Profile%d

tntdll.dll

tntdll.dll

sWeb Data

sWeb Data

Login Data

Login Data

Google\Chrome\User Data

Google\Chrome\User Data

Google\Chrome SxS\User Data

Google\Chrome SxS\User Data

Opera\Opera\wand.dat

Opera\Opera\wand.dat

Opera\Opera7\profile\wand.dat

Opera\Opera7\profile\wand.dat

Opera

Opera

@"%s"

@"%s"

Ashell32.dll

Ashell32.dll

\nss3.dll

\nss3.dll

.save

.save

vaultcli.dll

vaultcli.dll

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

Copy &Password

Copy &Password

&HTML Report - All Items

&HTML Report - All Items

HTML R&eport - Selected Items

HTML R&eport - Selected Items

HTML Report - All Items

HTML Report - All Items

HTML Report - Selected Items

HTML Report - Selected Items

Load Passwords From...

Load Passwords From...

Google Chrome

Google Chrome

Mozilla Firefox

Mozilla Firefox

SeaMonkey

SeaMonkey

Firefox Options

Firefox Options

Master password:

Master password:

Firefox Profile:

Firefox Profile:

Firefox Installation:

Firefox Installation:

Chrome Options

Chrome Options

Opera Options

Opera Options

wand.dat file:

wand.dat file:

%d Passwords

%d Passwords

, %d Selected

, %d Selected

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Loading... %d

Loading... %d

KeePass csv file

KeePass csv file

Opera Password File

Opera Password File

Firefox 1.x

Firefox 1.x

Firefox 2.x

Firefox 2.x

Firefox 3.0

Firefox 3.0

Firefox

Firefox

Chrome

Chrome

Web Browser

Web Browser

Password

Password

Password Strength

Password Strength

Password Field

Password Field

WebBrowserPassView.exe

WebBrowserPassView.exe

VVV.google.com/Please log in to your Gmail account

VVV.google.com/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com/Please log in to your Google Account

VVV.google.com/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com

VVV.google.com

dWindowsLive:name=*

dWindowsLive:name=*

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

Copy Password

Copy Password

%d items

%d items

Select Eudora.ini filename/Select the location of Thunderbird installation

Select Eudora.ini filename/Select the location of Thunderbird installation

Eudora.ini file

Eudora.ini file

SMTP

SMTP

Windows Mail

Windows Mail

Windows Live Mail

Windows Live Mail

Server Port

Server Port

SMTP Server Port

SMTP Server Port

Mail Password Recovery

Mail Password Recovery

mailpv.exe

mailpv.exe

noftp

noftp

Disablecmd

Disablecmd

\Windows Update.exe

\Windows Update.exe

\WindowsUpdate.exe

\WindowsUpdate.exe

SysInfo.txt

SysInfo.txt

\pid.txt

\pid.txt

\pidloc.txt

\pidloc.txt

HawkEyeKeylogger

HawkEyeKeylogger

\Mozilla\Firefox\Profiles

\Mozilla\Firefox\Profiles

127.0.0.1

127.0.0.1

\SteamAppData.vdf

\SteamAppData.vdf

\ClientRegistry.blob

\ClientRegistry.blob

Dear HawkEye Customers!

Dear HawkEye Customers!

HawkEye Logger Details:

HawkEye Logger Details:

Keylogger Enabled:

Keylogger Enabled:

Operating System:

Operating System:

HawkEye_Keylogger_Execution_Confirmed_

HawkEye_Keylogger_Execution_Confirmed_

HawkEye Keylogger | Execution Confirmed |

HawkEye Keylogger | Execution Confirmed |

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

autorun.inf

autorun.inf

open=Sys.exe

open=Sys.exe

Sys.exe

Sys.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Windows Update

Windows Update

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

\bitcoin\wallet.dat

\bitcoin\wallet.dat

_wallet.dat

_wallet.dat

wallet.dat

wallet.dat

Microsoft.NET\Framework\v2.0.50727\vbc.exe

Microsoft.NET\Framework\v2.0.50727\vbc.exe

holdermail.txt"

holdermail.txt"

holdermail.txt

holdermail.txt

Operating System Intel Recovery

Operating System Intel Recovery

Operating System Platform:

Operating System Platform:

Operating System Version:

Operating System Version:

WEB Browser Password Stealer

WEB Browser Password Stealer

Mail Messenger Password Stealer

Mail Messenger Password Stealer

JDownloader Password Stealer

JDownloader Password Stealer

HawkEye_Keylogger_Stealer_Records_

HawkEye_Keylogger_Stealer_Records_

HawkEye Keylogger | Stealer Records |

HawkEye Keylogger | Stealer Records |

holderwb.txt"

holderwb.txt"

holderwb.txt

holderwb.txt

C:\Users\

C:\Users\

_Pin0.jpeg

_Pin0.jpeg

_Pin1.jpeg

_Pin1.jpeg

_Pin2.jpeg

_Pin2.jpeg

_Pin3.jpeg

_Pin3.jpeg

_Pin4.jpeg

_Pin4.jpeg

HawkEye Keylogger | RuneScape Stealer |

HawkEye Keylogger | RuneScape Stealer |

HawkEye Keylogger | BitCoin Stealer |

HawkEye Keylogger | BitCoin Stealer |

Steals the Wallet.DAT file that holds the users bitcoin currency.

Steals the Wallet.DAT file that holds the users bitcoin currency.

\.minecraft\lastlogin

\.minecraft\lastlogin

HawkEye Keylogger | MineCraft Stealer |

HawkEye Keylogger | MineCraft Stealer |

As you can see, this email has the attached file, containing MineCraft Username and Password. Please download it then decrypt the login credential / information with MineCraft Decryptor.

As you can see, this email has the attached file, containing MineCraft Username and Password. Please download it then decrypt the login credential / information with MineCraft Decryptor.

HawkEye Keylogger | Keylog Records |

HawkEye Keylogger | Keylog Records |

Keylog Records

Keylog Records

.jpeg

.jpeg

HawkEye_Keylogger_Keylog_Records_

HawkEye_Keylogger_Keylog_Records_

hXXp://whatismyipaddress.com/

hXXp://whatismyipaddress.com/

Phulli.Resources

Phulli.Resources

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

taskeng.exe_2872:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

USER32.dll

USER32.dll

msvcrt.dll

msvcrt.dll

ntdll.dll

ntdll.dll

API-MS-Win-Core-Debug-L1-1-0.dll

API-MS-Win-Core-Debug-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

API-MS-Win-Core-File-L1-1-0.dll

API-MS-Win-Core-File-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-Interlocked-L1-1-0.dll

API-MS-Win-Core-Interlocked-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll

API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Core-ThreadPool-L1-1-0.dll

API-MS-Win-Core-ThreadPool-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

RPCRT4.dll

RPCRT4.dll

KERNEL32.dll

KERNEL32.dll

.TBvf

.TBvf

d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp

d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp

Session::ChannelMsgReceived

Session::ChannelMsgReceived

d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp

d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp

d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp

d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp

StopJobMsg

StopJobMsg

StartJobMsg

StartJobMsg

ClientPipeName

ClientPipeName

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp

d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp

TaskScheduler.log

TaskScheduler.log

j%Xf;

j%Xf;

d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp

API-MS-WIN-Service-Management-L1-1-0.dll

API-MS-WIN-Service-Management-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

SspiCli.dll

SspiCli.dll

XmlLite.dll

XmlLite.dll

MPR.dll

MPR.dll

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegNotifyChangeKeyValue

RegNotifyChangeKeyValue

RegCreateKeyExW

RegCreateKeyExW

FindExecutableW

FindExecutableW

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

EnumThreadWindows

EnumThreadWindows

EnumWindows

EnumWindows

GetProcessWindowStation

GetProcessWindowStation

_wcmdln

_wcmdln

_amsg_exit

_amsg_exit

GetProcessHeap

GetProcessHeap

SetProcessShutdownParameters

SetProcessShutdownParameters

TaskEng.pdb

TaskEng.pdb

version="5.1.0.0"

version="5.1.0.0"

name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"

name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"

8 8$8(878

8 8$8(878

3=4Z4w4

3=4Z4w4

=!=(=0=4=?=>>

=!=(=0=4=?=>>

5 5U5_5

5 5U5_5

5b6u6

5b6u6

-131J1X1o1}1

-131J1X1o1}1

=$=

=$=

Password

Password

hXXp://schemas.microsoft.com/windows/2004/02/mit/task

hXXp://schemas.microsoft.com/windows/2004/02/mit/task

Mieframe.dll

Mieframe.dll

%SystemRoot%\SYSTEM32\cmd.exe

%SystemRoot%\SYSTEM32\cmd.exe

%SystemRoot%\System32\Tasks

%SystemRoot%\System32\Tasks

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake

WindowSeconds

WindowSeconds

InitializeCmdlineProcessing()

InitializeCmdlineProcessing()

pCrimson provider registration failed for taskeng, hr=0x%x

pCrimson provider registration failed for taskeng, hr=0x%x

CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]

CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]

InteractiveTokenOrPassword

InteractiveTokenOrPassword

Murl

Murl

%d.%d

%d.%d

%s, (%d)

%s, (%d)

hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout

hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout

hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate

hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate

hXXp://schemas.microsoft.com/cdo/configuration/sendusing

hXXp://schemas.microsoft.com/cdo/configuration/sendusing

hXXp://schemas.microsoft.com/cdo/configuration/smtpserver

hXXp://schemas.microsoft.com/cdo/configuration/smtpserver

201ef99a-7fa0-444c-9399-19ba84f12a1a

201ef99a-7fa0-444c-9399-19ba84f12a1a

C:\Windows\SYSTEM32\cmd.exe

C:\Windows\SYSTEM32\cmd.exe

6.1.7601.17514 (win7sp1_rtm.101119-1850)

6.1.7601.17514 (win7sp1_rtm.101119-1850)

taskeng.exe

taskeng.exe

Windows

Windows

Operating System

Operating System

6.1.7601.17514

6.1.7601.17514