For a Limited Time: Get HUGE savings on Pro and Sticky Password Premium! Act now & save 60%! BUY NOW >
  • Stay aware

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • How to get the best

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Help us

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Forum

    Inquietari sueti praenturis et stationibus servabantur agrariis

Fri, 03/31/2017 - 03:06

Trojan.VBS.Agent.AIY_15104a2195

Trojan.Win32.Xtrat.aahj (Kaspersky), Trojan.VBS.Agent.AIY (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS) Behaviour: Trojan, Worm, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: 15104a2195987a4926ee31d447dfa8b3

SHA1: 8749afa04945cd5771768edb980d37f90954227c

SHA256: 176a25e7fc0d2cbea50dbd142c0aec38c593b1b43e47231a1dabbb2a362135b2

SSDeep: 12288:A3nZMhJ ubNiRKPMn8WiScA/PAb0TwPRjNOs33h57x8/wzSIcEmVdXS:A3nZqfbpPM8Sc10QjNOW7m/weIBoi

Size: 747632 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Xacti, LLC

Created at: 2012-02-17 16:55:21

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

dvl07.exe:328
dvl07.exe:3448
csc.exe:4008
WScript.exe:3556
WScript.exe:3516
108.exe:532
RegSvcs.exe:3904
RegSvcs.exe:3332
RegSvcs.exe:1936
RegSvcs.exe:1592
836.exe:3980
6x7aj.exe:676
6x7aj.exe:1480
file.exe:3348
file.exe:3336
rundll32.exe:3736
Javatmp2539891.exe:672
jfd.exe:1368
jfd.exe:2904
%original file name%.exe:3404

The Trojan injects its code into the following process(es):

csc.exe:3528
6x7aj.exe:2632

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process dvl07.exe:3448 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (0 bytes)

The process csc.exe:4008 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\nAgLlf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Adovetmp35891[1].exe (124320 bytes)
C:\nAgLlfnAgLlf\nAgLlf.vbs (207 bytes)
C:\nAgLlfnAgLlf\x (5441 bytes)
C:\nAgLlfnAgLlf\nAgLlf.exe (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\836.exe (62167 bytes)

The process csc.exe:3528 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\PfMycVPfMycV\PfMycV.exe (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9666.tmp (2712 bytes)
C:\PfMycVPfMycV\PfMycV.vbs (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Adovetmp35891[1].exe (102417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\PfMycV (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9665.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\108.exe (44515 bytes)
C:\PfMycVPfMycV\x (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (1290 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9665.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9666.tmp (0 bytes)

The process WScript.exe:3556 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\qto4z\file.exe (593 bytes)

The process 108.exe:532 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\qto4z\53bym.vbs (90 bytes)
C:\Users\"%CurrentUserName%"\qto4z\file.exe (2488 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\qto4z\__tmp_rar_sfx_access_check_350050 (0 bytes)

The process RegSvcs.exe:3332 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (0 bytes)

The process RegSvcs.exe:1936 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (0 bytes)

The process 836.exe:3980 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xbq.jpg (209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tlq.txt (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xli.docx (713 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iol.mp4 (885 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wqr.icm (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tpg.ico (949 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\lka.mp4 (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wju.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iix.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\fwm.bmp (689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\nhu.mp3 (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ntr.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\smw.ppt (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wmd.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe (15154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\odo.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ele.ppt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\obc.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wiq.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qam.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\mva.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\upr.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\cbj.dat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hui.txt (123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hoo.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\vmh.ico (395 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\__tmp_rar_sfx_access_check_359785 (0 bytes)

The process 6x7aj.exe:676 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)

The process file.exe:3348 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\x (7410 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\__tmp_rar_sfx_access_check_350768 (0 bytes)

The process file.exe:3336 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\x (6098 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\__tmp_rar_sfx_access_check_335776 (0 bytes)

The process rundll32.exe:3736 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60FRU4FC\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2Q082UPM\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R6ZYRE63\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z1KVGK69\desktop.ini (67 bytes)

The process Javatmp2539891.exe:672 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bnk.mp3 (482 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vov.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bvf.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe (15154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ppo.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xor.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\anp.docx (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tlg.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\lsp.ico (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\wel.mp4 (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\frr.ppt (205 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sqg.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\idi.mp4 (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\igr.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vlc.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mqd.ico (515 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\fnq.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mfq.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ugx.mp3 (416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bis.icm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\abx.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ebw.txt (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\dir.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\rko.ppt (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sgm.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\uxs.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\exh.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tox.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bep.docx (776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\alr.ico (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\olk.xl (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\__tmp_rar_sfx_access_check_399612 (0 bytes)

The process jfd.exe:1368 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\AYKHP (97 bytes)

The process jfd.exe:2904 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Javatmp2539891.exe (157922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\spd (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Javatmp2539891[1].exe (587707 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\AYKHP (0 bytes)

The process %original file name%.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\h2x2x\file.exe (2488 bytes)
C:\Users\"%CurrentUserName%"\h2x2x\nktas.vbs (90 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\h2x2x\__tmp_rar_sfx_access_check_334372 (0 bytes)

Registry activity

The process dvl07.exe:328 makes changes in the system registry.


The Trojan deletes the following registry key(s):

[HKCU\Software\3448]

The process dvl07.exe:3448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:22:27 PM"

[HKCU\Software\3448]
"Mutex" = "zUB8dknwC"

[HKCU\Software\zUB8dknwC]
"InstalledServer" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe"

The process csc.exe:4008 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nAgLlf" = "C:\nAgLlfnAgLlf\nAgLlf.vbs"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process csc.exe:3528 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"EnableConsoleTracing" = "0"

"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"ConsoleTracingMask" = "4294901760"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PfMycV" = "C:\PfMycVPfMycV\PfMycV.vbs"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process WScript.exe:3556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:3516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 108.exe:532 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process RegSvcs.exe:3904 makes changes in the system registry.


The Trojan deletes the following registry key(s):

[HKCU\Software\3332]

The process RegSvcs.exe:3332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:23:08 PM"

[HKCU\Software\3332]
"Mutex" = "zUB8dknwC"

[HKCU\Software\zUB8dknwC]
"InstalledServer" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

The process RegSvcs.exe:1936 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:23:13 PM"
"InstalledServer" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

[HKCU\Software\1936]
"Mutex" = "zUB8dknwC"

The process RegSvcs.exe:1592 makes changes in the system registry.


The Trojan deletes the following registry key(s):

[HKCU\Software\1936]

The process 836.exe:3980 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 6x7aj.exe:676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:22:17 PM"
"InstalledServer" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe"

[HKCU\Software\676]
"Mutex" = "zUB8dknwC"

The process 6x7aj.exe:2632 makes changes in the system registry.


The Trojan deletes the following registry key(s):

[HKCU\Software\676]

The process file.exe:3348 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process file.exe:3336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Javatmp2539891.exe:672 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process jfd.exe:2904 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdatemf" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
ea91e005c6920683a4526839f7745482c:\PfMycVPfMycV\PfMycV.exe
a984b83727565a4854b0d4834c99c38bc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Adovetmp35891[1].exe
6f6323d9006f3a6ba57a86b78211a675c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Javatmp2539891[1].exe
881873b613e3e0d7bf17a3c3f92fb52dc:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Adovetmp35891[1].exe
a984b83727565a4854b0d4834c99c38bc:\Users\"%CurrentUserName%"\AppData\Local\Temp\108.exe
881873b613e3e0d7bf17a3c3f92fb52dc:\Users\"%CurrentUserName%"\AppData\Local\Temp\836.exe
6f6323d9006f3a6ba57a86b78211a675c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Javatmp2539891.exe
ea91e005c6920683a4526839f7745482c:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe
71d8f6d5dc35517275bc38ebcc815f9fc:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe
ea91e005c6920683a4526839f7745482c:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe
a3965bf24f188ba39e9defa8b4cb2d8bc:\Users\"%CurrentUserName%"\h2x2x\file.exe
0ca2e93b7e2fca0d242d7c284b49f7c5c:\Users\"%CurrentUserName%"\qto4z\file.exe
ea91e005c6920683a4526839f7745482c:\nAgLlfnAgLlf\nAgLlf.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dvl07.exe:328
    dvl07.exe:3448
    csc.exe:4008
    WScript.exe:3556
    WScript.exe:3516
    108.exe:532
    RegSvcs.exe:3904
    RegSvcs.exe:3332
    RegSvcs.exe:1936
    RegSvcs.exe:1592
    836.exe:3980
    6x7aj.exe:676
    6x7aj.exe:1480
    file.exe:3348
    file.exe:3336
    rundll32.exe:3736
    Javatmp2539891.exe:672
    jfd.exe:1368
    jfd.exe:2904
    %original file name%.exe:3404

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (308 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\nAgLlf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Adovetmp35891[1].exe (124320 bytes)
    C:\nAgLlfnAgLlf\nAgLlf.vbs (207 bytes)
    C:\nAgLlfnAgLlf\x (5441 bytes)
    C:\nAgLlfnAgLlf\nAgLlf.exe (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\836.exe (62167 bytes)
    C:\PfMycVPfMycV\PfMycV.exe (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9666.tmp (2712 bytes)
    C:\PfMycVPfMycV\PfMycV.vbs (207 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Adovetmp35891[1].exe (102417 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\PfMycV (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9665.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\108.exe (44515 bytes)
    C:\PfMycVPfMycV\x (5441 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (1290 bytes)
    C:\Users\"%CurrentUserName%"\qto4z\file.exe (593 bytes)
    C:\Users\"%CurrentUserName%"\qto4z\53bym.vbs (90 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xbq.jpg (209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tlq.txt (766 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xli.docx (713 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iol.mp4 (885 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wqr.icm (768 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tpg.ico (949 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\lka.mp4 (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wju.ppt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iix.pdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\fwm.bmp (689 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\nhu.mp3 (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ntr.mp4 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\smw.ppt (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wmd.txt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe (15154 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\odo.txt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ele.ppt (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\obc.mp4 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wiq.dat (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qam.mp4 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\mva.pdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\upr.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\cbj.dat (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hui.txt (123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hoo.txt (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\vmh.ico (395 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe (1853 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\x (7410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe (1853 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\x (6098 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60FRU4FC\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2Q082UPM\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R6ZYRE63\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z1KVGK69\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bnk.mp3 (482 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vov.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bvf.bmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe (15154 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ppo.mp4 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xor.pdf (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\anp.docx (191 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tlg.mp3 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\lsp.ico (490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\wel.mp4 (856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\frr.ppt (205 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sqg.ico (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\idi.mp4 (335 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\igr.mp3 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vlc.xl (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mqd.ico (515 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\fnq.xl (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mfq.mp3 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ugx.mp3 (416 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bis.icm (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\abx.mp3 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ebw.txt (672 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\dir.txt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\rko.ppt (485 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sgm.txt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\uxs.ppt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\exh.xl (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tox.ppt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bep.docx (776 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\alr.ico (660 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\olk.xl (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\AYKHP (97 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Javatmp2539891.exe (157922 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\spd (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Javatmp2539891[1].exe (587707 bytes)
    C:\Users\"%CurrentUserName%"\h2x2x\file.exe (2488 bytes)
    C:\Users\"%CurrentUserName%"\h2x2x\nktas.vbs (90 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nAgLlf" = "C:\nAgLlfnAgLlf\nAgLlf.vbs"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "PfMycV" = "C:\PfMycVPfMycV\PfMycV.vbs"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WindowsUpdatemf" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409672754732164.543936713f49bc050e40a4e491d5cf0444245
.rdata77824722176803.3807176315cc3ce7c7f34b89c00e96fd3d919
.data86016878045122.46276f9415022853d8e925bcb178dd62e322
.CRT176128165120.152104d8690a66757c8eeab6988f4a858f4dcd
.rsrc1802241126201126400.934972c9249bc5c25286bb68ccf41cc4520564

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://dryversdocumentsandfullcustomsoft.com/Adovetmp35891.exe192.185.135.72
hxxp://dryversdocumentsandfullcloud.com/Adovetmp35891.exe192.185.39.254
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX+JrHYM=
hxxp://dryversdocumentsandfullcloud.com/Javatmp2539891.exe192.185.39.254
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX+JrHYM=93.184.220.29
www.google.com172.217.20.164
dns.msftncsi.com131.107.255.255
k4l1m3r4.publicvm.com187.189.61.175
www.dropbox.com162.125.66.1
wins10up.16-b.it189.149.244.162

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX+JrHYM= HTTP/1.1

Cache-Control: max-age = 517590

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 06:25:50 GMT

If-None-Match: "57ff28ee-1d7"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: public, max-age=172800

Content-Type: application/ocsp-response

Date: Thu, 30 Mar 2017 13:22:33 GMT

Etag: "58dca596-1d7"

Expires: Thu, 06 Apr 2017 01:22:33 GMT

Last-Modified: Thu, 30 Mar 2017 06:28:38 GMT

Server: ECS (fcn/41D2)

X-Cache: HIT

Content-Length: 471

0..........0..... .....0......0...0.......>.i...G...&....cd ...20170329220000Z0s0q0I0... ............(..A...B..G@B.X....>.i...G...&....cd ....y.D.... .a_.k......20170329220000Z....20170405220000Z0...*.H..............F.C..Z.....tJ....N......0;..M.h.C......2P ..J&M.{~.y...m....j....6.>.-....R;....v..z.R.&..CE...q..#..(......o.k.5..>s.....rZ...........<.[..d.....u..JF....].1.s.....R4.....~..E{..7t2...(.......Y.i....... v..0.............).}..,.]t.}G)..rW...V...;U..O%"[..HTTP/1.1 200 OK..Accept-Ranges: bytes..Cache-Control: public, max-age=172800..Content-Type: application/ocsp-response..Date: Thu, 30 Mar 2017 13:22:33 GMT..Etag: "58dca596-1d7"..Expires: Thu, 06 Apr 2017 01:22:33 GMT..Last-Modified: Thu, 30 Mar 2017 06:28:38 GMT..Server: ECS (fcn/41D2)..X-Cache: HIT..Content-Length: 471..0..........0..... .....0......0...0.......>.i...G...&....cd ...20170329220000Z0s0q0I0... ............(..A...B..G@B.X....>.i...G...&....cd ....y.D.... .a_.k......20170329220000Z....20170405220000Z0...*.H..............F.C..Z.....tJ....N......0;..M.h.C......2P ..J&M.{~.y...m....j....6.>.-....R;....v..z.R.&..CE...q..#..(......o.k.5..>s.....rZ...........<.[..d.....u..JF....].1.s.....R4.....~..E{..7t2...(.......Y.i....... v..0.............).}..,.]t.}G)..rW...V...;U..O%"[....

<<< skipped >>>

GET /Adovetmp35891.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: dryversdocumentsandfullcloud.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.10.3

Date: Thu, 30 Mar 2017 13:22:22 GMT

Content-Type: application/x-msdownload

Content-Length: 1471344

Connection: keep-alive

Last-Modified: Wed, 29 Mar 2017 16:36:56 GMT

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............|...|...|.......|...}...|.......|.......|.......|.......|.......|.......|.Rich..|.........................PE..L...uM.O.................$...................@....@..................................................................\..3....L.......................................B...............................................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...$w...`.......F..............@....CRT.... ............H..............@..@.rsrc................J..............@..@..................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]^_....

<<< skipped >>>

GET /Adovetmp35891.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: dryversdocumentsandfullcustomsoft.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 30 Mar 2017 13:22:13 GMT

Server: Apache

Last-Modified: Tue, 28 Mar 2017 14:53:53 GMT

Accept-Ranges: bytes

Content-Length: 1018212

Keep-Alive: timeout=5, max=75

Connection: Keep-Alive

Content-Type: application/x-msdownload

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f..{5..{5..{5...5..{5..z5(.{5...5..{5...5..{5...5..{5...5..{5...5..{5...5..{5Rich..{5........PE..L...Yj>O.....................N...............0....@..................................................................K..3...L<.......................................2...............................................0...............................text...2........................... ..`.rdata..5....0......."..............@..@.data....V...P.......@..............@....CRT.................B..............@..@.rsrc................D..............@..@..................................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]

<<< skipped >>>

GET /Javatmp2539891.exe HTTP/1.1

User-Agent: AutoIt

Host: dryversdocumentsandfullcloud.com

HTTP/1.1 200 OK

Server: nginx/1.10.3

Date: Thu, 30 Mar 2017 13:22:57 GMT

Content-Type: application/x-msdownload

Content-Length: 1470465

Connection: keep-alive

Last-Modified: Wed, 29 Mar 2017 16:28:48 GMT

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............|...|...|.......|...}...|.......|.......|.......|.......|.......|.......|.Rich..|.........................PE..L...uM.O.................$...................@....@..................................................................\..3....L.......................................B...............................................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...$w...`.......F..............@....CRT.... ............H..............@..@.rsrc................J..............@..@..................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]^_....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

SearchProtocolHost.exe_3428:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

ADVAPI32.dll

ADVAPI32.dll

ntdll.DLL

ntdll.DLL

KERNEL32.dll

KERNEL32.dll

msvcrt.dll

msvcrt.dll

USER32.dll

USER32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

TQUERY.DLL

TQUERY.DLL

MSSHooks.dll

MSSHooks.dll

IMM32.dll

IMM32.dll

SHLWAPI.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSLogin

SrchDSSPortManager

SrchDSSPortManager

SrchPHHttp

SrchPHHttp

SrchIndexerQuery

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerClient

SrchIndexerSchema

SrchIndexerSchema

Msidle.dll

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyW

RegDeleteKeyExW

RegDeleteKeyExW

8%uiP

8%uiP

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

0xx=

0xx=

%s(%d)

%s(%d)

tid="0x%x"

tid="0x%x"

pid="0x%x"

pid="0x%x"

tagname="%s"

tagname="%s"

tagid="0x%x"

tagid="0x%x"

el="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

time="d/d/d d:d:d.d"

logname="%s"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

SHELL32.dll

PROPSYS.dll

PROPSYS.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ReportEventW

ReportEventW

_amsg_exit

_amsg_exit

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

SearchProtocolHost.pdb

2 2(20282|2

2 2(20282|2

4%5S5

4%5S5

Software\Microsoft\Windows Search

Software\Microsoft\Windows Search

https

https

kernel32.dll

kernel32.dll

msTracer.dll

msTracer.dll

msfte.dll

msfte.dll

lX-X-X-XX-XXXXXX

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

tquery.dll

tquery.dll

%s\%s

%s\%s

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

Windows Search Service

Windows Search Service


0xx%p%S%d


0xx%p%S%d

advapi32.dll

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

Software\Microsoft\Windows Search\Tracing\EventThrottleState

%S(%d)

%S(%d)

tagname="%S"

tagname="%S"

logname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s.mui

.\%s\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

SearchProtocolHost.exe

Windows

Windows

7.00.7601.17610

7.00.7601.17610

csc.exe_3528:

`.rsrc

`.rsrc

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

76487-644-3177037-23510

76487-644-3177037-23510

55274-640-2673064-23950

55274-640-2673064-23950

sbiedll.dll

sbiedll.dll

dbghelp.dll

dbghelp.dll

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

PSAPI.dll

PSAPI.dll

UnitKeylogger

UnitKeylogger

application/x-www-form-urlencoded

application/x-www-form-urlencoded

compatible; MSIE 7.0; Windows NT 5.1; SV1)

compatible; MSIE 7.0; Windows NT 5.1; SV1)

\SysWOW64\svchost.exe

\SysWOW64\svchost.exe

ProcessHacker.exe

ProcessHacker.exe

avk.bin

avk.bin

hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1

hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1

kprocesshacker.sys

kprocesshacker.sys

Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|

Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|

avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|

avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|

GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|

GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|

mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|

mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|

mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|

mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|

vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|

vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|

pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|

pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|

eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|

eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|

AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|

AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|

:\love.scr

:\love.scr

taskmgr.exe

taskmgr.exe

processhacker.exe

processhacker.exe

KILLPROCESSHACKER

KILLPROCESSHACKER

Wireshark.exe

Wireshark.exe

egui.exe

egui.exe

bdagent.exe

bdagent.exe

avguard.exe

avguard.exe

ollydbg.exe

ollydbg.exe

rstrui.exe

rstrui.exe

regedit.exe

regedit.exe

msconfig.exe

msconfig.exe

vmware.exe

vmware.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild

%Program Files% (x86)\Kaspersky Lab

%Program Files% (x86)\Kaspersky Lab

%Program Files%\Kaspersky Lab

%Program Files%\Kaspersky Lab

svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

:Zone.Identifier

:Zone.Identifier

c:\debugg

c:\debugg

on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1

on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1

avgui.exe

avgui.exe

C:\Users\

C:\Users\

\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnce

avpui.exe

avpui.exe

ruta.txt

ruta.txt

%Program Files%\Bitdefender

%Program Files%\Bitdefender

%Program Files%\Trend Micro

%Program Files%\Trend Micro

C:\Windows\System32\werfault.exe

C:\Windows\System32\werfault.exe

iu2.iua

iu2.iua

KWindows

KWindows

UrlMon

UrlMon

GetCPInfo

GetCPInfo

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

ShellExecuteExA

ShellExecuteExA

URLDownloadToFileA

URLDownloadToFileA

GetKeyboardType

GetKeyboardType

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

KERNEL32.DLL

KERNEL32.DLL

advapi32.dll

advapi32.dll

shell32.dll

shell32.dll

shfolder.dll

shfolder.dll

URLMON.DLL

URLMON.DLL

user32.dll

user32.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

List capacity out of bounds (%d)

List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Cannot assign a %s to a %s%String list does not allow duplicates

Cannot assign a %s to a %s%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

csc.exe_3528_rwx_00400000_00024000:

`.rsrc

`.rsrc

kernel32.dll

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

76487-644-3177037-23510

76487-644-3177037-23510

55274-640-2673064-23950

55274-640-2673064-23950

sbiedll.dll

sbiedll.dll

dbghelp.dll

dbghelp.dll

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

PSAPI.dll

PSAPI.dll

UnitKeylogger

UnitKeylogger

application/x-www-form-urlencoded

application/x-www-form-urlencoded

compatible; MSIE 7.0; Windows NT 5.1; SV1)

compatible; MSIE 7.0; Windows NT 5.1; SV1)

\SysWOW64\svchost.exe

\SysWOW64\svchost.exe

ProcessHacker.exe

ProcessHacker.exe

avk.bin

avk.bin

hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1

hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1

kprocesshacker.sys

kprocesshacker.sys

Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|

Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|

avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|

avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|

GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|

GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|

mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|

mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|

mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|

mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|

vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|

vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|

pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|

pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|

eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|

eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|

AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|

AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|

:\love.scr

:\love.scr

taskmgr.exe

taskmgr.exe

processhacker.exe

processhacker.exe

KILLPROCESSHACKER

KILLPROCESSHACKER

Wireshark.exe

Wireshark.exe

egui.exe

egui.exe

bdagent.exe

bdagent.exe

avguard.exe

avguard.exe

ollydbg.exe

ollydbg.exe

rstrui.exe

rstrui.exe

regedit.exe

regedit.exe

msconfig.exe

msconfig.exe

vmware.exe

vmware.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild

%Program Files% (x86)\Kaspersky Lab

%Program Files% (x86)\Kaspersky Lab

%Program Files%\Kaspersky Lab

%Program Files%\Kaspersky Lab

svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

:Zone.Identifier

:Zone.Identifier

c:\debugg

c:\debugg

on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1

on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1

avgui.exe

avgui.exe

C:\Users\

C:\Users\

\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnce

avpui.exe

avpui.exe

ruta.txt

ruta.txt

%Program Files%\Bitdefender

%Program Files%\Bitdefender

%Program Files%\Trend Micro

%Program Files%\Trend Micro

C:\Windows\System32\werfault.exe

C:\Windows\System32\werfault.exe

iu2.iua

iu2.iua

KWindows

KWindows

UrlMon

UrlMon

GetCPInfo

GetCPInfo

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

RegCreateKeyA

RegCreateKeyA

ShellExecuteExA

ShellExecuteExA

URLDownloadToFileA

URLDownloadToFileA

GetKeyboardType

GetKeyboardType

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

KERNEL32.DLL

KERNEL32.DLL

advapi32.dll

advapi32.dll

shell32.dll

shell32.dll

shfolder.dll

shfolder.dll

URLMON.DLL

URLMON.DLL

user32.dll

user32.dll

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

List capacity out of bounds (%d)

List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

List index out of bounds (%d)

%s.Seek not implemented$Operation not allowed on sorted list

%s.Seek not implemented$Operation not allowed on sorted list

Cannot assign a %s to a %s%String list does not allow duplicates

Cannot assign a %s to a %s%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Interface not supported

Interface not supported

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

!'%s' is not a valid integer value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

SearchFilterHost.exe_2348:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

ADVAPI32.dll

ADVAPI32.dll

ntdll.DLL

ntdll.DLL

KERNEL32.dll

KERNEL32.dll

msvcrt.dll

msvcrt.dll

USER32.dll

USER32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

TQUERY.DLL

TQUERY.DLL

IMM32.dll

IMM32.dll

MSSHooks.dll

MSSHooks.dll

mscoree.dll

mscoree.dll

SHLWAPI.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyW

RegDeleteKeyExW

RegDeleteKeyExW

8%uiP

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

ReportEventW

ReportEventW

_amsg_exit

_amsg_exit

SearchFilterHost.pdb

SearchFilterHost.pdb

version="5.1.0.0"

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

name="Microsoft.Windows.Search.MSSFH"

3 3(30383|3

3 3(30383|3

kernel32.dll

kernel32.dll

Software\Microsoft\Windows Search

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

Windows Search Service

Windows Search Service

tquery.dll

tquery.dll

advapi32.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll


0xx%p%S%d


0xx%p%S%d

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

Software\Microsoft\Windows Search\Tracing\EventThrottleState

0xx=

0xx=

%S(%d)

%S(%d)

tid="0x%x"

tid="0x%x"

pid="0x%x"

pid="0x%x"

tagname="%S"

tagname="%S"

tagid="0x%x"

tagid="0x%x"

el="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

time="d/d/d d:d:d.d"

logname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s.mui

.\%s\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s\%s.mui

%s\%s

%s\%s

winhttp.dll

winhttp.dll

Microsoft Windows Search Filter Host

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

SearchFilterHost.exe

Windows

Windows

7.00.7601.17610

7.00.7601.17610

6x7aj.exe_2632:

`.rsrc

`.rsrc

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EIdCanNotBindPortInRange

EIdCanNotBindPortInRange

EIdInvalidPortRange\wc

EIdInvalidPortRange\wc

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas

WS2_32.DLL

WS2_32.DLL

MSWSOCK.DLL

MSWSOCK.DLL

getservbyport

getservbyport

WSAAsyncGetServByPort

WSAAsyncGetServByPort

WSAJoinLeaf

WSAJoinLeaf

WSARecvMsg

WSARecvMsg

WSASendMsg

WSASendMsg

Wship6.dll

Wship6.dll

Fwpuclnt.dll

Fwpuclnt.dll

TIdSocketListWindows

TIdSocketListWindows

TIdStackWindowsU

TIdStackWindowsU

Kernel32.dll

Kernel32.dll

EIdIPVersionUnsupportedP

EIdIPVersionUnsupportedP

127.0.0.1

127.0.0.1

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas

EIdPortRequired

EIdPortRequired

EIdTCPConnectionError

EIdTCPConnectionError

EIdObjectTypeNotSupported

EIdObjectTypeNotSupported

ftpTransfer

ftpTransfer

ftpReady

ftpReady

ftpAborted

ftpAborted

PortT

PortT

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas

ClientPortMin

ClientPortMin

ClientPortMax

ClientPortMax

Port|

Port|

"EIdTransparentProxyUDPNotSupported

"EIdTransparentProxyUDPNotSupported

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas

%EIdSocksUDPNotSupportedBySOCKSVersion

%EIdSocksUDPNotSupportedBySOCKSVersion

saUsernamePassword

saUsernamePassword

Password

Password

PortD

PortD

0.0.0.1

0.0.0.1

0.0.0.0

0.0.0.0

BoundPort

BoundPort

DefaultPortD

DefaultPortD

TIdTCPConnection

TIdTCPConnection

TIdTCPConnectionX

TIdTCPConnectionX

IdTCPConnection

IdTCPConnection

TIdTCPClientCustom

TIdTCPClientCustom

IdTCPClient

IdTCPClient

TIdTCPClient

TIdTCPClient

TIdTCPClientH

TIdTCPClientH

BoundPortT

BoundPortT

ole32.dll

ole32.dll

EInvalidGraphicOperation

EInvalidGraphicOperation

Please contact Cyber-Software support

Please contact Cyber-Software support

shlwapi.dll

shlwapi.dll

WbemScripting.SWbemLocator

WbemScripting.SWbemLocator

%s\%s

%s\%s

SELECT * FROM %s

SELECT * FROM %s

pathToSignedProductExe

pathToSignedProductExe

pathToSignedReportingExe

pathToSignedReportingExe

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

MAPI32.DLL

MAPI32.DLL

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeyword

HelpKeyword

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreview

KeyPreview

WindowState

WindowState

OnKeyDown46g

OnKeyDown46g

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

TWebcam

TWebcam

SetupApi.dll

SetupApi.dll

SetupDiOpenClassRegKey

SetupDiOpenClassRegKey

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExW

SetupDiOpenClassRegKeyExW

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiOpenDeviceInterfaceRegKey

SetupDiOpenDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyW

SetupDiCreateDevRegKeyW

SetupDiOpenDevRegKey

SetupDiOpenDevRegKey

SetupDiDeleteDevRegKey

SetupDiDeleteDevRegKey

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

ISO_646.irv:1991

ISO_646.irv:1991

ISO_646.basic:1983

ISO_646.basic:1983

ISO_646.irv:1983

ISO_646.irv:1983

csISO16Portuguese

csISO16Portuguese

csISO84Portuguese2

csISO84Portuguese2

windows-936

windows-936

csShiftJIS

csShiftJIS

windows-874

windows-874

ISO-8859-1-Windows-3.0-Latin-1

ISO-8859-1-Windows-3.0-Latin-1

csWindows30Latin1

csWindows30Latin1

ISO-8859-1-Windows-3.1-Latin-1

ISO-8859-1-Windows-3.1-Latin-1

csWindows31Latin1

csWindows31Latin1

ISO-8859-2-Windows-Latin-2

ISO-8859-2-Windows-Latin-2

csWindows31Latin2

csWindows31Latin2

ISO-8859-9-Windows-Latin-5

ISO-8859-9-Windows-Latin-5

csWindows31Latin5

csWindows31Latin5

csMicrosoftPublishing

csMicrosoftPublishing

Windows-31J

Windows-31J

csWindows31J

csWindows31J

PTCP154

PTCP154

csPTCP154

csPTCP154

windows-1250

windows-1250

windows-1251

windows-1251

windows-1252

windows-1252

windows-1253

windows-1253

windows-1254

windows-1254

windows-1255

windows-1255

windows-1256

windows-1256

windows-1257

windows-1257

windows-1258

windows-1258

HTTP-EQUIV

HTTP-EQUIV

()@,;:\"./

()@,;:\"./

()@,;:\"/[]?=

()@,;:\"/[]?=

()@,;:\"/[]?={}

()@,;:\"/[]?={}

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas

EIdTCPNoOnExecute

EIdTCPNoOnExecute

TIdTCPServer

TIdTCPServer

TIdTCPServerX

TIdTCPServerX

IdTCPServer

IdTCPServer

OnExecute

OnExecute

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas

%s User

%s User

IdCustomTCPServer

IdCustomTCPServer

TIdCustomTCPServer

TIdCustomTCPServer

DefaultPort

DefaultPort

EIdTCPServerError

EIdTCPServerError

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas

CmdDelimiter

CmdDelimiter

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas

'TIdCmdTCPServerAfterCommandHandlerEvent

'TIdCmdTCPServerAfterCommandHandlerEvent

TIdCmdTCPServer

TIdCmdTCPServer

(TIdCmdTCPServerBeforeCommandHandlerEvent

(TIdCmdTCPServerBeforeCommandHandlerEvent

IdCmdTCPServer

IdCmdTCPServer

Displays commands that the servers supports.

Displays commands that the servers supports.

TIdTCPStream

TIdTCPStream

IdRead() method of TIdTCPStream class does not support seeking

IdRead() method of TIdTCPStream class does not support seeking

TIdHTTPProxyTransferMode

TIdHTTPProxyTransferMode

TIdHTTPProxyServerContextt

TIdHTTPProxyServerContextt

TIdHTTPProxyServerContext$

TIdHTTPProxyServerContext$

TOnHTTPContextEvent

TOnHTTPContextEvent

TIdHTTPProxyServerContext

TIdHTTPProxyServerContext

TOnHTTPDocument

TOnHTTPDocument

TIdHTTPProxyServer

TIdHTTPProxyServer

OnHTTPBeforeCommand

OnHTTPBeforeCommand

OnHTTPResponse

OnHTTPResponse

OnHTTPDocument

OnHTTPDocument

HTTP/1.0

HTTP/1.0

HTTP/1.0 200 Connection established

HTTP/1.0 200 Connection established

HNetCfg.FwMgr

HNetCfg.FwMgr

HNetCfg.FwAuthorizedApplication

HNetCfg.FwAuthorizedApplication

PSAPI.dll

PSAPI.dll

TWebcamThread

TWebcamThread

Uh.Uk

Uh.Uk

789:;

789:;

iphlpapi.dll

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

SetTcpEntry

GetExtendedTcpTable

GetExtendedTcpTable

GetExtendedUdpTable

GetExtendedUdpTable

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

TSendKey

TSendKey

sqlite3_bind_blob

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_bind_parameter_index

sqlite3_open

sqlite3_open

sqlite3_close

sqlite3_close

sqlite3_errmsg

sqlite3_errmsg

sqlite3_free

sqlite3_free

sqlite3_prepare_v2

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_count

sqlite3_column_name

sqlite3_column_name

sqlite3_column_decltype

sqlite3_column_decltype

sqlite3_step

sqlite3_step

sqlite3_column_blob

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_double

sqlite3_column_text

sqlite3_column_text

sqlite3_column_type

sqlite3_column_type

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_reset

sqlite3_reset

ESQLiteException

ESQLiteException

TSQLiteDatabaseD

TSQLiteDatabaseD

TSQLiteTable

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Failed to open database "%s" : unknown error

Error executing SQL

Error executing SQL

Could not prepare SQL statement

Could not prepare SQL statement

Error executing SQL statement

Error executing SQL statement

SQLite is Busy

SQLite is Busy

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

1234567890.

1234567890.

mozsqlite3.dll

mozsqlite3.dll

sqlite3.dll

sqlite3.dll

mozcrt19.dll

mozcrt19.dll

msvcr100.dll

msvcr100.dll

mozglue.dll

mozglue.dll

mozutils.dll

mozutils.dll

nspr4.dll

nspr4.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nssutil3.dll

nssutil3.dll

nss3.dll

nss3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\Mozilla\Firefox\

signons.sqlite

signons.sqlite

SELECT * FROM moz_logins

SELECT * FROM moz_logins

encryptedPassword

encryptedPassword

Microsoft\Network\Connections\pbk\rasphone.pbk

Microsoft\Network\Connections\pbk\rasphone.pbk

rasapi32.dll

rasapi32.dll

rnaph.dll

rnaph.dll

RAS Passwords

RAS Passwords

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

Ps_Passwords

Ps_Passwords

advapi32.dll

advapi32.dll

WindowsLive:name=*

WindowsLive:name=*

\Mozilla Firefox\

\Mozilla Firefox\

MSVCR100.dll

MSVCR100.dll

softokn3.dll

softokn3.dll

userenv.dll

userenv.dll

profiles.ini

profiles.ini

\signons3.txt

\signons3.txt

\signons2.txt

\signons2.txt

\signons1.txt

\signons1.txt

\signons.txt

\signons.txt

ps_SafariPasswordRecovery

ps_SafariPasswordRecovery

AVURLProtocol_Classic

AVURLProtocol_Classic

\Apple Computer\Preferences\keychain.plist

\Apple Computer\Preferences\keychain.plist

\Apple\Apple Application Support\CFNetwork.dll

\Apple\Apple Application Support\CFNetwork.dll

hXXp://

hXXp://

PTF://

PTF://

*PTF://

*PTF://

hXXps://

hXXps://

Shell.Application

Shell.Application

hXXp://cyber-sec.org/email/asp/email.php?email=

hXXp://cyber-sec.org/email/asp/email.php?email=

TMemoryOperation

TMemoryOperation

%sysdir%\

%sysdir%\

%serverpath%\

%serverpath%\

%sysdir%

%sysdir%

%serverpath%

%serverpath%

Proxy Bypass

Proxy Bypass

ntdll.dll

ntdll.dll

TPasswordItem

TPasswordItem

TArrayPasswod

TArrayPasswod

Crypt32.dll

Crypt32.dll

shell32.dll

shell32.dll

Advapi32.dll

Advapi32.dll

SOFTWARE\MOZILLA\MOZILLA FIREFOX

SOFTWARE\MOZILLA\MOZILLA FIREFOX

SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main

SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main

select * from moz_logins

select * from moz_logins

Firefox

Firefox

SOFTWARE\MOZILLA\MOZILLA FIREFOX\

SOFTWARE\MOZILLA\MOZILLA FIREFOX\

\Flock\Browser\profiles.ini

\Flock\Browser\profiles.ini

Flock-Firefox

Flock-Firefox

\1-abc\personal calendar\sqlite3.dll

\1-abc\personal calendar\sqlite3.dll

\clipdiary\sqlite3.dll

\clipdiary\sqlite3.dll

\conceptworld\recentx\sqlite3.dll

\conceptworld\recentx\sqlite3.dll

\darq software\transmute\sqlite3.dll

\darq software\transmute\sqlite3.dll

\delphish\sqlite3.dll

\delphish\sqlite3.dll

\ditto\sqlite3.dll

\ditto\sqlite3.dll

\du meter\sqlite3.dll

\du meter\sqlite3.dll

\fcleaner\sqlite3.dll

\fcleaner\sqlite3.dll

\file seeker\sqlite3.dll

\file seeker\sqlite3.dll

\flashnote\sqlite3.dll

\flashnote\sqlite3.dll

\flashpaste\sqlite3.dll

\flashpaste\sqlite3.dll

\gorecord\sqlite3.dll

\gorecord\sqlite3.dll

\gorecord2\sqlite3.dll

\gorecord2\sqlite3.dll

\linkcollector portable\sqlite3.dll

\linkcollector portable\sqlite3.dll

\ma-config.com\sqlite3.dll

\ma-config.com\sqlite3.dll

\macrovirus\sqlite3.dll

\macrovirus\sqlite3.dll

\msnsniffer2\sqlite3.dll

\msnsniffer2\sqlite3.dll

\notecable\sqlite3.dll

\notecable\sqlite3.dll

\nzbleecher\sqlite3.dll

\nzbleecher\sqlite3.dll

\outlook express\sqlite3.dll

\outlook express\sqlite3.dll

\page update watcher\sqlite3.dll

\page update watcher\sqlite3.dll

\pipi\sqlite3.dll

\pipi\sqlite3.dll

\qloud\sqlite3.dll

\qloud\sqlite3.dll

\qloud\winamp\sqlite3.dll

\qloud\winamp\sqlite3.dll

\qloud\windows media player\sqlite3.dll

\qloud\windows media player\sqlite3.dll

\recordtheradio\sqlite3.dll

\recordtheradio\sqlite3.dll

\rightload\sqlite3.dll

\rightload\sqlite3.dll

\smm\funny sms10\sqlite3.dll

\smm\funny sms10\sqlite3.dll

\smm\simple mail 7\sqlite3.dll

\smm\simple mail 7\sqlite3.dll

\spiceworks\bin\sqlite3.dll

\spiceworks\bin\sqlite3.dll

\spyware-secure\sqlite3.dll

\spyware-secure\sqlite3.dll

\timelog\sqlite3.dll

\timelog\sqlite3.dll

\video2webcam\sqlite3.dll

\video2webcam\sqlite3.dll

\webmarkers\sqlite3.dll

\webmarkers\sqlite3.dll

\webmediaplayer\sqlite3.dll

\webmediaplayer\sqlite3.dll

\windows media player\plugins\qloud\sqlite3.dll

\windows media player\plugins\qloud\sqlite3.dll

\Mozilla Firefox\sqlite3.dll

\Mozilla Firefox\sqlite3.dll

\VirusGuardPlus\sqlite3.dll

\VirusGuardPlus\sqlite3.dll

\Safari\sqlite3.dll

\Safari\sqlite3.dll

\AIMP2\sqlite3.dll

\AIMP2\sqlite3.dll

\Live-Player\sqlite3.dll

\Live-Player\sqlite3.dll

\TrustedProtection\sqlite3.dll

\TrustedProtection\sqlite3.dll

\PCTotalDefender\sqlite3.dll

\PCTotalDefender\sqlite3.dll

\Common Files\eEye Digital Security\Application Bus\sqlite3.dll

\Common Files\eEye Digital Security\Application Bus\sqlite3.dll

Windows Live Messenger

Windows Live Messenger

DynDNS\Updater\config.dyndns

DynDNS\Updater\config.dyndns

Password=

Password=

Software\DownloadManager\Passwords

Software\DownloadManager\Passwords

Software\DownloadManager\Passwords\

Software\DownloadManager\Passwords\

EncPassword

EncPassword

YLoginWnd

YLoginWnd

FileZilla\recentservers.xml

FileZilla\recentservers.xml

FileZilla\sitemanager.xml

FileZilla\sitemanager.xml

FileZilla\filezilla.xml

FileZilla\filezilla.xml

.purple\accounts.xml

.purple\accounts.xml

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

trillian.ini

trillian.ini

accounts.ini

accounts.ini

password

password

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian

Trillian\trillian.exe

Trillian\trillian.exe

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

###@@@!!!

###@@@!!!

IMAP Password

IMAP Password

IMAP Password:

IMAP Password:

POP3 Password

POP3 Password

POP3 Password:

POP3 Password:

HNetCfg.NATUPnP

HNetCfg.NATUPnP

StaticPortMappingCollection

StaticPortMappingCollection

Uh%Fm

Uh%Fm

TCpuUsageU

TCpuUsageU

##,##0.00

##,##0.00

TNewFTPThreadU

TNewFTPThreadU

TPasswordU

TPasswordU

SHFileOperationW

SHFileOperationW

.hd'n

.hd'n

.hd*n

.hd*n

%s %s

%s %s

Windows NT %d.%d

Windows NT %d.%d

%s %s Server

%s %s Server

Unknown Platform ID (%d)

Unknown Platform ID (%d)

%d.%d

%d.%d

%s [Build: %d

%s [Build: %d

- Service Pack: %s

- Service Pack: %s

KERNEL32.DLL

KERNEL32.DLL

TIdTCPClientNewp

TIdTCPClientNewp

TIdTCPClientNew

TIdTCPClientNew

1.2.3

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

inflate 1.2.3 Copyright 1995-2005 Mark Adler

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

com.apple.Safari

com.apple.Safari

com.apple.Safari0123456789ABCDEF

com.apple.Safari0123456789ABCDEF

1iu2.iu

1iu2.iu

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

KWindows

KWindows

IdStackWindows

IdStackWindows

Sr_StartWebcam

Sr_StartWebcam

UrlMon

UrlMon

UnitWebcamAPI

UnitWebcamAPI

IdTCPStream

IdTCPStream

IdTCPServer

IdTCPServer

Sr_Windows

Sr_Windows

Cm_Keylogger

Cm_Keylogger

~Sr_Ports

~Sr_Ports

}Unitsndkey32

}Unitsndkey32

Vps_FireFox3_5

Vps_FireFox3_5

SQLiteTable3

SQLiteTable3

SQLite3

SQLite3

Ps_IEpasswords

Ps_IEpasswords

ps_URLHistory

ps_URLHistory

FPs_PasswordRecovery

FPs_PasswordRecovery

Ps_OperaPasswords

Ps_OperaPasswords

Sr_MemoryEXE

Sr_MemoryEXE

Sr_MemoryExecuteFunctions

Sr_MemoryExecuteFunctions

U_GrabFirefox10

U_GrabFirefox10

YU_GrabFirefox8

YU_GrabFirefox8

6U_GrabFirefox

6U_GrabFirefox

\U_GrabChrome

\U_GrabChrome

U_GrabFirefox15

U_GrabFirefox15

U_Grabfirefox22

U_Grabfirefox22

{IdCmdTCPClient

{IdCmdTCPClient

SetNamedPipeHandleState

SetNamedPipeHandleState

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

RegQueryInfoKeyA

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExW

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyW

RegOpenKeyW

RegOpenKeyA

RegOpenKeyA

RegFlushKey

RegFlushKey

RegEnumKeyExW

RegEnumKeyExW

RegEnumKeyExA

RegEnumKeyExA

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyExW

RegCreateKeyExW

RegCreateKeyExA

RegCreateKeyExA

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

CryptImportKey

CryptImportKey

CryptSetKeyParam

CryptSetKeyParam

CryptDestroyKey

CryptDestroyKey

SetViewportOrgEx

SetViewportOrgEx

GdiplusShutdown

GdiplusShutdown

ShellExecuteW

ShellExecuteW

FindExecutableW

FindExecutableW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToFileW

URLDownloadToFileW

keybd_event

keybd_event

VkKeyScanW

VkKeyScanW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

SetWindowsHookExA

SetWindowsHookExA

SetKeyboardState

SetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyW

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

ExitWindowsEx

ExitWindowsEx

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

GetKeyboardType

GetKeyboardType

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

InternetOpenUrlW

InternetOpenUrlW

InternetOpenUrlA

InternetOpenUrlA

HttpQueryInfoA

HttpQueryInfoA

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

[E.MyFull

[E.MyFull

-!GA?EXE

-!GA?EXE

LMsg

LMsg

AVICAP32.DLL

AVICAP32.DLL

crypt32.dll

crypt32.dll

gdi32.dll

gdi32.dll

gdiplus.dll

gdiplus.dll

mpr.dll

mpr.dll

msacm32.dll

msacm32.dll

powrprof.dll

powrprof.dll

pstorec.dll

pstorec.dll

URLMON.DLL

URLMON.DLL

user32.dll

user32.dll

version.dll

version.dll

wininet.dll

wininet.dll

winmm.dll

winmm.dll

wsock32.dll

wsock32.dll

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

Portugal

Portugal

Turkey

Turkey

WEBCAM

WEBCAM

*#%"{}|\^[]`

*#%"{}|\^[]`

uploadandexecute

uploadandexecute

uploadandexecuteyes|

uploadandexecuteyes|

uploadandexecuteno|

uploadandexecuteno|

webcam|webcamstream|

webcam|webcamstream|

webcam|webcamstop|

webcam|webcamstop|

webcamstart

webcamstart

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

CyberGateKeylogger

CyberGateKeylogger

software\microsoft\windows\currentversion\uninstall\

software\microsoft\windows\currentversion\uninstall\

Invalid Key Name

Invalid Key Name

Invalid KeyName

Invalid KeyName

%Username%

%Username%

%Country%

%Country%

Úte%

Úte%

FirstExecution

FirstExecution

keylogger|keyloggeronlinekey|

keylogger|keyloggeronlinekey|

keylogger|keyloggerativar|T|

keylogger|keyloggerativar|T|

keylogger|keyloggerativar|F|

keylogger|keyloggerativar|F|

webcamlist|

webcamlist|

webcam

webcam

filemanager|fmsendftpyes|

filemanager|fmsendftpyes|

filemanager|fmsendftpno|

filemanager|fmsendftpno|

FIREFOX2|

FIREFOX2|

FIREFOX8|

FIREFOX8|

FIREFOX10|

FIREFOX10|

FIREFOX15|

FIREFOX15|

FIREFOX22|

FIREFOX22|

\Opera\Opera\wand.dat

\Opera\Opera\wand.dat

OPERA|

OPERA|

\Google\Chrome\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

CHROME|

CHROME|

\Google\Chrome\User Data\Default\Web Data

\Google\Chrome\User Data\Default\Web Data

getpasswords

getpasswords

downexec

downexec

openweb

openweb

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\

fmexecnormal

fmexecnormal

filemanager|fmexecnormal|

filemanager|fmexecnormal|

fmexechide

fmexechide

filemanager|fmexechide|

filemanager|fmexechide|

fmexecparam

fmexecparam

filemanager|fmexecparam|F|

filemanager|fmexecparam|F|

filemanager|fmexecparam|T|

filemanager|fmexecparam|T|

fmsendftp

fmsendftp

filemanager|fmsendftp|

filemanager|fmsendftp|

listarportas

listarportas

listarportas|listadeportasativas|

listarportas|listadeportasativas|

listarportasdns

listarportasdns

listarportas|finalizarconexao|

listarportas|finalizarconexao|

finalizarprocessoportas

finalizarprocessoportas

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|N|

listarportas|finalizarprocessoportas|N|

tecaladoexecutar

tecaladoexecutar

webcamconfig

webcamconfig

keylogger

keylogger

keylogger|keyloggeronlinestart|

keylogger|keyloggeronlinestart|

keylogger|keyloggeronlinestop|

keylogger|keyloggeronlinestop|

keyloggerativar

keyloggerativar

keyloggerdesativar

keyloggerdesativar

keyloggerbaixar

keyloggerbaixar

keylogger|keyloggerbaixar|

keylogger|keyloggerbaixar|

keylogger|keyloggerbaixar|NOLOGS

keylogger|keyloggerbaixar|NOLOGS

keyloggerexcluir

keyloggerexcluir

keylogger|keyloggerexcluir|

keylogger|keyloggerexcluir|

keyloggeronlinestart

keyloggeronlinestart

keyloggeronlinestop

keyloggeronlinestop

chromepass

chromepass

chromepass|

chromepass|

keysearch

keysearch

keysearch|NO

keysearch|NO

keysearch|YES

keysearch|YES

sendkeyswindow

sendkeyswindow

enviarlogskey

enviarlogskey

enviarlogskey|

enviarlogskey|

rar.exe

rar.exe

rarreg.key

rarreg.key

vs.vbs

vs.vbs

bs.bat

bs.bat

memoryexecoperation

memoryexecoperation

TeamViewer.exe

TeamViewer.exe

TeamViewer_Resource.dll

TeamViewer_Resource.dll

TV.dll

TV.dll

x.html

x.html

Windows 3.1

Windows 3.1

Windows 95 (Release 2)

Windows 95 (Release 2)

Windows 95

Windows 95

Windows 98 SE

Windows 98 SE

Windows 98

Windows 98

Windows ME

Windows ME

Windows 8

Windows 8

Windows 7

Windows 7

Windows Vista

Windows Vista

Windows XP Professional x64

Windows XP Professional x64

Windows XP Home

Windows XP Home

Windows XP Professional

Windows XP Professional

Windows 2000 Professional

Windows 2000 Professional

Windows 2008

Windows 2008

Windows 2003 Server Datacenter

Windows 2003 Server Datacenter

Windows 2003 Server Enterprise

Windows 2003 Server Enterprise

Windows 2003 Server Web Edition

Windows 2003 Server Web Edition

Windows 2003 Server

Windows 2003 Server

Windows Home Server

Windows Home Server

Windows 2003 Server (Release 2)

Windows 2003 Server (Release 2)

Windows 2000 Server Datacenter

Windows 2000 Server Datacenter

Windows 2000 Server Enterprise

Windows 2000 Server Enterprise

Windows 2000 Server Web Edition

Windows 2000 Server Web Edition

Windows 2000 Server

Windows 2000 Server

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server

Windows NT 4.0 Server

SelfDelete.bat

SelfDelete.bat

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Windows

Software\Microsoft\Windows NT\CurrentVersion\Windows

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

explorer.exe

explorer.exe

\Microsoft\Windows\

\Microsoft\Windows\

CYBERGATEPASS

CYBERGATEPASS

k4l1m3r4.publicvm.com

k4l1m3r4.publicvm.com

wins10up.16-b.it

wins10up.16-b.it

UIAutomsslwin.moneyhome.biz

UIAutomsslwin.moneyhome.biz

c0pywins.is-not-certified.com

c0pywins.is-not-certified.com

UIAutomh1h1tl3r.click

UIAutomh1h1tl3r.click

-certified.com

-certified.com

%USECRYPTER%

%USECRYPTER%

2.5.2.0

2.5.2.0

webcamlizUB8dknwCPERSIST

webcamlizUB8dknwCPERSIST

ertified.com

ertified.com

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

ftppass

ftppass

pong|35953|Borrador Memorial de Aportaci

pong|35953|Borrador Memorial de Aportaci

hXXp://VVV.myserver.com/serverplugin.srv

hXXp://VVV.myserver.com/serverplugin.srv

hXXp://VVV.somehosting.com/tagger.php

hXXp://VVV.somehosting.com/tagger.php

C @ JAIME].ini

C @ JAIME].ini

Express.xlsx

Express.xlsx

ache_idx.db!018

ache_idx.db!018

Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs

Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs

DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version%

DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version%

ques y ahorro.pdfn

ques y ahorro.pdfn

example@email.com

example@email.com

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Unsupported clipboard format

Unsupported clipboard format

Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.

Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.

Reply Code is not valid: %s

Reply Code is not valid: %s

Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.

Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.

Command not supported.

Command not supported.

Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)

Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)

File "%s" not found

File "%s" not found

Object type not supported.

Object type not supported.

%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.

%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.

Set Size Exceeded.)UDP is not support in this SOCKS version.

Set Size Exceeded.)UDP is not support in this SOCKS version.

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)

Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Invalid Port Range (%d - %d)

Invalid Port Range (%d - %d)

%s is not a valid service.

%s is not a valid service.

"Operation not supported on socket.

"Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

Protocol family not supported.0Address family not supported by protocol family.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Operation would block.

Operation would block.

Operation now in progress.

Operation now in progress.

Operation already in progress.

Operation already in progress.

Socket operation on non-socket.

Socket operation on non-socket.

Protocol not supported.

Protocol not supported.

Socket type not supported.

Socket type not supported.

Invalid destination array"Character index out of bounds (%d)

Invalid destination array"Character index out of bounds (%d)

Start index out of bounds (%d)

Start index out of bounds (%d)

Invalid count (%d)

Invalid count (%d)

Invalid destination index (%d)

Invalid destination index (%d)

Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)

Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Resolving hostname %s.

Connecting to %s.

Connecting to %s.

Socket Error # %d

Socket Error # %d

List capacity out of bounds (%d)

List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s'

Invalid data type for '%s'

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

6x7aj.exe_2632_rwx_01611000_0010D000:

kernel32.dll

kernel32.dll

Windows

Windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

oleaut32.dll

EVariantBadIndexError

EVariantBadIndexError

ssShift

ssShift

htKeyword

htKeyword

EInvalidOperation

EInvalidOperation

u%CNu

u%CNu

%s[%d]

%s[%d]

%s_%d

%s_%d

EIdCanNotBindPortInRange

EIdCanNotBindPortInRange

EIdInvalidPortRange\wc

EIdInvalidPortRange\wc

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas

WS2_32.DLL

WS2_32.DLL

MSWSOCK.DLL

MSWSOCK.DLL

getservbyport

getservbyport

WSAAsyncGetServByPort

WSAAsyncGetServByPort

WSAJoinLeaf

WSAJoinLeaf

WSARecvMsg

WSARecvMsg

WSASendMsg

WSASendMsg

Wship6.dll

Wship6.dll

Fwpuclnt.dll

Fwpuclnt.dll

TIdSocketListWindows

TIdSocketListWindows

TIdStackWindowsU

TIdStackWindowsU

Kernel32.dll

Kernel32.dll

EIdIPVersionUnsupportedP

EIdIPVersionUnsupportedP

127.0.0.1

127.0.0.1

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas

EIdPortRequired

EIdPortRequired

EIdTCPConnectionError

EIdTCPConnectionError

EIdObjectTypeNotSupported

EIdObjectTypeNotSupported

ftpTransfer

ftpTransfer

ftpReady

ftpReady

ftpAborted

ftpAborted

PortT

PortT

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas

ClientPortMin

ClientPortMin

ClientPortMax

ClientPortMax

Port|

Port|

"EIdTransparentProxyUDPNotSupported

"EIdTransparentProxyUDPNotSupported

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas

%EIdSocksUDPNotSupportedBySOCKSVersion

%EIdSocksUDPNotSupportedBySOCKSVersion

saUsernamePassword

saUsernamePassword

Password

Password

PortD

PortD

0.0.0.1

0.0.0.1

0.0.0.0

0.0.0.0

BoundPort

BoundPort

DefaultPortD

DefaultPortD

TIdTCPConnection

TIdTCPConnection

TIdTCPConnectionX

TIdTCPConnectionX

IdTCPConnection

IdTCPConnection

TIdTCPClientCustom

TIdTCPClientCustom

IdTCPClient

IdTCPClient

TIdTCPClient

TIdTCPClient

TIdTCPClientH

TIdTCPClientH

BoundPortT

BoundPortT

ole32.dll

ole32.dll

EInvalidGraphicOperation

EInvalidGraphicOperation

Please contact Cyber-Software support

Please contact Cyber-Software support

shlwapi.dll

shlwapi.dll

WbemScripting.SWbemLocator

WbemScripting.SWbemLocator

%s\%s

%s\%s

SELECT * FROM %s

SELECT * FROM %s

pathToSignedProductExe

pathToSignedProductExe

pathToSignedReportingExe

pathToSignedReportingExe

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

uxtheme.dll

uxtheme.dll

MAPI32.DLL

MAPI32.DLL

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

JumpID("","%s")

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

HelpKeyword

HelpKeyword

crSQLWait

crSQLWait

%s (%s)

%s (%s)

imm32.dll

imm32.dll

AutoHotkeys

AutoHotkeys

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

KeyPreview

KeyPreview

WindowState

WindowState

OnKeyDown46g

OnKeyDown46g

OnKeyPress

OnKeyPress

OnKeyUp

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

User32.dll

User32.dll

TWebcam

TWebcam

SetupApi.dll

SetupApi.dll

SetupDiOpenClassRegKey

SetupDiOpenClassRegKey

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExW

SetupDiOpenClassRegKeyExW

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiOpenDeviceInterfaceRegKey

SetupDiOpenDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyW

SetupDiCreateDevRegKeyW

SetupDiOpenDevRegKey

SetupDiOpenDevRegKey

SetupDiDeleteDevRegKey

SetupDiDeleteDevRegKey

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

ISO_646.irv:1991

ISO_646.irv:1991

ISO_646.basic:1983

ISO_646.basic:1983

ISO_646.irv:1983

ISO_646.irv:1983

csISO16Portuguese

csISO16Portuguese

csISO84Portuguese2

csISO84Portuguese2

windows-936

windows-936

csShiftJIS

csShiftJIS

windows-874

windows-874

ISO-8859-1-Windows-3.0-Latin-1

ISO-8859-1-Windows-3.0-Latin-1

csWindows30Latin1

csWindows30Latin1

ISO-8859-1-Windows-3.1-Latin-1

ISO-8859-1-Windows-3.1-Latin-1

csWindows31Latin1

csWindows31Latin1

ISO-8859-2-Windows-Latin-2

ISO-8859-2-Windows-Latin-2

csWindows31Latin2

csWindows31Latin2

ISO-8859-9-Windows-Latin-5

ISO-8859-9-Windows-Latin-5

csWindows31Latin5

csWindows31Latin5

csMicrosoftPublishing

csMicrosoftPublishing

Windows-31J

Windows-31J

csWindows31J

csWindows31J

PTCP154

PTCP154

csPTCP154

csPTCP154

windows-1250

windows-1250

windows-1251

windows-1251

windows-1252

windows-1252

windows-1253

windows-1253

windows-1254

windows-1254

windows-1255

windows-1255

windows-1256

windows-1256

windows-1257

windows-1257

windows-1258

windows-1258

HTTP-EQUIV

HTTP-EQUIV

()@,;:\"./

()@,;:\"./

()@,;:\"/[]?=

()@,;:\"/[]?=

()@,;:\"/[]?={}

()@,;:\"/[]?={}

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas

EIdTCPNoOnExecute

EIdTCPNoOnExecute

TIdTCPServer

TIdTCPServer

TIdTCPServerX

TIdTCPServerX

IdTCPServer

IdTCPServer

OnExecute

OnExecute

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas

%s User

%s User

IdCustomTCPServer

IdCustomTCPServer

TIdCustomTCPServer

TIdCustomTCPServer

DefaultPort

DefaultPort

EIdTCPServerError

EIdTCPServerError

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas

CmdDelimiter

CmdDelimiter

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas

Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas

'TIdCmdTCPServerAfterCommandHandlerEvent

'TIdCmdTCPServerAfterCommandHandlerEvent

TIdCmdTCPServer

TIdCmdTCPServer

(TIdCmdTCPServerBeforeCommandHandlerEvent

(TIdCmdTCPServerBeforeCommandHandlerEvent

IdCmdTCPServer

IdCmdTCPServer

Displays commands that the servers supports.

Displays commands that the servers supports.

TIdTCPStream

TIdTCPStream

IdRead() method of TIdTCPStream class does not support seeking

IdRead() method of TIdTCPStream class does not support seeking

TIdHTTPProxyTransferMode

TIdHTTPProxyTransferMode

TIdHTTPProxyServerContextt

TIdHTTPProxyServerContextt

TIdHTTPProxyServerContext$

TIdHTTPProxyServerContext$

TOnHTTPContextEvent

TOnHTTPContextEvent

TIdHTTPProxyServerContext

TIdHTTPProxyServerContext

TOnHTTPDocument

TOnHTTPDocument

TIdHTTPProxyServer

TIdHTTPProxyServer

OnHTTPBeforeCommand

OnHTTPBeforeCommand

OnHTTPResponse

OnHTTPResponse

OnHTTPDocument

OnHTTPDocument

HTTP/1.0

HTTP/1.0

HTTP/1.0 200 Connection established

HTTP/1.0 200 Connection established

HNetCfg.FwMgr

HNetCfg.FwMgr

HNetCfg.FwAuthorizedApplication

HNetCfg.FwAuthorizedApplication

PSAPI.dll

PSAPI.dll

TWebcamThread

TWebcamThread

Uh.Uk

Uh.Uk

789:;

789:;

iphlpapi.dll

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

SetTcpEntry

GetExtendedTcpTable

GetExtendedTcpTable

GetExtendedUdpTable

GetExtendedUdpTable

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

TSendKey

TSendKey

sqlite3_bind_blob

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_text

sqlite3_bind_double

sqlite3_bind_double

sqlite3_bind_int

sqlite3_bind_int

sqlite3_bind_int64

sqlite3_bind_int64

sqlite3_bind_null

sqlite3_bind_null

sqlite3_bind_parameter_index

sqlite3_bind_parameter_index

sqlite3_open

sqlite3_open

sqlite3_close

sqlite3_close

sqlite3_errmsg

sqlite3_errmsg

sqlite3_free

sqlite3_free

sqlite3_prepare_v2

sqlite3_prepare_v2

sqlite3_column_count

sqlite3_column_count

sqlite3_column_name

sqlite3_column_name

sqlite3_column_decltype

sqlite3_column_decltype

sqlite3_step

sqlite3_step

sqlite3_column_blob

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_bytes

sqlite3_column_double

sqlite3_column_double

sqlite3_column_text

sqlite3_column_text

sqlite3_column_type

sqlite3_column_type

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_reset

sqlite3_reset

ESQLiteException

ESQLiteException

TSQLiteDatabaseD

TSQLiteDatabaseD

TSQLiteTable

TSQLiteTable

Failed to open database "%s" : %s

Failed to open database "%s" : %s

Failed to open database "%s" : unknown error

Failed to open database "%s" : unknown error

Error executing SQL

Error executing SQL

Could not prepare SQL statement

Could not prepare SQL statement

Error executing SQL statement

Error executing SQL statement

SQLite is Busy

SQLite is Busy

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

1234567890.

1234567890.

mozsqlite3.dll

mozsqlite3.dll

sqlite3.dll

sqlite3.dll

mozcrt19.dll

mozcrt19.dll

msvcr100.dll

msvcr100.dll

mozglue.dll

mozglue.dll

mozutils.dll

mozutils.dll

nspr4.dll

nspr4.dll

plc4.dll

plc4.dll

plds4.dll

plds4.dll

nssutil3.dll

nssutil3.dll

nss3.dll

nss3.dll

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\profiles.ini

\Mozilla\Firefox\

\Mozilla\Firefox\

signons.sqlite

signons.sqlite

SELECT * FROM moz_logins

SELECT * FROM moz_logins

encryptedPassword

encryptedPassword

Microsoft\Network\Connections\pbk\rasphone.pbk

Microsoft\Network\Connections\pbk\rasphone.pbk

rasapi32.dll

rasapi32.dll

rnaph.dll

rnaph.dll

RAS Passwords

RAS Passwords

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

Ps_Passwords

Ps_Passwords

advapi32.dll

advapi32.dll

WindowsLive:name=*

WindowsLive:name=*

\Mozilla Firefox\

\Mozilla Firefox\

MSVCR100.dll

MSVCR100.dll

softokn3.dll

softokn3.dll

userenv.dll

userenv.dll

profiles.ini

profiles.ini

\signons3.txt

\signons3.txt

\signons2.txt

\signons2.txt

\signons1.txt

\signons1.txt

\signons.txt

\signons.txt

ps_SafariPasswordRecovery

ps_SafariPasswordRecovery

AVURLProtocol_Classic

AVURLProtocol_Classic

\Apple Computer\Preferences\keychain.plist

\Apple Computer\Preferences\keychain.plist

\Apple\Apple Application Support\CFNetwork.dll

\Apple\Apple Application Support\CFNetwork.dll

hXXp://

hXXp://

PTF://

PTF://

*PTF://

*PTF://

hXXps://

hXXps://

Shell.Application

Shell.Application

hXXp://cyber-sec.org/email/asp/email.php?email=

hXXp://cyber-sec.org/email/asp/email.php?email=

TMemoryOperation

TMemoryOperation

%sysdir%\

%sysdir%\

%serverpath%\

%serverpath%\

%sysdir%

%sysdir%

%serverpath%

%serverpath%

Proxy Bypass

Proxy Bypass

ntdll.dll

ntdll.dll

TPasswordItem

TPasswordItem

TArrayPasswod

TArrayPasswod

Crypt32.dll

Crypt32.dll

shell32.dll

shell32.dll

Advapi32.dll

Advapi32.dll

SOFTWARE\MOZILLA\MOZILLA FIREFOX

SOFTWARE\MOZILLA\MOZILLA FIREFOX

SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main

SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main

select * from moz_logins

select * from moz_logins

Firefox

Firefox

SOFTWARE\MOZILLA\MOZILLA FIREFOX\

SOFTWARE\MOZILLA\MOZILLA FIREFOX\

\Flock\Browser\profiles.ini

\Flock\Browser\profiles.ini

Flock-Firefox

Flock-Firefox

\1-abc\personal calendar\sqlite3.dll

\1-abc\personal calendar\sqlite3.dll

\clipdiary\sqlite3.dll

\clipdiary\sqlite3.dll

\conceptworld\recentx\sqlite3.dll

\conceptworld\recentx\sqlite3.dll

\darq software\transmute\sqlite3.dll

\darq software\transmute\sqlite3.dll

\delphish\sqlite3.dll

\delphish\sqlite3.dll

\ditto\sqlite3.dll

\ditto\sqlite3.dll

\du meter\sqlite3.dll

\du meter\sqlite3.dll

\fcleaner\sqlite3.dll

\fcleaner\sqlite3.dll

\file seeker\sqlite3.dll

\file seeker\sqlite3.dll

\flashnote\sqlite3.dll

\flashnote\sqlite3.dll

\flashpaste\sqlite3.dll

\flashpaste\sqlite3.dll

\gorecord\sqlite3.dll

\gorecord\sqlite3.dll

\gorecord2\sqlite3.dll

\gorecord2\sqlite3.dll

\linkcollector portable\sqlite3.dll

\linkcollector portable\sqlite3.dll

\ma-config.com\sqlite3.dll

\ma-config.com\sqlite3.dll

\macrovirus\sqlite3.dll

\macrovirus\sqlite3.dll

\msnsniffer2\sqlite3.dll

\msnsniffer2\sqlite3.dll

\notecable\sqlite3.dll

\notecable\sqlite3.dll

\nzbleecher\sqlite3.dll

\nzbleecher\sqlite3.dll

\outlook express\sqlite3.dll

\outlook express\sqlite3.dll

\page update watcher\sqlite3.dll

\page update watcher\sqlite3.dll

\pipi\sqlite3.dll

\pipi\sqlite3.dll

\qloud\sqlite3.dll

\qloud\sqlite3.dll

\qloud\winamp\sqlite3.dll

\qloud\winamp\sqlite3.dll

\qloud\windows media player\sqlite3.dll

\qloud\windows media player\sqlite3.dll

\recordtheradio\sqlite3.dll

\recordtheradio\sqlite3.dll

\rightload\sqlite3.dll

\rightload\sqlite3.dll

\smm\funny sms10\sqlite3.dll

\smm\funny sms10\sqlite3.dll

\smm\simple mail 7\sqlite3.dll

\smm\simple mail 7\sqlite3.dll

\spiceworks\bin\sqlite3.dll

\spiceworks\bin\sqlite3.dll

\spyware-secure\sqlite3.dll

\spyware-secure\sqlite3.dll

\timelog\sqlite3.dll

\timelog\sqlite3.dll

\video2webcam\sqlite3.dll

\video2webcam\sqlite3.dll

\webmarkers\sqlite3.dll

\webmarkers\sqlite3.dll

\webmediaplayer\sqlite3.dll

\webmediaplayer\sqlite3.dll

\windows media player\plugins\qloud\sqlite3.dll

\windows media player\plugins\qloud\sqlite3.dll

\Mozilla Firefox\sqlite3.dll

\Mozilla Firefox\sqlite3.dll

\VirusGuardPlus\sqlite3.dll

\VirusGuardPlus\sqlite3.dll

\Safari\sqlite3.dll

\Safari\sqlite3.dll

\AIMP2\sqlite3.dll

\AIMP2\sqlite3.dll

\Live-Player\sqlite3.dll

\Live-Player\sqlite3.dll

\TrustedProtection\sqlite3.dll

\TrustedProtection\sqlite3.dll

\PCTotalDefender\sqlite3.dll

\PCTotalDefender\sqlite3.dll

\Common Files\eEye Digital Security\Application Bus\sqlite3.dll

\Common Files\eEye Digital Security\Application Bus\sqlite3.dll

Windows Live Messenger

Windows Live Messenger

DynDNS\Updater\config.dyndns

DynDNS\Updater\config.dyndns

Password=

Password=

Software\DownloadManager\Passwords

Software\DownloadManager\Passwords

Software\DownloadManager\Passwords\

Software\DownloadManager\Passwords\

EncPassword

EncPassword

YLoginWnd

YLoginWnd

FileZilla\recentservers.xml

FileZilla\recentservers.xml

FileZilla\sitemanager.xml

FileZilla\sitemanager.xml

FileZilla\filezilla.xml

FileZilla\filezilla.xml

.purple\accounts.xml

.purple\accounts.xml

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

trillian.ini

trillian.ini

accounts.ini

accounts.ini

password

password

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian

Trillian\trillian.exe

Trillian\trillian.exe

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

###@@@!!!

###@@@!!!

IMAP Password

IMAP Password

IMAP Password:

IMAP Password:

POP3 Password

POP3 Password

POP3 Password:

POP3 Password:

HNetCfg.NATUPnP

HNetCfg.NATUPnP

StaticPortMappingCollection

StaticPortMappingCollection

Uh%Fm

Uh%Fm

TCpuUsageU

TCpuUsageU

##,##0.00

##,##0.00

TNewFTPThreadU

TNewFTPThreadU

TPasswordU

TPasswordU

SHFileOperationW

SHFileOperationW

.hd'n

.hd'n

.hd*n

.hd*n

%s %s

%s %s

Windows NT %d.%d

Windows NT %d.%d

%s %s Server

%s %s Server

Unknown Platform ID (%d)

Unknown Platform ID (%d)

%d.%d

%d.%d

%s [Build: %d

%s [Build: %d

- Service Pack: %s

- Service Pack: %s

KERNEL32.DLL

KERNEL32.DLL

TIdTCPClientNewp

TIdTCPClientNewp

TIdTCPClientNew

TIdTCPClientNew

1.2.3

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

inflate 1.2.3 Copyright 1995-2005 Mark Adler

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

com.apple.Safari

com.apple.Safari

com.apple.Safari0123456789ABCDEF

com.apple.Safari0123456789ABCDEF

1iu2.iu

1iu2.iu

333333333333333333

333333333333333333

33333833

33333833

3333339

3333339

3333333333333338

3333333333333338

:*"*"$3338

:*"*"$3338

3333333

3333333

33333333

33333333

33333333333

33333333333

3333333333338

3333333333338

33338?383

33338?383

333333333333

333333333333

:*3:"$3338

:*3:"$3338

333333333333333

333333333333333

KWindows

KWindows

IdStackWindows

IdStackWindows

Sr_StartWebcam

Sr_StartWebcam

UrlMon

UrlMon

UnitWebcamAPI

UnitWebcamAPI

IdTCPStream

IdTCPStream

IdTCPServer

IdTCPServer

Sr_Windows

Sr_Windows

Cm_Keylogger

Cm_Keylogger

~Sr_Ports

~Sr_Ports

}Unitsndkey32

}Unitsndkey32

Vps_FireFox3_5

Vps_FireFox3_5

SQLiteTable3

SQLiteTable3

SQLite3

SQLite3

Ps_IEpasswords

Ps_IEpasswords

ps_URLHistory

ps_URLHistory

FPs_PasswordRecovery

FPs_PasswordRecovery

Ps_OperaPasswords

Ps_OperaPasswords

Sr_MemoryEXE

Sr_MemoryEXE

Sr_MemoryExecuteFunctions

Sr_MemoryExecuteFunctions

U_GrabFirefox10

U_GrabFirefox10

YU_GrabFirefox8

YU_GrabFirefox8

6U_GrabFirefox

6U_GrabFirefox

\U_GrabChrome

\U_GrabChrome

U_GrabFirefox15

U_GrabFirefox15

U_Grabfirefox22

U_Grabfirefox22

{IdCmdTCPClient

{IdCmdTCPClient

SetNamedPipeHandleState

SetNamedPipeHandleState

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

CreatePipe

CreatePipe

RegQueryInfoKeyA

RegQueryInfoKeyA

RegOpenKeyExW

RegOpenKeyExW

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyW

RegOpenKeyW

RegOpenKeyA

RegOpenKeyA

RegFlushKey

RegFlushKey

RegEnumKeyExW

RegEnumKeyExW

RegEnumKeyExA

RegEnumKeyExA

RegDeleteKeyW

RegDeleteKeyW

RegCreateKeyExW

RegCreateKeyExW

RegCreateKeyExA

RegCreateKeyExA

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

CryptImportKey

CryptImportKey

CryptSetKeyParam

CryptSetKeyParam

CryptDestroyKey

CryptDestroyKey

SetViewportOrgEx

SetViewportOrgEx

GdiplusShutdown

GdiplusShutdown

ShellExecuteW

ShellExecuteW

FindExecutableW

FindExecutableW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToFileW

URLDownloadToFileW

keybd_event

keybd_event

VkKeyScanW

VkKeyScanW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

SetWindowsHookExA

SetWindowsHookExA

SetKeyboardState

SetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyW

MapVirtualKeyA

MapVirtualKeyA

LoadKeyboardLayoutA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyNameTextA

GetKeyNameTextA

ExitWindowsEx

ExitWindowsEx

EnumWindows

EnumWindows

EnumThreadWindows

EnumThreadWindows

ActivateKeyboardLayout

ActivateKeyboardLayout

GetKeyboardType

GetKeyboardType

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

InternetOpenUrlW

InternetOpenUrlW

InternetOpenUrlA

InternetOpenUrlA

HttpQueryInfoA

HttpQueryInfoA

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

[E.MyFull

[E.MyFull

-!GA?EXE

-!GA?EXE

LMsg

LMsg

AVICAP32.DLL

AVICAP32.DLL

crypt32.dll

crypt32.dll

gdi32.dll

gdi32.dll

gdiplus.dll

gdiplus.dll

mpr.dll

mpr.dll

msacm32.dll

msacm32.dll

powrprof.dll

powrprof.dll

pstorec.dll

pstorec.dll

URLMON.DLL

URLMON.DLL

user32.dll

user32.dll

version.dll

version.dll

wininet.dll

wininet.dll

winmm.dll

winmm.dll

wsock32.dll

wsock32.dll

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

Portugal

Portugal

Turkey

Turkey

WEBCAM

WEBCAM

*#%"{}|\^[]`

*#%"{}|\^[]`

uploadandexecute

uploadandexecute

uploadandexecuteyes|

uploadandexecuteyes|

uploadandexecuteno|

uploadandexecuteno|

webcam|webcamstream|

webcam|webcamstream|

webcam|webcamstop|

webcam|webcamstop|

webcamstart

webcamstart

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

CyberGateKeylogger

CyberGateKeylogger

software\microsoft\windows\currentversion\uninstall\

software\microsoft\windows\currentversion\uninstall\

Invalid Key Name

Invalid Key Name

Invalid KeyName

Invalid KeyName

%Username%

%Username%

%Country%

%Country%

Úte%

Úte%

FirstExecution

FirstExecution

keylogger|keyloggeronlinekey|

keylogger|keyloggeronlinekey|

keylogger|keyloggerativar|T|

keylogger|keyloggerativar|T|

keylogger|keyloggerativar|F|

keylogger|keyloggerativar|F|

webcamlist|

webcamlist|

webcam

webcam

filemanager|fmsendftpyes|

filemanager|fmsendftpyes|

filemanager|fmsendftpno|

filemanager|fmsendftpno|

FIREFOX2|

FIREFOX2|

FIREFOX8|

FIREFOX8|

FIREFOX10|

FIREFOX10|

FIREFOX15|

FIREFOX15|

FIREFOX22|

FIREFOX22|

\Opera\Opera\wand.dat

\Opera\Opera\wand.dat

OPERA|

OPERA|

\Google\Chrome\User Data\Default\Login Data

\Google\Chrome\User Data\Default\Login Data

CHROME|

CHROME|

\Google\Chrome\User Data\Default\Web Data

\Google\Chrome\User Data\Default\Web Data

getpasswords

getpasswords

downexec

downexec

openweb

openweb

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\

fmexecnormal

fmexecnormal

filemanager|fmexecnormal|

filemanager|fmexecnormal|

fmexechide

fmexechide

filemanager|fmexechide|

filemanager|fmexechide|

fmexecparam

fmexecparam

filemanager|fmexecparam|F|

filemanager|fmexecparam|F|

filemanager|fmexecparam|T|

filemanager|fmexecparam|T|

fmsendftp

fmsendftp

filemanager|fmsendftp|

filemanager|fmsendftp|

listarportas

listarportas

listarportas|listadeportasativas|

listarportas|listadeportasativas|

listarportasdns

listarportasdns

listarportas|finalizarconexao|

listarportas|finalizarconexao|

finalizarprocessoportas

finalizarprocessoportas

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|N|

listarportas|finalizarprocessoportas|N|

tecaladoexecutar

tecaladoexecutar

webcamconfig

webcamconfig

keylogger

keylogger

keylogger|keyloggeronlinestart|

keylogger|keyloggeronlinestart|

keylogger|keyloggeronlinestop|

keylogger|keyloggeronlinestop|

keyloggerativar

keyloggerativar

keyloggerdesativar

keyloggerdesativar

keyloggerbaixar

keyloggerbaixar

keylogger|keyloggerbaixar|

keylogger|keyloggerbaixar|

keylogger|keyloggerbaixar|NOLOGS

keylogger|keyloggerbaixar|NOLOGS

keyloggerexcluir

keyloggerexcluir

keylogger|keyloggerexcluir|

keylogger|keyloggerexcluir|

keyloggeronlinestart

keyloggeronlinestart

keyloggeronlinestop

keyloggeronlinestop

chromepass

chromepass

chromepass|

chromepass|

keysearch

keysearch

keysearch|NO

keysearch|NO

keysearch|YES

keysearch|YES

sendkeyswindow

sendkeyswindow

enviarlogskey

enviarlogskey

enviarlogskey|

enviarlogskey|

rar.exe

rar.exe

rarreg.key

rarreg.key

vs.vbs

vs.vbs

bs.bat

bs.bat

memoryexecoperation

memoryexecoperation

TeamViewer.exe

TeamViewer.exe

TeamViewer_Resource.dll

TeamViewer_Resource.dll

TV.dll

TV.dll

x.html

x.html

Windows 3.1

Windows 3.1

Windows 95 (Release 2)

Windows 95 (Release 2)

Windows 95

Windows 95

Windows 98 SE

Windows 98 SE

Windows 98

Windows 98

Windows ME

Windows ME

Windows 8

Windows 8

Windows 7

Windows 7

Windows Vista

Windows Vista

Windows XP Professional x64

Windows XP Professional x64

Windows XP Home

Windows XP Home

Windows XP Professional

Windows XP Professional

Windows 2000 Professional

Windows 2000 Professional

Windows 2008

Windows 2008

Windows 2003 Server Datacenter

Windows 2003 Server Datacenter

Windows 2003 Server Enterprise

Windows 2003 Server Enterprise

Windows 2003 Server Web Edition

Windows 2003 Server Web Edition

Windows 2003 Server

Windows 2003 Server

Windows Home Server

Windows Home Server

Windows 2003 Server (Release 2)

Windows 2003 Server (Release 2)

Windows 2000 Server Datacenter

Windows 2000 Server Datacenter

Windows 2000 Server Enterprise

Windows 2000 Server Enterprise

Windows 2000 Server Web Edition

Windows 2000 Server Web Edition

Windows 2000 Server

Windows 2000 Server

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server

Windows NT 4.0 Server

SelfDelete.bat

SelfDelete.bat

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Windows

Software\Microsoft\Windows NT\CurrentVersion\Windows

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

explorer.exe

explorer.exe

\Microsoft\Windows\

\Microsoft\Windows\

CYBERGATEPASS

CYBERGATEPASS

k4l1m3r4.publicvm.com

k4l1m3r4.publicvm.com

wins10up.16-b.it

wins10up.16-b.it

UIAutomsslwin.moneyhome.biz

UIAutomsslwin.moneyhome.biz

c0pywins.is-not-certified.com

c0pywins.is-not-certified.com

UIAutomh1h1tl3r.click

UIAutomh1h1tl3r.click

-certified.com

-certified.com

%USECRYPTER%

%USECRYPTER%

2.5.2.0

2.5.2.0

webcamlizUB8dknwCPERSIST

webcamlizUB8dknwCPERSIST

ertified.com

ertified.com

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

ftppass

ftppass

pong|35953|Borrador Memorial de Aportaci

pong|35953|Borrador Memorial de Aportaci

hXXp://VVV.myserver.com/serverplugin.srv

hXXp://VVV.myserver.com/serverplugin.srv

hXXp://VVV.somehosting.com/tagger.php

hXXp://VVV.somehosting.com/tagger.php

C @ JAIME].ini

C @ JAIME].ini

Express.xlsx

Express.xlsx

ache_idx.db!018

ache_idx.db!018

Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs

Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs

DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version%

DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version%

ques y ahorro.pdfn

ques y ahorro.pdfn

example@email.com

example@email.com

No help keyword specified.

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Unsupported clipboard format

Unsupported clipboard format

Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.

Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.

Reply Code is not valid: %s

Reply Code is not valid: %s

Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.

Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event.

Command not supported.

Command not supported.

Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)

Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d)

File "%s" not found

File "%s" not found

Object type not supported.

Object type not supported.

%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.

%s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.

Set Size Exceeded.)UDP is not support in this SOCKS version.

Set Size Exceeded.)UDP is not support in this SOCKS version.

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.

Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)

Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

Invalid Port Range (%d - %d)

Invalid Port Range (%d - %d)

%s is not a valid service.

%s is not a valid service.

"Operation not supported on socket.

"Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

Protocol family not supported.0Address family not supported by protocol family.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Operation would block.

Operation would block.

Operation now in progress.

Operation now in progress.

Operation already in progress.

Operation already in progress.

Socket operation on non-socket.

Socket operation on non-socket.

Protocol not supported.

Protocol not supported.

Socket type not supported.

Socket type not supported.

Invalid destination array"Character index out of bounds (%d)

Invalid destination array"Character index out of bounds (%d)

Start index out of bounds (%d)

Start index out of bounds (%d)

Invalid count (%d)

Invalid count (%d)

Invalid destination index (%d)

Invalid destination index (%d)

Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)

Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s)

Resolving hostname %s.

Resolving hostname %s.

Connecting to %s.

Connecting to %s.

Socket Error # %d

Socket Error # %d

List capacity out of bounds (%d)

List capacity out of bounds (%d)

List count out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to get data for '%s'

Resource %s not found

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Property %s does not exist

Thread creation error: %s

Thread creation error: %s

Thread Error: %s (%d)

Thread Error: %s (%d)

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot create file "%s". %s

Cannot open file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s'

Invalid data type for '%s'

Ancestor for '%s' not found

Ancestor for '%s' not found

Cannot assign a %s to a %s

Cannot assign a %s to a %s

Interface not supported

Interface not supported

%s (%s, line %d)

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

Operation not supported

External exception %x

External exception %x

Invalid pointer operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

Operation aborted(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value('%s' is not a valid floating point value

!'%s' is not a valid integer value('%s' is not a valid floating point value

I/O error %d

I/O error %d

Integer overflow Invalid floating point operation

Integer overflow Invalid floating point operation

xtp.exe_2764:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

s%j.Zf

s%j.Zf

8crtsu

8crtsu

:crts

:crts

crts

crts

.ku`8iu~fiu

.ku`8iu~fiu

GetProcessWindowStation

GetProcessWindowStation

operator

operator

uxtheme.dll

uxtheme.dll

kernel32.dll

kernel32.dll

operand of unlimited repeat could match the empty string

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

POSIX named classes are supported only within a class

erroffset passed as NULL

erroffset passed as NULL

POSIX collating elements are not supported

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N{name}, \U, or \u

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with PCRE_UCP support

this version of PCRE is not compiled with PCRE_UCP support

ICMP.DLL

ICMP.DLL

advapi32.dll

advapi32.dll

RegDeleteKeyExW

RegDeleteKeyExW

Error text not found (please report)

Error text not found (please report)

WSOCK32.dll

WSOCK32.dll

VERSION.dll

VERSION.dll

WINMM.dll

WINMM.dll

COMCTL32.dll

COMCTL32.dll

MPR.dll

MPR.dll

InternetCrackUrlW

InternetCrackUrlW

HttpQueryInfoW

HttpQueryInfoW

HttpOpenRequestW

HttpOpenRequestW

HttpSendRequestW

HttpSendRequestW

FtpOpenFileW

FtpOpenFileW

FtpGetFileSize

FtpGetFileSize

InternetOpenUrlW

InternetOpenUrlW

WININET.dll

WININET.dll

PSAPI.DLL

PSAPI.DLL

USERENV.dll

USERENV.dll

GetProcessHeap

GetProcessHeap

CreatePipe

CreatePipe

GetWindowsDirectoryW

GetWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

OpenWindowStationW

OpenWindowStationW

SetProcessWindowStation

SetProcessWindowStation

CloseWindowStation

CloseWindowStation

MapVirtualKeyW

MapVirtualKeyW

EnumChildWindows

EnumChildWindows

EnumWindows

EnumWindows

VkKeyScanW

VkKeyScanW

GetKeyState

GetKeyState

GetKeyboardState

GetKeyboardState

SetKeyboardState

SetKeyboardState

GetAsyncKeyState

GetAsyncKeyState

keybd_event

keybd_event

EnumThreadWindows

EnumThreadWindows

ExitWindowsEx

ExitWindowsEx

UnregisterHotKey

UnregisterHotKey

RegisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

GetKeyboardLayoutNameW

USER32.dll

USER32.dll

SetViewportOrgEx

SetViewportOrgEx

GDI32.dll

GDI32.dll

COMDLG32.dll

COMDLG32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegEnumKeyExW

RegEnumKeyExW

RegDeleteKeyW

RegDeleteKeyW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHFileOperationW

SHFileOperationW

ShellExecuteExW

ShellExecuteExW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

GetCPInfo

GetCPInfo

zcÁ

zcÁ

L.aVFY)

L.aVFY)

.ijjrc

.ijjrc

g%D`-

g%D`-

sssh6

sssh6

uW.MW

uW.MW

3.3/464(5,5054585

3.3/464(5,5054585

8 8$8(8,808

8 8$8(8,808

= =$=(=,=0=4=8=

= =$=(=,=0=4=8=

0 0$0(0,0004080

0 0$0(0,0004080

:*;3;?;|;

:*;3;?;|;

11

11

2 323[3.5

2 323[3.5

? ?@?`?

? ?@?`?

= =$=(=,=0=4=

= =$=(=,=0=4=

5 5$5(5,5054585

5 5$5(5,5054585

mscoree.dll

mscoree.dll

nKERNEL32.DLL

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

CMDLINERAW

CMDLINERAW

CMDLINE

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

%s (%d) : ==> %s.:

Line %d:

Line %d:

Line %d (File "%s"):

Line %d (File "%s"):

%s (%d) : ==> %s:

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

*.au3;*.a3x

All files (*.*)

All files (*.*)

#NoAutoIt3Execute

#NoAutoIt3Execute

APPSKEY

APPSKEY

Line %d:

Line %d:

04090000

04090000

%u.%u.%u.%u

%u.%u.%u.%u

0.0.0.0

0.0.0.0

Mddddd

Mddddd

%s (%d) : ==> %s:

%s (%d) : ==> %s:

UDPSTARTUP

UDPSTARTUP

UDPSHUTDOWN

UDPSHUTDOWN

UDPSEND

UDPSEND

UDPRECV

UDPRECV

UDPOPEN

UDPOPEN

UDPCLOSESOCKET

UDPCLOSESOCKET

UDPBIND

UDPBIND

TRAYGETMSG

TRAYGETMSG

TCPSTARTUP

TCPSTARTUP

TCPSHUTDOWN

TCPSHUTDOWN

TCPSEND

TCPSEND

TCPRECV

TCPRECV

TCPNAMETOIP

TCPNAMETOIP

TCPLISTEN

TCPLISTEN

TCPCONNECT

TCPCONNECT

TCPCLOSESOCKET

TCPCLOSESOCKET

TCPACCEPT

TCPACCEPT

SHELLEXECUTEWAIT

SHELLEXECUTEWAIT

SHELLEXECUTE

SHELLEXECUTE

REGENUMKEY

REGENUMKEY

MSGBOX

MSGBOX

ISKEYWORD

ISKEYWORD

HTTPSETUSERAGENT

HTTPSETUSERAGENT

HTTPSETPROXY

HTTPSETPROXY

HOTKEYSET

HOTKEYSET

GUIREGISTERMSG

GUIREGISTERMSG

GUIGETMSG

GUIGETMSG

GUICTRLSENDMSG

GUICTRLSENDMSG

GUICTRLRECVMSG

GUICTRLRECVMSG

FTPSETPROXY

FTPSETPROXY

\??\%s

\??\%s

GUI_RUNDEFMSG

GUI_RUNDEFMSG

SendKeyDelay

SendKeyDelay

SendKeyDownDelay

SendKeyDownDelay

TCPTimeout

TCPTimeout

AUTOITCALLVARIABLE%d

AUTOITCALLVARIABLE%d

255.255.255.255

255.255.255.255

Keyword

Keyword

AutoIt.Error

AutoIt.Error

Null Object assignment in FOR..IN loop

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

Incorrect Object type in FOR..IN loop

HOTKEYPRESSED

HOTKEYPRESSED

AUTOITEXE

AUTOITEXE

WINDOWSDIR

WINDOWSDIR

3, 3, 8, 1

3, 3, 8, 1

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_USERS

HKEY_USERS

%d/d/d

%d/d/d

C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo

C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

hXXp://VVV.autoitscript.com/autoit3/

hXXp://VVV.autoitscript.com/autoit3/

AutoIt3.exe

AutoIt3.exe