Trojan.VBS.Agent.AIY_15104a2195
Trojan.Win32.Xtrat.aahj (Kaspersky), Trojan.VBS.Agent.AIY (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS) Behaviour: Trojan, Worm, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 15104a2195987a4926ee31d447dfa8b3
SHA1: 8749afa04945cd5771768edb980d37f90954227c
SHA256: 176a25e7fc0d2cbea50dbd142c0aec38c593b1b43e47231a1dabbb2a362135b2
SSDeep: 12288:A3nZMhJ ubNiRKPMn8WiScA/PAb0TwPRjNOs33h57x8/wzSIcEmVdXS:A3nZqfbpPM8Sc10QjNOW7m/weIBoi
Size: 747632 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Xacti, LLC
Created at: 2012-02-17 16:55:21
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
dvl07.exe:328
dvl07.exe:3448
csc.exe:4008
WScript.exe:3556
WScript.exe:3516
108.exe:532
RegSvcs.exe:3904
RegSvcs.exe:3332
RegSvcs.exe:1936
RegSvcs.exe:1592
836.exe:3980
6x7aj.exe:676
6x7aj.exe:1480
file.exe:3348
file.exe:3336
rundll32.exe:3736
Javatmp2539891.exe:672
jfd.exe:1368
jfd.exe:2904
%original file name%.exe:3404
The Trojan injects its code into the following process(es):
csc.exe:3528
6x7aj.exe:2632
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process dvl07.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (0 bytes)
The process csc.exe:4008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\nAgLlf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Adovetmp35891[1].exe (124320 bytes)
C:\nAgLlfnAgLlf\nAgLlf.vbs (207 bytes)
C:\nAgLlfnAgLlf\x (5441 bytes)
C:\nAgLlfnAgLlf\nAgLlf.exe (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\836.exe (62167 bytes)
The process csc.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\PfMycVPfMycV\PfMycV.exe (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9666.tmp (2712 bytes)
C:\PfMycVPfMycV\PfMycV.vbs (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Adovetmp35891[1].exe (102417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\PfMycV (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9665.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\108.exe (44515 bytes)
C:\PfMycVPfMycV\x (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (1290 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9665.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9666.tmp (0 bytes)
The process WScript.exe:3556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\qto4z\file.exe (593 bytes)
The process 108.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\qto4z\53bym.vbs (90 bytes)
C:\Users\"%CurrentUserName%"\qto4z\file.exe (2488 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\qto4z\__tmp_rar_sfx_access_check_350050 (0 bytes)
The process RegSvcs.exe:3332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (0 bytes)
The process RegSvcs.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (0 bytes)
The process 836.exe:3980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xbq.jpg (209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tlq.txt (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xli.docx (713 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iol.mp4 (885 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wqr.icm (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tpg.ico (949 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\lka.mp4 (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wju.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iix.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\fwm.bmp (689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\nhu.mp3 (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ntr.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\smw.ppt (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wmd.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe (15154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\odo.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ele.ppt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\obc.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wiq.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qam.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\mva.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\upr.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\cbj.dat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hui.txt (123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hoo.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\vmh.ico (395 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\__tmp_rar_sfx_access_check_359785 (0 bytes)
The process 6x7aj.exe:676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (0 bytes)
The process file.exe:3348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\x (7410 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\__tmp_rar_sfx_access_check_350768 (0 bytes)
The process file.exe:3336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\x (6098 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\__tmp_rar_sfx_access_check_335776 (0 bytes)
The process rundll32.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60FRU4FC\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2Q082UPM\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R6ZYRE63\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z1KVGK69\desktop.ini (67 bytes)
The process Javatmp2539891.exe:672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bnk.mp3 (482 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vov.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bvf.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe (15154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ppo.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xor.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\anp.docx (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tlg.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\lsp.ico (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\wel.mp4 (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\frr.ppt (205 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sqg.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\idi.mp4 (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\igr.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vlc.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mqd.ico (515 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\fnq.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mfq.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ugx.mp3 (416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bis.icm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\abx.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ebw.txt (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\dir.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\rko.ppt (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sgm.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\uxs.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\exh.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tox.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bep.docx (776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\alr.ico (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\olk.xl (1 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\__tmp_rar_sfx_access_check_399612 (0 bytes)
The process jfd.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\AYKHP (97 bytes)
The process jfd.exe:2904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Javatmp2539891.exe (157922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\spd (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Javatmp2539891[1].exe (587707 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\AYKHP (0 bytes)
The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\h2x2x\file.exe (2488 bytes)
C:\Users\"%CurrentUserName%"\h2x2x\nktas.vbs (90 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\h2x2x\__tmp_rar_sfx_access_check_334372 (0 bytes)
Registry activity
The process dvl07.exe:328 makes changes in the system registry.
The Trojan deletes the following registry key(s):
[HKCU\Software\3448]
The process dvl07.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:22:27 PM"
[HKCU\Software\3448]
"Mutex" = "zUB8dknwC"
[HKCU\Software\zUB8dknwC]
"InstalledServer" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe"
The process csc.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nAgLlf" = "C:\nAgLlfnAgLlf\nAgLlf.vbs"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process csc.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\csc_RASMANCS]
"ConsoleTracingMask" = "4294901760"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PfMycV" = "C:\PfMycVPfMycV\PfMycV.vbs"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process WScript.exe:3556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process WScript.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 108.exe:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process RegSvcs.exe:3904 makes changes in the system registry.
The Trojan deletes the following registry key(s):
[HKCU\Software\3332]
The process RegSvcs.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:23:08 PM"
[HKCU\Software\3332]
"Mutex" = "zUB8dknwC"
[HKCU\Software\zUB8dknwC]
"InstalledServer" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
The process RegSvcs.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:23:13 PM"
"InstalledServer" = "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
[HKCU\Software\1936]
"Mutex" = "zUB8dknwC"
The process RegSvcs.exe:1592 makes changes in the system registry.
The Trojan deletes the following registry key(s):
[HKCU\Software\1936]
The process 836.exe:3980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 6x7aj.exe:676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\zUB8dknwC]
"ServerStarted" = "3/30/2017 16:22:17 PM"
"InstalledServer" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe"
[HKCU\Software\676]
"Mutex" = "zUB8dknwC"
The process 6x7aj.exe:2632 makes changes in the system registry.
The Trojan deletes the following registry key(s):
[HKCU\Software\676]
The process file.exe:3348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process file.exe:3336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Javatmp2539891.exe:672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process jfd.exe:2904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\jfd_RASAPI32]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdatemf" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| ea91e005c6920683a4526839f7745482 | c:\PfMycVPfMycV\PfMycV.exe |
| a984b83727565a4854b0d4834c99c38b | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Adovetmp35891[1].exe |
| 6f6323d9006f3a6ba57a86b78211a675 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Javatmp2539891[1].exe |
| 881873b613e3e0d7bf17a3c3f92fb52d | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Adovetmp35891[1].exe |
| a984b83727565a4854b0d4834c99c38b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\108.exe |
| 881873b613e3e0d7bf17a3c3f92fb52d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\836.exe |
| 6f6323d9006f3a6ba57a86b78211a675 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Javatmp2539891.exe |
| ea91e005c6920683a4526839f7745482 | c:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe |
| 71d8f6d5dc35517275bc38ebcc815f9f | c:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe |
| ea91e005c6920683a4526839f7745482 | c:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe |
| a3965bf24f188ba39e9defa8b4cb2d8b | c:\Users\"%CurrentUserName%"\h2x2x\file.exe |
| 0ca2e93b7e2fca0d242d7c284b49f7c5 | c:\Users\"%CurrentUserName%"\qto4z\file.exe |
| ea91e005c6920683a4526839f7745482 | c:\nAgLlfnAgLlf\nAgLlf.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dvl07.exe:328
dvl07.exe:3448
csc.exe:4008
WScript.exe:3556
WScript.exe:3516
108.exe:532
RegSvcs.exe:3904
RegSvcs.exe:3332
RegSvcs.exe:1936
RegSvcs.exe:1592
836.exe:3980
6x7aj.exe:676
6x7aj.exe:1480
file.exe:3348
file.exe:3336
rundll32.exe:3736
Javatmp2539891.exe:672
jfd.exe:1368
jfd.exe:2904
%original file name%.exe:3404 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.dat (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.svr (365 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\zUB8dknwC\zUB8dknwC.nfo (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\nAgLlf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Adovetmp35891[1].exe (124320 bytes)
C:\nAgLlfnAgLlf\nAgLlf.vbs (207 bytes)
C:\nAgLlfnAgLlf\x (5441 bytes)
C:\nAgLlfnAgLlf\nAgLlf.exe (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\836.exe (62167 bytes)
C:\PfMycVPfMycV\PfMycV.exe (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9666.tmp (2712 bytes)
C:\PfMycVPfMycV\PfMycV.vbs (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Adovetmp35891[1].exe (102417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\PfMycV (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9665.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\108.exe (44515 bytes)
C:\PfMycVPfMycV\x (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 (1290 bytes)
C:\Users\"%CurrentUserName%"\qto4z\file.exe (593 bytes)
C:\Users\"%CurrentUserName%"\qto4z\53bym.vbs (90 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xbq.jpg (209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tlq.txt (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\xli.docx (713 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iol.mp4 (885 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wqr.icm (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\tpg.ico (949 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\lka.mp4 (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wju.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\iix.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\fwm.bmp (689 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\nhu.mp3 (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ntr.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\smw.ppt (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wmd.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe (15154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\odo.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\ele.ppt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\obc.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\wiq.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qam.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\mva.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\upr.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\cbj.dat (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hui.txt (123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\hoo.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\vmh.ico (395 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\dvl07.exe (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\qto4z\x (7410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\6x7aj.exe (1853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\h2x2x\x (6098 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\60FRU4FC\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2Q082UPM\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R6ZYRE63\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z1KVGK69\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bnk.mp3 (482 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vov.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bvf.bmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe (15154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ppo.mp4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xor.pdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\anp.docx (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tlg.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\lsp.ico (490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\wel.mp4 (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\frr.ppt (205 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sqg.ico (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\idi.mp4 (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\igr.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\vlc.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mqd.ico (515 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\fnq.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\mfq.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ugx.mp3 (416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bis.icm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\abx.mp3 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\ebw.txt (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\dir.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\rko.ppt (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\sgm.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\uxs.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\exh.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\tox.ppt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\bep.docx (776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\alr.ico (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\olk.xl (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\AYKHP (97 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Javatmp2539891.exe (157922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\spd (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Javatmp2539891[1].exe (587707 bytes)
C:\Users\"%CurrentUserName%"\h2x2x\file.exe (2488 bytes)
C:\Users\"%CurrentUserName%"\h2x2x\nktas.vbs (90 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nAgLlf" = "C:\nAgLlfnAgLlf\nAgLlf.vbs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PfMycV" = "C:\PfMycVPfMycV\PfMycV.vbs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdatemf" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\jfd.exe C:\Users\"%CurrentUserName%"\AppData\Roaming\huw\qwf-nns" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 72754 | 73216 | 4.54393 | 6713f49bc050e40a4e491d5cf0444245 |
| .rdata | 77824 | 7221 | 7680 | 3.38071 | 76315cc3ce7c7f34b89c00e96fd3d919 |
| .data | 86016 | 87804 | 512 | 2.4627 | 6f9415022853d8e925bcb178dd62e322 |
| .CRT | 176128 | 16 | 512 | 0.152104 | d8690a66757c8eeab6988f4a858f4dcd |
| .rsrc | 180224 | 112620 | 112640 | 0.934972 | c9249bc5c25286bb68ccf41cc4520564 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://dryversdocumentsandfullcustomsoft.com/Adovetmp35891.exe |  192.185.135.72 |
| hxxp://dryversdocumentsandfullcloud.com/Adovetmp35891.exe | 192.185.39.254 |
| hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX+JrHYM= | |
| hxxp://dryversdocumentsandfullcloud.com/Javatmp2539891.exe | 192.185.39.254 |
| hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX+JrHYM= | 93.184.220.29 |
| www.google.com | 172.217.20.164 |
| dns.msftncsi.com | 131.107.255.255 |
| k4l1m3r4.publicvm.com |  187.189.61.175 |
| www.dropbox.com | 162.125.66.1 |
| wins10up.16-b.it | 189.149.244.162 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX+JrHYM= HTTP/1.1
Cache-Control: max-age = 517590
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 06:25:50 GMT
If-None-Match: "57ff28ee-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=172800
Content-Type: application/ocsp-response
Date: Thu, 30 Mar 2017 13:22:33 GMT
Etag: "58dca596-1d7"
Expires: Thu, 06 Apr 2017 01:22:33 GMT
Last-Modified: Thu, 30 Mar 2017 06:28:38 GMT
Server: ECS (fcn/41D2)
X-Cache: HIT
Content-Length: 471
0..........0..... .....0......0...0.......>.i...G...&....cd ...20170329220000Z0s0q0I0... ............(..A...B..G@B.X....>.i...G...&....cd ....y.D.... .a_.k......20170329220000Z....20170405220000Z0...*.H..............F.C..Z.....tJ....N......0;..M.h.C......2P ..J&M.{~.y...m....j....6.>.-....R;....v..z.R.&..CE...q..#..(......o.k.5..>s.....rZ...........<.[..d.....u..JF....].1.s.....R4.....~..E{..7t2...(.......Y.i....... v..0.............).}..,.]t.}G)..rW...V...;U..O%"[..HTTP/1.1 200 OK..Accept-Ranges: bytes..Cache-Control: public, max-age=172800..Content-Type: application/ocsp-response..Date: Thu, 30 Mar 2017 13:22:33 GMT..Etag: "58dca596-1d7"..Expires: Thu, 06 Apr 2017 01:22:33 GMT..Last-Modified: Thu, 30 Mar 2017 06:28:38 GMT..Server: ECS (fcn/41D2)..X-Cache: HIT..Content-Length: 471..0..........0..... .....0......0...0.......>.i...G...&....cd ...20170329220000Z0s0q0I0... ............(..A...B..G@B.X....>.i...G...&....cd ....y.D.... .a_.k......20170329220000Z....20170405220000Z0...*.H..............F.C..Z.....tJ....N......0;..M.h.C......2P ..J&M.{~.y...m....j....6.>.-....R;....v..z.R.&..CE...q..#..(......o.k.5..>s.....rZ...........<.[..d.....u..JF....].1.s.....R4.....~..E{..7t2...(.......Y.i....... v..0.............).}..,.]t.}G)..rW...V...;U..O%"[....
<<< skipped >>>
GET /Adovetmp35891.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dryversdocumentsandfullcloud.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 30 Mar 2017 13:22:22 GMT
Content-Type: application/x-msdownload
Content-Length: 1471344
Connection: keep-alive
Last-Modified: Wed, 29 Mar 2017 16:36:56 GMT
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............|...|...|.......|...}...|.......|.......|.......|.......|.......|.......|.Rich..|.........................PE..L...uM.O.................$...................@....@..................................................................\..3....L.......................................B...............................................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...$w...`.......F..............@....CRT.... ............H..............@..@.rsrc................J..............@..@..................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]^_....
<<< skipped >>>
GET /Adovetmp35891.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: dryversdocumentsandfullcustomsoft.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 30 Mar 2017 13:22:13 GMT
Server: Apache
Last-Modified: Tue, 28 Mar 2017 14:53:53 GMT
Accept-Ranges: bytes
Content-Length: 1018212
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f..{5..{5..{5...5..{5..z5(.{5...5..{5...5..{5...5..{5...5..{5...5..{5...5..{5Rich..{5........PE..L...Yj>O.....................N...............0....@..................................................................K..3...L<.......................................2...............................................0...............................text...2........................... ..`.rdata..5....0......."..............@..@.data....V...P.......@..............@....CRT.................B..............@..@.rsrc................D..............@..@..................................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]
<<< skipped >>>
GET /Javatmp2539891.exe HTTP/1.1
User-Agent: AutoIt
Host: dryversdocumentsandfullcloud.com
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Thu, 30 Mar 2017 13:22:57 GMT
Content-Type: application/x-msdownload
Content-Length: 1470465
Connection: keep-alive
Last-Modified: Wed, 29 Mar 2017 16:28:48 GMT
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............|...|...|.......|...}...|.......|.......|.......|.......|.......|.......|.Rich..|.........................PE..L...uM.O.................$...................@....@..................................................................\..3....L.......................................B...............................................@...............................text....#.......$.................. ..`.rdata.......@.......(..............@..@.data...$w...`.......F..............@....CRT.... ............H..............@..@.rsrc................J..............@..@..................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]^_....
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
SearchProtocolHost.exe_3428:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
ADVAPI32.dll
ADVAPI32.dll
ntdll.DLL
ntdll.DLL
KERNEL32.dll
KERNEL32.dll
msvcrt.dll
msvcrt.dll
USER32.dll
USER32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
TQUERY.DLL
TQUERY.DLL
MSSHooks.dll
MSSHooks.dll
IMM32.dll
IMM32.dll
SHLWAPI.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSLogin
SrchDSSPortManager
SrchDSSPortManager
SrchPHHttp
SrchPHHttp
SrchIndexerQuery
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerClient
SrchIndexerSchema
SrchIndexerSchema
Msidle.dll
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyW
RegDeleteKeyExW
RegDeleteKeyExW
8%uiP
8%uiP
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
tid="0x%x"
tid="0x%x"
pid="0x%x"
pid="0x%x"
tagname="%s"
tagname="%s"
tagid="0x%x"
tagid="0x%x"
el="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
time="d/d/d d:d:d.d"
logname="%s"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
SHELL32.dll
PROPSYS.dll
PROPSYS.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
ReportEventW
ReportEventW
_amsg_exit
_amsg_exit
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
SearchProtocolHost.pdb
2 2(20282|2
2 2(20282|2
4%5S5
4%5S5
Software\Microsoft\Windows Search
Software\Microsoft\Windows Search
https
https
kernel32.dll
kernel32.dll
msTracer.dll
msTracer.dll
msfte.dll
msfte.dll
lX-X-X-XX-XXXXXX
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
tquery.dll
tquery.dll
%s\%s
%s\%s
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
Windows Search Service
Windows Search Service
0xx
0xx
advapi32.dll
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
Software\Microsoft\Windows Search\Tracing\EventThrottleState
tagname="%S"
tagname="%S"
logname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s.mui
.\%s\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
SearchProtocolHost.exe
Windows
Windows
7.00.7601.17610
7.00.7601.17610
csc.exe_3528:
`.rsrc
`.rsrc
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
76487-644-3177037-23510
76487-644-3177037-23510
55274-640-2673064-23950
55274-640-2673064-23950
sbiedll.dll
sbiedll.dll
dbghelp.dll
dbghelp.dll
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
PSAPI.dll
PSAPI.dll
UnitKeylogger
UnitKeylogger
application/x-www-form-urlencoded
application/x-www-form-urlencoded
compatible; MSIE 7.0; Windows NT 5.1; SV1)
compatible; MSIE 7.0; Windows NT 5.1; SV1)
\SysWOW64\svchost.exe
\SysWOW64\svchost.exe
ProcessHacker.exe
ProcessHacker.exe
avk.bin
avk.bin
hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1
hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1
kprocesshacker.sys
kprocesshacker.sys
Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|
Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|
avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|
avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|
GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|
GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|
mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|
mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|
mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|
mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|
vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|
vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|
pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|
pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|
eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|
eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|
AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|
AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|
:\love.scr
:\love.scr
taskmgr.exe
taskmgr.exe
processhacker.exe
processhacker.exe
KILLPROCESSHACKER
KILLPROCESSHACKER
Wireshark.exe
Wireshark.exe
egui.exe
egui.exe
bdagent.exe
bdagent.exe
avguard.exe
avguard.exe
ollydbg.exe
ollydbg.exe
rstrui.exe
rstrui.exe
regedit.exe
regedit.exe
msconfig.exe
msconfig.exe
vmware.exe
vmware.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild
%Program Files% (x86)\Kaspersky Lab
%Program Files% (x86)\Kaspersky Lab
%Program Files%\Kaspersky Lab
%Program Files%\Kaspersky Lab
svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
:Zone.Identifier
:Zone.Identifier
c:\debugg
c:\debugg
on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1
on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1
avgui.exe
avgui.exe
C:\Users\
C:\Users\
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
avpui.exe
avpui.exe
ruta.txt
ruta.txt
%Program Files%\Bitdefender
%Program Files%\Bitdefender
%Program Files%\Trend Micro
%Program Files%\Trend Micro
C:\Windows\System32\werfault.exe
C:\Windows\System32\werfault.exe
iu2.iua
iu2.iua
KWindows
KWindows
UrlMon
UrlMon
GetCPInfo
GetCPInfo
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegCreateKeyA
RegCreateKeyA
ShellExecuteExA
ShellExecuteExA
URLDownloadToFileA
URLDownloadToFileA
GetKeyboardType
GetKeyboardType
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
KERNEL32.DLL
KERNEL32.DLL
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
shfolder.dll
shfolder.dll
URLMON.DLL
URLMON.DLL
user32.dll
user32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
List capacity out of bounds (%d)
List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s
Cannot open file "%s". %s
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
!'%s' is not a valid integer value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
csc.exe_3528_rwx_00400000_00024000:
`.rsrc
`.rsrc
kernel32.dll
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
76487-644-3177037-23510
76487-644-3177037-23510
55274-640-2673064-23950
55274-640-2673064-23950
sbiedll.dll
sbiedll.dll
dbghelp.dll
dbghelp.dll
oleaut32.dll
oleaut32.dll
EVariantBadIndexError
EVariantBadIndexError
PSAPI.dll
PSAPI.dll
UnitKeylogger
UnitKeylogger
application/x-www-form-urlencoded
application/x-www-form-urlencoded
compatible; MSIE 7.0; Windows NT 5.1; SV1)
compatible; MSIE 7.0; Windows NT 5.1; SV1)
\SysWOW64\svchost.exe
\SysWOW64\svchost.exe
ProcessHacker.exe
ProcessHacker.exe
avk.bin
avk.bin
hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1
hXXps://VVV.dropbox.com/s/vbnt8gud1d14zx8/avkplugin.bin?dl=1
kprocesshacker.sys
kprocesshacker.sys
Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|
Avast! Antivirus|aswRvrt|aswRdr|avastsvc.exe|AvastUI.exe|KLIM6|AVP|KLIF|klkbdflt|klmounflt|
avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|
avp.exe|avpui.exe|MBAMProtector|MBAMScheduler|MBAMService|MBAMSwissArmy|mbamgui.exe|mbam.exe|GDTdiInterceptor|GDBehave|
GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|
GDMnIcpt|GDScan.exe|AVKWCtl.exe|AVKTray.exe|GDSC.exe|McMPFSvc|mcpltsvc|mfetdi2k|McProxy|mfevtp|McNaiAnn|mfeavfk|mfefirek|mfehidk|
mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|
mfendisk|mfencbdc|mfencrk|mferkdet|mfendisk|mfefire|HomeNetSvc|McAPExe|cfwids|HipShieldK|mfeapfk|mfeavfk|mfecore|McSvHost.exe|McUICnt.exe|McItInfo.exe|
mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|
mcupdate.exe|MsMpSvc|MpFilter|msseces.exe|MsMpeng.exe|bdselfpr|VSSERV|UPDATESRV|helpsvc|bdagent.exe|seccenter.exe|updatesrv.exe|
vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|
vsserv.exe|TPSrv|PskSvcRetail|PavProc|NETFLTDI|NETIMFLT01060044|PSIMSVC|PSHost|PAVFNSVR|ShldDrv|psksvc.exe|iface.exe|PavFnSvr.exe|
pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|
pavsrvx86.exe|pavsrvx64.exe|AVENGINE.EXE|PsCtrlS.exe|psksvc.exe|SrvLoad.exe|PsImSvc.exe|ApVxdWin.exe|NCO|
eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|
eeCtrl|SRTSP|SymNetS|SymIRON|SymEFA|SymELAM|SymDS|SymEvent|NAV|NAV.exe|AntiVirWebService|AntiVirService|
AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|
AntiVirSchedulerService|Avipp|cfp.exe|avguard.exe|avshadow.exe|avgn|
:\love.scr
:\love.scr
taskmgr.exe
taskmgr.exe
processhacker.exe
processhacker.exe
KILLPROCESSHACKER
KILLPROCESSHACKER
Wireshark.exe
Wireshark.exe
egui.exe
egui.exe
bdagent.exe
bdagent.exe
avguard.exe
avguard.exe
ollydbg.exe
ollydbg.exe
rstrui.exe
rstrui.exe
regedit.exe
regedit.exe
msconfig.exe
msconfig.exe
vmware.exe
vmware.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild
%Program Files% (x86)\Kaspersky Lab
%Program Files% (x86)\Kaspersky Lab
%Program Files%\Kaspersky Lab
%Program Files%\Kaspersky Lab
svchost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
:Zone.Identifier
:Zone.Identifier
c:\debugg
c:\debugg
on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1
on error resume next:Set objShell = CreateObject("Shell.Application"):objShell.ShellExecute "C:\yw8oeyw8oe\yw8oe.exe", "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe", "C:\yw8oeyw8oe", "open", 1
avgui.exe
avgui.exe
C:\Users\
C:\Users\
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
avpui.exe
avpui.exe
ruta.txt
ruta.txt
%Program Files%\Bitdefender
%Program Files%\Bitdefender
%Program Files%\Trend Micro
%Program Files%\Trend Micro
C:\Windows\System32\werfault.exe
C:\Windows\System32\werfault.exe
iu2.iua
iu2.iua
KWindows
KWindows
UrlMon
UrlMon
GetCPInfo
GetCPInfo
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegCreateKeyA
RegCreateKeyA
ShellExecuteExA
ShellExecuteExA
URLDownloadToFileA
URLDownloadToFileA
GetKeyboardType
GetKeyboardType
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
KERNEL32.DLL
KERNEL32.DLL
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
shfolder.dll
shfolder.dll
URLMON.DLL
URLMON.DLL
user32.dll
user32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
List capacity out of bounds (%d)
List capacity out of bounds (%d)
List count out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
%s.Seek not implemented$Operation not allowed on sorted list
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot assign a %s to a %s%String list does not allow duplicates
Cannot create file "%s". %s
Cannot create file "%s". %s
Cannot open file "%s". %s
Cannot open file "%s". %s
%s (%s, line %d)
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Operation not supported
External exception %x
External exception %x
Interface not supported
Interface not supported
Invalid pointer operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
!'%s' is not a valid integer value
I/O error %d
I/O error %d
Integer overflow Invalid floating point operation
Integer overflow Invalid floating point operation
SearchFilterHost.exe_2348:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
ADVAPI32.dll
ADVAPI32.dll
ntdll.DLL
ntdll.DLL
KERNEL32.dll
KERNEL32.dll
msvcrt.dll
msvcrt.dll
USER32.dll
USER32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
TQUERY.DLL
TQUERY.DLL
IMM32.dll
IMM32.dll
MSSHooks.dll
MSSHooks.dll
mscoree.dll
mscoree.dll
SHLWAPI.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyW
RegDeleteKeyExW
RegDeleteKeyExW
8%uiP
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
ReportEventW
ReportEventW
_amsg_exit
_amsg_exit
SearchFilterHost.pdb
SearchFilterHost.pdb
version="5.1.0.0"
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
name="Microsoft.Windows.Search.MSSFH"
3 3(30383|3 3 3(30383|3 kernel32.dll kernel32.dll Software\Microsoft\Windows Search Software\Microsoft\Windows Search SOFTWARE\Microsoft\Windows Search SOFTWARE\Microsoft\Windows Search HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE HKEY_USERS HKEY_USERS HKEY_PERFORMANCE_DATA HKEY_PERFORMANCE_DATA HKEY_DYN_DATA HKEY_DYN_DATA HKEY_CURRENT_CONFIG HKEY_CURRENT_CONFIG Windows Search Service Windows Search Service tquery.dll tquery.dll advapi32.dll advapi32.dll API-MS-Win-Core-LocalRegistry-L1-1-0.dll API-MS-Win-Core-LocalRegistry-L1-1-0.dll Software\Microsoft\Windows Search\Tracing Software\Microsoft\Windows Search\Tracing Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported Software\Microsoft\Windows Search\Tracing\EventThrottleState Software\Microsoft\Windows Search\Tracing\EventThrottleState tid="0x%x" tid="0x%x" pid="0x%x" pid="0x%x" tagname="%S" tagname="%S" tagid="0x%x" tagid="0x%x" el="0x%x" el="0x%x" time="d/d/d d:d:d.d" time="d/d/d d:d:d.d" logname="%S" logname="%S" Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383} Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383} .\%s.mui .\%s.mui .\%s\%s.mui .\%s\%s.mui %s\%s.mui %s\%s.mui %s\%s\%s.mui %s\%s\%s.mui %s\%s %s\%s winhttp.dll winhttp.dll Microsoft Windows Search Filter Host Microsoft Windows Search Filter Host 7.00.7601.17610 (win7sp1_gdr.110503-1502) 7.00.7601.17610 (win7sp1_gdr.110503-1502) SearchFilterHost.exe SearchFilterHost.exe Windows Windows 7.00.7601.17610 7.00.7601.17610 6x7aj.exe_2632:
`.rsrc `.rsrc kernel32.dll kernel32.dll Windows Windows MSWHEEL_ROLLMSG MSWHEEL_ROLLMSG MSH_WHEELSUPPORT_MSG MSH_WHEELSUPPORT_MSG MSH_SCROLL_LINES_MSG MSH_SCROLL_LINES_MSG $*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $) $*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $) oleaut32.dll oleaut32.dll EVariantBadIndexError EVariantBadIndexError ssShift ssShift htKeyword htKeyword EInvalidOperation EInvalidOperation u%CNu u%CNu %s[%d] %s[%d] %s_%d %s_%d EIdCanNotBindPortInRange EIdCanNotBindPortInRange EIdInvalidPortRange\wc EIdInvalidPortRange\wc Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas WS2_32.DLL WS2_32.DLL MSWSOCK.DLL MSWSOCK.DLL getservbyport getservbyport WSAAsyncGetServByPort WSAAsyncGetServByPort WSAJoinLeaf WSAJoinLeaf WSARecvMsg WSARecvMsg WSASendMsg WSASendMsg Wship6.dll Wship6.dll Fwpuclnt.dll Fwpuclnt.dll TIdSocketListWindows TIdSocketListWindows TIdStackWindowsU TIdStackWindowsU Kernel32.dll Kernel32.dll EIdIPVersionUnsupportedP EIdIPVersionUnsupportedP 127.0.0.1 127.0.0.1 Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas EIdPortRequired EIdPortRequired EIdTCPConnectionError EIdTCPConnectionError EIdObjectTypeNotSupported EIdObjectTypeNotSupported ftpTransfer ftpTransfer ftpReady ftpReady ftpAborted ftpAborted PortT PortT Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas ClientPortMin ClientPortMin ClientPortMax ClientPortMax Port| Port| "EIdTransparentProxyUDPNotSupported "EIdTransparentProxyUDPNotSupported Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas %EIdSocksUDPNotSupportedBySOCKSVersion %EIdSocksUDPNotSupportedBySOCKSVersion saUsernamePassword saUsernamePassword Password Password PortD PortD 0.0.0.1 0.0.0.1 0.0.0.0 0.0.0.0 BoundPort BoundPort DefaultPortD DefaultPortD TIdTCPConnection TIdTCPConnection TIdTCPConnectionX TIdTCPConnectionX IdTCPConnection IdTCPConnection TIdTCPClientCustom TIdTCPClientCustom IdTCPClient IdTCPClient TIdTCPClient TIdTCPClient TIdTCPClientH TIdTCPClientH BoundPortT BoundPortT ole32.dll ole32.dll EInvalidGraphicOperation EInvalidGraphicOperation Please contact Cyber-Software support Please contact Cyber-Software support shlwapi.dll shlwapi.dll WbemScripting.SWbemLocator WbemScripting.SWbemLocator %s\%s %s\%s SELECT * FROM %s SELECT * FROM %s pathToSignedProductExe pathToSignedProductExe pathToSignedReportingExe pathToSignedReportingExe USER32.DLL USER32.DLL comctl32.dll comctl32.dll uxtheme.dll uxtheme.dll MAPI32.DLL MAPI32.DLL IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")") IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")") JumpID("","%s") JumpID("","%s") TKeyEvent TKeyEvent TKeyPressEvent TKeyPressEvent HelpKeyword HelpKeyword crSQLWait crSQLWait %s (%s) %s (%s) imm32.dll imm32.dll AutoHotkeys AutoHotkeys ssHotTrack ssHotTrack TWindowState TWindowState poProportional poProportional TWMKey TWMKey KeyPreview KeyPreview WindowState WindowState OnKeyDown46g OnKeyDown46g OnKeyPress OnKeyPress OnKeyUp OnKeyUp System\CurrentControlSet\Control\Keyboard Layouts\%.8x System\CurrentControlSet\Control\Keyboard Layouts\%.8x vcltest3.dll vcltest3.dll User32.dll User32.dll TWebcam TWebcam SetupApi.dll SetupApi.dll SetupDiOpenClassRegKey SetupDiOpenClassRegKey SetupDiOpenClassRegKeyExA SetupDiOpenClassRegKeyExA SetupDiOpenClassRegKeyExW SetupDiOpenClassRegKeyExW SetupDiCreateDeviceInterfaceRegKeyA SetupDiCreateDeviceInterfaceRegKeyA SetupDiCreateDeviceInterfaceRegKeyW SetupDiCreateDeviceInterfaceRegKeyW SetupDiOpenDeviceInterfaceRegKey SetupDiOpenDeviceInterfaceRegKey SetupDiDeleteDeviceInterfaceRegKey SetupDiDeleteDeviceInterfaceRegKey SetupDiCreateDevRegKeyA SetupDiCreateDevRegKeyA SetupDiCreateDevRegKeyW SetupDiCreateDevRegKeyW SetupDiOpenDevRegKey SetupDiOpenDevRegKey SetupDiDeleteDevRegKey SetupDiDeleteDevRegKey CM_DEVCAP_LOCKSUPPORTED CM_DEVCAP_LOCKSUPPORTED CM_DEVCAP_EJECTSUPPORTED CM_DEVCAP_EJECTSUPPORTED PDCAP_D0_SUPPORTED PDCAP_D0_SUPPORTED PDCAP_D1_SUPPORTED PDCAP_D1_SUPPORTED PDCAP_D2_SUPPORTED PDCAP_D2_SUPPORTED PDCAP_D3_SUPPORTED PDCAP_D3_SUPPORTED PDCAP_WAKE_FROM_D0_SUPPORTED PDCAP_WAKE_FROM_D0_SUPPORTED PDCAP_WAKE_FROM_D1_SUPPORTED PDCAP_WAKE_FROM_D1_SUPPORTED PDCAP_WAKE_FROM_D2_SUPPORTED PDCAP_WAKE_FROM_D2_SUPPORTED PDCAP_WAKE_FROM_D3_SUPPORTED PDCAP_WAKE_FROM_D3_SUPPORTED PDCAP_WARM_EJECT_SUPPORTED PDCAP_WARM_EJECT_SUPPORTED ISO_646.irv:1991 ISO_646.irv:1991 ISO_646.basic:1983 ISO_646.basic:1983 ISO_646.irv:1983 ISO_646.irv:1983 csISO16Portuguese csISO16Portuguese csISO84Portuguese2 csISO84Portuguese2 windows-936 windows-936 csShiftJIS csShiftJIS windows-874 windows-874 ISO-8859-1-Windows-3.0-Latin-1 ISO-8859-1-Windows-3.0-Latin-1 csWindows30Latin1 csWindows30Latin1 ISO-8859-1-Windows-3.1-Latin-1 ISO-8859-1-Windows-3.1-Latin-1 csWindows31Latin1 csWindows31Latin1 ISO-8859-2-Windows-Latin-2 ISO-8859-2-Windows-Latin-2 csWindows31Latin2 csWindows31Latin2 ISO-8859-9-Windows-Latin-5 ISO-8859-9-Windows-Latin-5 csWindows31Latin5 csWindows31Latin5 csMicrosoftPublishing csMicrosoftPublishing Windows-31J Windows-31J csWindows31J csWindows31J PTCP154 PTCP154 csPTCP154 csPTCP154 windows-1250 windows-1250 windows-1251 windows-1251 windows-1252 windows-1252 windows-1253 windows-1253 windows-1254 windows-1254 windows-1255 windows-1255 windows-1256 windows-1256 windows-1257 windows-1257 windows-1258 windows-1258 HTTP-EQUIV HTTP-EQUIV ()@,;:\"./ ()@,;:\"./ ()@,;:\"/[]?= ()@,;:\"/[]?= ()@,;:\"/[]?={} ()@,;:\"/[]?={} Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas EIdTCPNoOnExecute EIdTCPNoOnExecute TIdTCPServer TIdTCPServer TIdTCPServerX TIdTCPServerX IdTCPServer IdTCPServer OnExecute OnExecute Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas %s User %s User IdCustomTCPServer IdCustomTCPServer TIdCustomTCPServer TIdCustomTCPServer DefaultPort DefaultPort EIdTCPServerError EIdTCPServerError Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas CmdDelimiter CmdDelimiter Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas 'TIdCmdTCPServerAfterCommandHandlerEvent 'TIdCmdTCPServerAfterCommandHandlerEvent TIdCmdTCPServer TIdCmdTCPServer (TIdCmdTCPServerBeforeCommandHandlerEvent (TIdCmdTCPServerBeforeCommandHandlerEvent IdCmdTCPServer IdCmdTCPServer Displays commands that the servers supports. Displays commands that the servers supports. TIdTCPStream TIdTCPStream IdRead() method of TIdTCPStream class does not support seeking IdRead() method of TIdTCPStream class does not support seeking TIdHTTPProxyTransferMode TIdHTTPProxyTransferMode TIdHTTPProxyServerContextt TIdHTTPProxyServerContextt TIdHTTPProxyServerContext$ TIdHTTPProxyServerContext$ TOnHTTPContextEvent TOnHTTPContextEvent TIdHTTPProxyServerContext TIdHTTPProxyServerContext TOnHTTPDocument TOnHTTPDocument TIdHTTPProxyServer TIdHTTPProxyServer OnHTTPBeforeCommand OnHTTPBeforeCommand OnHTTPResponse OnHTTPResponse OnHTTPDocument OnHTTPDocument HTTP/1.0 HTTP/1.0 HTTP/1.0 200 Connection established HTTP/1.0 200 Connection established HNetCfg.FwMgr HNetCfg.FwMgr HNetCfg.FwAuthorizedApplication HNetCfg.FwAuthorizedApplication PSAPI.dll PSAPI.dll TWebcamThread TWebcamThread Uh.Uk Uh.Uk 789:;
789:;
iphlpapi.dll iphlpapi.dll AllocateAndGetTcpExTableFromStack AllocateAndGetTcpExTableFromStack AllocateAndGetUdpExTableFromStack AllocateAndGetUdpExTableFromStack SetTcpEntry SetTcpEntry GetExtendedTcpTable GetExtendedTcpTable GetExtendedUdpTable GetExtendedUdpTable SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ TSendKey TSendKey sqlite3_bind_blob sqlite3_bind_blob sqlite3_bind_text sqlite3_bind_text sqlite3_bind_double sqlite3_bind_double sqlite3_bind_int sqlite3_bind_int sqlite3_bind_int64 sqlite3_bind_int64 sqlite3_bind_null sqlite3_bind_null sqlite3_bind_parameter_index sqlite3_bind_parameter_index sqlite3_open sqlite3_open sqlite3_close sqlite3_close sqlite3_errmsg sqlite3_errmsg sqlite3_free sqlite3_free sqlite3_prepare_v2 sqlite3_prepare_v2 sqlite3_column_count sqlite3_column_count sqlite3_column_name sqlite3_column_name sqlite3_column_decltype sqlite3_column_decltype sqlite3_step sqlite3_step sqlite3_column_blob sqlite3_column_blob sqlite3_column_bytes sqlite3_column_bytes sqlite3_column_double sqlite3_column_double sqlite3_column_text sqlite3_column_text sqlite3_column_type sqlite3_column_type sqlite3_column_int64 sqlite3_column_int64 sqlite3_finalize sqlite3_finalize sqlite3_reset sqlite3_reset ESQLiteException ESQLiteException TSQLiteDatabaseD TSQLiteDatabaseD TSQLiteTable TSQLiteTable Failed to open database "%s" : %s Failed to open database "%s" : %s Failed to open database "%s" : unknown error Failed to open database "%s" : unknown error Error executing SQL Error executing SQL Could not prepare SQL statement Could not prepare SQL statement Error executing SQL statement Error executing SQL statement SQLite is Busy SQLite is Busy SOFTWARE\Mozilla\Mozilla Firefox SOFTWARE\Mozilla\Mozilla Firefox SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox SOFTWARE\Mozilla\Mozilla Firefox\ SOFTWARE\Mozilla\Mozilla Firefox\ SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\ SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\ 1234567890. 1234567890. mozsqlite3.dll mozsqlite3.dll sqlite3.dll sqlite3.dll mozcrt19.dll mozcrt19.dll msvcr100.dll msvcr100.dll mozglue.dll mozglue.dll mozutils.dll mozutils.dll nspr4.dll nspr4.dll plc4.dll plc4.dll plds4.dll plds4.dll nssutil3.dll nssutil3.dll nss3.dll nss3.dll PK11_GetInternalKeySlot PK11_GetInternalKeySlot \Mozilla\Firefox\profiles.ini \Mozilla\Firefox\profiles.ini \Mozilla\Firefox\ \Mozilla\Firefox\ signons.sqlite signons.sqlite SELECT * FROM moz_logins SELECT * FROM moz_logins encryptedPassword encryptedPassword Microsoft\Network\Connections\pbk\rasphone.pbk Microsoft\Network\Connections\pbk\rasphone.pbk rasapi32.dll rasapi32.dll rnaph.dll rnaph.dll RAS Passwords RAS Passwords SOFTWARE\Microsoft\Windows\CurrentVersion SOFTWARE\Microsoft\Windows\CurrentVersion Ps_Passwords Ps_Passwords advapi32.dll advapi32.dll WindowsLive:name=* WindowsLive:name=* \Mozilla Firefox\ \Mozilla Firefox\ MSVCR100.dll MSVCR100.dll softokn3.dll softokn3.dll userenv.dll userenv.dll profiles.ini profiles.ini \signons3.txt \signons3.txt \signons2.txt \signons2.txt \signons1.txt \signons1.txt \signons.txt \signons.txt ps_SafariPasswordRecovery ps_SafariPasswordRecovery AVURLProtocol_Classic AVURLProtocol_Classic \Apple Computer\Preferences\keychain.plist \Apple Computer\Preferences\keychain.plist \Apple\Apple Application Support\CFNetwork.dll \Apple\Apple Application Support\CFNetwork.dll hXXp:// hXXp:// PTF:// PTF:// *PTF:// *PTF:// hXXps:// hXXps:// Shell.Application Shell.Application hXXp://cyber-sec.org/email/asp/email.php?email= hXXp://cyber-sec.org/email/asp/email.php?email= TMemoryOperation TMemoryOperation %sysdir%\ %sysdir%\ %serverpath%\ %serverpath%\ %sysdir% %sysdir% %serverpath% %serverpath% Proxy Bypass Proxy Bypass ntdll.dll ntdll.dll TPasswordItem TPasswordItem TArrayPasswod TArrayPasswod Crypt32.dll Crypt32.dll shell32.dll shell32.dll Advapi32.dll Advapi32.dll SOFTWARE\MOZILLA\MOZILLA FIREFOX SOFTWARE\MOZILLA\MOZILLA FIREFOX SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main select * from moz_logins select * from moz_logins Firefox Firefox SOFTWARE\MOZILLA\MOZILLA FIREFOX\ SOFTWARE\MOZILLA\MOZILLA FIREFOX\ \Flock\Browser\profiles.ini \Flock\Browser\profiles.ini Flock-Firefox Flock-Firefox \1-abc\personal calendar\sqlite3.dll \1-abc\personal calendar\sqlite3.dll \clipdiary\sqlite3.dll \clipdiary\sqlite3.dll \conceptworld\recentx\sqlite3.dll \conceptworld\recentx\sqlite3.dll \darq software\transmute\sqlite3.dll \darq software\transmute\sqlite3.dll \delphish\sqlite3.dll \delphish\sqlite3.dll \ditto\sqlite3.dll \ditto\sqlite3.dll \du meter\sqlite3.dll \du meter\sqlite3.dll \fcleaner\sqlite3.dll \fcleaner\sqlite3.dll \file seeker\sqlite3.dll \file seeker\sqlite3.dll \flashnote\sqlite3.dll \flashnote\sqlite3.dll \flashpaste\sqlite3.dll \flashpaste\sqlite3.dll \gorecord\sqlite3.dll \gorecord\sqlite3.dll \gorecord2\sqlite3.dll \gorecord2\sqlite3.dll \linkcollector portable\sqlite3.dll \linkcollector portable\sqlite3.dll \ma-config.com\sqlite3.dll \ma-config.com\sqlite3.dll \macrovirus\sqlite3.dll \macrovirus\sqlite3.dll \msnsniffer2\sqlite3.dll \msnsniffer2\sqlite3.dll \notecable\sqlite3.dll \notecable\sqlite3.dll \nzbleecher\sqlite3.dll \nzbleecher\sqlite3.dll \outlook express\sqlite3.dll \outlook express\sqlite3.dll \page update watcher\sqlite3.dll \page update watcher\sqlite3.dll \pipi\sqlite3.dll \pipi\sqlite3.dll \qloud\sqlite3.dll \qloud\sqlite3.dll \qloud\winamp\sqlite3.dll \qloud\winamp\sqlite3.dll \qloud\windows media player\sqlite3.dll \qloud\windows media player\sqlite3.dll \recordtheradio\sqlite3.dll \recordtheradio\sqlite3.dll \rightload\sqlite3.dll \rightload\sqlite3.dll \smm\funny sms10\sqlite3.dll \smm\funny sms10\sqlite3.dll \smm\simple mail 7\sqlite3.dll \smm\simple mail 7\sqlite3.dll \spiceworks\bin\sqlite3.dll \spiceworks\bin\sqlite3.dll \spyware-secure\sqlite3.dll \spyware-secure\sqlite3.dll \timelog\sqlite3.dll \timelog\sqlite3.dll \video2webcam\sqlite3.dll \video2webcam\sqlite3.dll \webmarkers\sqlite3.dll \webmarkers\sqlite3.dll \webmediaplayer\sqlite3.dll \webmediaplayer\sqlite3.dll \windows media player\plugins\qloud\sqlite3.dll \windows media player\plugins\qloud\sqlite3.dll \Mozilla Firefox\sqlite3.dll \Mozilla Firefox\sqlite3.dll \VirusGuardPlus\sqlite3.dll \VirusGuardPlus\sqlite3.dll \Safari\sqlite3.dll \Safari\sqlite3.dll \AIMP2\sqlite3.dll \AIMP2\sqlite3.dll \Live-Player\sqlite3.dll \Live-Player\sqlite3.dll \TrustedProtection\sqlite3.dll \TrustedProtection\sqlite3.dll \PCTotalDefender\sqlite3.dll \PCTotalDefender\sqlite3.dll \Common Files\eEye Digital Security\Application Bus\sqlite3.dll \Common Files\eEye Digital Security\Application Bus\sqlite3.dll Windows Live Messenger Windows Live Messenger DynDNS\Updater\config.dyndns DynDNS\Updater\config.dyndns Password= Password= Software\DownloadManager\Passwords Software\DownloadManager\Passwords Software\DownloadManager\Passwords\ Software\DownloadManager\Passwords\ EncPassword EncPassword YLoginWnd YLoginWnd FileZilla\recentservers.xml FileZilla\recentservers.xml FileZilla\sitemanager.xml FileZilla\sitemanager.xml FileZilla\filezilla.xml FileZilla\filezilla.xml .purple\accounts.xml .purple\accounts.xml abe2869f-9b47-4cd9-a358-c22904dba7f7 abe2869f-9b47-4cd9-a358-c22904dba7f7 trillian.ini trillian.ini accounts.ini accounts.ini password password SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian Trillian\trillian.exe Trillian\trillian.exe Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ ###@@@!!! ###@@@!!! IMAP Password IMAP Password IMAP Password: IMAP Password: POP3 Password POP3 Password POP3 Password: POP3 Password: HNetCfg.NATUPnP HNetCfg.NATUPnP StaticPortMappingCollection StaticPortMappingCollection Uh%Fm Uh%Fm TCpuUsageU TCpuUsageU ##,##0.00 ##,##0.00 TNewFTPThreadU TNewFTPThreadU TPasswordU TPasswordU SHFileOperationW SHFileOperationW .hd'n .hd'n .hd*n .hd*n %s %s %s %s Windows NT %d.%d Windows NT %d.%d %s %s Server %s %s Server Unknown Platform ID (%d) Unknown Platform ID (%d) %d.%d %d.%d %s [Build: %d %s [Build: %d - Service Pack: %s - Service Pack: %s KERNEL32.DLL KERNEL32.DLL TIdTCPClientNewp TIdTCPClientNewp TIdTCPClientNew TIdTCPClientNew 1.2.3 1.2.3 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly inflate 1.2.3 Copyright 1995-2005 Mark Adler inflate 1.2.3 Copyright 1995-2005 Mark Adler ?456789:;
?456789:;
!"#$%&'()* ,-./0123 !"#$%&'()* ,-./0123 com.apple.Safari com.apple.Safari com.apple.Safari0123456789ABCDEF com.apple.Safari0123456789ABCDEF 1iu2.iu 1iu2.iu 333333333333333333 333333333333333333 33333833 33333833 3333339 3333339 3333333333333338 3333333333333338 :*"*"$3338 :*"*"$3338 3333333 3333333 33333333 33333333 33333333333 33333333333 3333333333338 3333333333338 33338?383 33338?383 333333333333 333333333333 :*3:"$3338 :*3:"$3338 333333333333333 333333333333333 KWindows KWindows IdStackWindows IdStackWindows Sr_StartWebcam Sr_StartWebcam UrlMon UrlMon UnitWebcamAPI UnitWebcamAPI IdTCPStream IdTCPStream IdTCPServer IdTCPServer Sr_Windows Sr_Windows Cm_Keylogger Cm_Keylogger ~Sr_Ports ~Sr_Ports }Unitsndkey32 }Unitsndkey32 Vps_FireFox3_5 Vps_FireFox3_5 SQLiteTable3 SQLiteTable3 SQLite3 SQLite3 Ps_IEpasswords Ps_IEpasswords ps_URLHistory ps_URLHistory FPs_PasswordRecovery FPs_PasswordRecovery Ps_OperaPasswords Ps_OperaPasswords Sr_MemoryEXE Sr_MemoryEXE Sr_MemoryExecuteFunctions Sr_MemoryExecuteFunctions U_GrabFirefox10 U_GrabFirefox10 YU_GrabFirefox8 YU_GrabFirefox8 6U_GrabFirefox 6U_GrabFirefox \U_GrabChrome \U_GrabChrome U_GrabFirefox15 U_GrabFirefox15 U_Grabfirefox22 U_Grabfirefox22 {IdCmdTCPClient {IdCmdTCPClient SetNamedPipeHandleState SetNamedPipeHandleState GetWindowsDirectoryW GetWindowsDirectoryW GetProcessHeap GetProcessHeap GetCPInfo GetCPInfo CreatePipe CreatePipe RegQueryInfoKeyA RegQueryInfoKeyA RegOpenKeyExW RegOpenKeyExW RegOpenKeyExA RegOpenKeyExA RegOpenKeyW RegOpenKeyW RegOpenKeyA RegOpenKeyA RegFlushKey RegFlushKey RegEnumKeyExW RegEnumKeyExW RegEnumKeyExA RegEnumKeyExA RegDeleteKeyW RegDeleteKeyW RegCreateKeyExW RegCreateKeyExW RegCreateKeyExA RegCreateKeyExA RegCreateKeyW RegCreateKeyW RegCloseKey RegCloseKey CryptImportKey CryptImportKey CryptSetKeyParam CryptSetKeyParam CryptDestroyKey CryptDestroyKey SetViewportOrgEx SetViewportOrgEx GdiplusShutdown GdiplusShutdown ShellExecuteW ShellExecuteW FindExecutableW FindExecutableW SHDeleteKeyW SHDeleteKeyW URLDownloadToFileW URLDownloadToFileW keybd_event keybd_event VkKeyScanW VkKeyScanW UnhookWindowsHookEx UnhookWindowsHookEx SetWindowsHookExW SetWindowsHookExW SetWindowsHookExA SetWindowsHookExA SetKeyboardState SetKeyboardState MsgWaitForMultipleObjects MsgWaitForMultipleObjects MapVirtualKeyW MapVirtualKeyW MapVirtualKeyA MapVirtualKeyA LoadKeyboardLayoutA LoadKeyboardLayoutA GetKeyboardState GetKeyboardState GetKeyboardLayoutList GetKeyboardLayoutList GetKeyboardLayout GetKeyboardLayout GetKeyState GetKeyState GetKeyNameTextA GetKeyNameTextA ExitWindowsEx ExitWindowsEx EnumWindows EnumWindows EnumThreadWindows EnumThreadWindows ActivateKeyboardLayout ActivateKeyboardLayout GetKeyboardType GetKeyboardType FtpPutFileW FtpPutFileW FtpSetCurrentDirectoryW FtpSetCurrentDirectoryW InternetOpenUrlW InternetOpenUrlW InternetOpenUrlA InternetOpenUrlA HttpQueryInfoA HttpQueryInfoA .idata .idata .rdata .rdata P.reloc P.reloc P.rsrc P.rsrc [E.MyFull [E.MyFull -!GA?EXE -!GA?EXE LMsg LMsg AVICAP32.DLL AVICAP32.DLL crypt32.dll crypt32.dll gdi32.dll gdi32.dll gdiplus.dll gdiplus.dll mpr.dll mpr.dll msacm32.dll msacm32.dll powrprof.dll powrprof.dll pstorec.dll pstorec.dll URLMON.DLL URLMON.DLL user32.dll user32.dll version.dll version.dll wininet.dll wininet.dll winmm.dll winmm.dll wsock32.dll wsock32.dll HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE HKEY_USERS HKEY_USERS HKEY_CURRENT_CONFIG HKEY_CURRENT_CONFIG Portugal Portugal Turkey Turkey WEBCAM WEBCAM *#%"{}|\^[]` *#%"{}|\^[]` uploadandexecute uploadandexecute uploadandexecuteyes| uploadandexecuteyes| uploadandexecuteno| uploadandexecuteno| webcam|webcamstream| webcam|webcamstream| webcam|webcamstop| webcam|webcamstop| webcamstart webcamstart [Execute] [Execute] KeyDelBackspace KeyDelBackspace CyberGateKeylogger CyberGateKeylogger software\microsoft\windows\currentversion\uninstall\ software\microsoft\windows\currentversion\uninstall\ Invalid Key Name Invalid Key Name Invalid KeyName Invalid KeyName %Username% %Username% %Country% %Country% Úte% Úte% FirstExecution FirstExecution keylogger|keyloggeronlinekey| keylogger|keyloggeronlinekey| keylogger|keyloggerativar|T| keylogger|keyloggerativar|T| keylogger|keyloggerativar|F| keylogger|keyloggerativar|F| webcamlist| webcamlist| webcam webcam filemanager|fmsendftpyes| filemanager|fmsendftpyes| filemanager|fmsendftpno| filemanager|fmsendftpno| FIREFOX2| FIREFOX2| FIREFOX8| FIREFOX8| FIREFOX10| FIREFOX10| FIREFOX15| FIREFOX15| FIREFOX22| FIREFOX22| \Opera\Opera\wand.dat \Opera\Opera\wand.dat OPERA| OPERA| \Google\Chrome\User Data\Default\Login Data \Google\Chrome\User Data\Default\Login Data CHROME| CHROME| \Google\Chrome\User Data\Default\Web Data \Google\Chrome\User Data\Default\Web Data getpasswords getpasswords downexec downexec openweb openweb HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ fmexecnormal fmexecnormal filemanager|fmexecnormal| filemanager|fmexecnormal| fmexechide fmexechide filemanager|fmexechide| filemanager|fmexechide| fmexecparam fmexecparam filemanager|fmexecparam|F| filemanager|fmexecparam|F| filemanager|fmexecparam|T| filemanager|fmexecparam|T| fmsendftp fmsendftp filemanager|fmsendftp| filemanager|fmsendftp| listarportas listarportas listarportas|listadeportasativas| listarportas|listadeportasativas| listarportasdns listarportasdns listarportas|finalizarconexao| listarportas|finalizarconexao| finalizarprocessoportas finalizarprocessoportas listarportas|finalizarprocessoportas|Y| listarportas|finalizarprocessoportas|Y| listarportas|finalizarprocessoportas|N| listarportas|finalizarprocessoportas|N| tecaladoexecutar tecaladoexecutar webcamconfig webcamconfig keylogger keylogger keylogger|keyloggeronlinestart| keylogger|keyloggeronlinestart| keylogger|keyloggeronlinestop| keylogger|keyloggeronlinestop| keyloggerativar keyloggerativar keyloggerdesativar keyloggerdesativar keyloggerbaixar keyloggerbaixar keylogger|keyloggerbaixar| keylogger|keyloggerbaixar| keylogger|keyloggerbaixar|NOLOGS keylogger|keyloggerbaixar|NOLOGS keyloggerexcluir keyloggerexcluir keylogger|keyloggerexcluir| keylogger|keyloggerexcluir| keyloggeronlinestart keyloggeronlinestart keyloggeronlinestop keyloggeronlinestop chromepass chromepass chromepass| chromepass| keysearch keysearch keysearch|NO keysearch|NO keysearch|YES keysearch|YES sendkeyswindow sendkeyswindow enviarlogskey enviarlogskey enviarlogskey| enviarlogskey| rar.exe rar.exe rarreg.key rarreg.key vs.vbs vs.vbs bs.bat bs.bat memoryexecoperation memoryexecoperation TeamViewer.exe TeamViewer.exe TeamViewer_Resource.dll TeamViewer_Resource.dll TV.dll TV.dll x.html x.html Windows 3.1 Windows 3.1 Windows 95 (Release 2) Windows 95 (Release 2) Windows 95 Windows 95 Windows 98 SE Windows 98 SE Windows 98 Windows 98 Windows ME Windows ME Windows 8 Windows 8 Windows 7 Windows 7 Windows Vista Windows Vista Windows XP Professional x64 Windows XP Professional x64 Windows XP Home Windows XP Home Windows XP Professional Windows XP Professional Windows 2000 Professional Windows 2000 Professional Windows 2008 Windows 2008 Windows 2003 Server Datacenter Windows 2003 Server Datacenter Windows 2003 Server Enterprise Windows 2003 Server Enterprise Windows 2003 Server Web Edition Windows 2003 Server Web Edition Windows 2003 Server Windows 2003 Server Windows Home Server Windows Home Server Windows 2003 Server (Release 2) Windows 2003 Server (Release 2) Windows 2000 Server Datacenter Windows 2000 Server Datacenter Windows 2000 Server Enterprise Windows 2000 Server Enterprise Windows 2000 Server Web Edition Windows 2000 Server Web Edition Windows 2000 Server Windows 2000 Server Windows NT 4.0 Server Datacenter Windows NT 4.0 Server Datacenter Windows NT 4.0 Server Enterprise Windows NT 4.0 Server Enterprise Windows NT 4.0 Server Web Edition Windows NT 4.0 Server Web Edition Windows NT 4.0 Server Windows NT 4.0 Server SelfDelete.bat SelfDelete.bat Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\RunOnce Software\Microsoft\Windows\CurrentVersion\RunOnce Software\Microsoft\Windows NT\CurrentVersion\Windows Software\Microsoft\Windows NT\CurrentVersion\Windows SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run explorer.exe explorer.exe \Microsoft\Windows\ \Microsoft\Windows\ CYBERGATEPASS CYBERGATEPASS k4l1m3r4.publicvm.com k4l1m3r4.publicvm.com wins10up.16-b.it wins10up.16-b.it UIAutomsslwin.moneyhome.biz UIAutomsslwin.moneyhome.biz c0pywins.is-not-certified.com c0pywins.is-not-certified.com UIAutomh1h1tl3r.click UIAutomh1h1tl3r.click -certified.com -certified.com %USECRYPTER% %USECRYPTER% 2.5.2.0 2.5.2.0 webcamlizUB8dknwCPERSIST webcamlizUB8dknwCPERSIST ertified.com ertified.com PTF.ftpserver.com PTF.ftpserver.com ftpuser ftpuser ftppass ftppass pong|35953|Borrador Memorial de Aportaci pong|35953|Borrador Memorial de Aportaci hXXp://VVV.myserver.com/serverplugin.srv hXXp://VVV.myserver.com/serverplugin.srv hXXp://VVV.somehosting.com/tagger.php hXXp://VVV.somehosting.com/tagger.php C @ JAIME].ini C @ JAIME].ini Express.xlsx Express.xlsx ache_idx.db!018 ache_idx.db!018 Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version% DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version% ques y ahorro.pdfn ques y ahorro.pdfn example@email.com example@email.com No help keyword specified. No help keyword specified. No help found for %s#No context-sensitive help installed$No topic-based help system installed No help found for %s#No context-sensitive help installed$No topic-based help system installed Alt Clipboard does not support Icons/Menu '%s' is already being used by another form Alt Clipboard does not support Icons/Menu '%s' is already being used by another form Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters Unsupported clipboard format Unsupported clipboard format Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid. Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid. Reply Code is not valid: %s Reply Code is not valid: %s Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event. Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event. Command not supported. Command not supported. Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d) Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d) File "%s" not found File "%s" not found Object type not supported. Object type not supported. %s is not a valid IPv6 address:The requested IPVersion / Address family is not supported. %s is not a valid IPv6 address:The requested IPVersion / Address family is not supported. Set Size Exceeded.)UDP is not support in this SOCKS version. Set Size Exceeded.)UDP is not support in this SOCKS version. Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids. Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids. Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d) Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d) Connection Closed Gracefully.;Could not bind socket. Address and port are already in use. Connection Closed Gracefully.;Could not bind socket. Address and port are already in use. Invalid Port Range (%d - %d) Invalid Port Range (%d - %d) %s is not a valid service. %s is not a valid service. "Operation not supported on socket. "Operation not supported on socket. Protocol family not supported.0Address family not supported by protocol family. Protocol family not supported.0Address family not supported by protocol family. Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice. Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice. Operation would block. Operation would block. Operation now in progress. Operation now in progress. Operation already in progress. Operation already in progress. Socket operation on non-socket. Socket operation on non-socket. Protocol not supported. Protocol not supported. Socket type not supported. Socket type not supported. Invalid destination array"Character index out of bounds (%d) Invalid destination array"Character index out of bounds (%d) Start index out of bounds (%d) Start index out of bounds (%d) Invalid count (%d) Invalid count (%d) Invalid destination index (%d) Invalid destination index (%d) Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s) Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s) Resolving hostname %s. Resolving hostname %s. Connecting to %s. Connecting to %s. Socket Error # %d Socket Error # %d List capacity out of bounds (%d) List capacity out of bounds (%d) List count out of bounds (%d) List count out of bounds (%d) List index out of bounds (%d) Out of memory while expanding memory stream List index out of bounds (%d) Out of memory while expanding memory stream Error reading %s%s%s: %s Error reading %s%s%s: %s Failed to get data for '%s' Failed to get data for '%s' Resource %s not found Resource %s not found %s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group %s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group Property %s does not exist Property %s does not exist Thread creation error: %s Thread creation error: %s Thread Error: %s (%d) Thread Error: %s (%d) Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread Class %s not found Class %s not found A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates Cannot create file "%s". %s Cannot create file "%s". %s Cannot open file "%s". %s Cannot open file "%s". %s Invalid stream format$''%s'' is not a valid component name Invalid stream format$''%s'' is not a valid component name Invalid data type for '%s' Invalid data type for '%s' Ancestor for '%s' not found Ancestor for '%s' not found Cannot assign a %s to a %s Cannot assign a %s to a %s Interface not supported Interface not supported %s (%s, line %d) %s (%s, line %d) Abstract Error?Access violation at address %p in module '%s'. %s of address %p Abstract Error?Access violation at address %p in module '%s'. %s of address %p System Error. Code: %d. System Error. Code: %d. Invalid variant operation%Invalid variant operation (%s%.8x) Invalid variant operation%Invalid variant operation (%s%.8x) %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s) %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s) Operation not supported Operation not supported External exception %x External exception %x Invalid pointer operation Invalid pointer operation Invalid class typecast0Access violation at address %p. %s of address %p Invalid class typecast0Access violation at address %p. %s of address %p Operation aborted(Exception %s in module %s at %p. Operation aborted(Exception %s in module %s at %p. Application Error1Format '%s' invalid or incompatible with argument Application Error1Format '%s' invalid or incompatible with argument No argument for format '%s'"Variant method calls not supported No argument for format '%s'"Variant method calls not supported !'%s' is not a valid integer value('%s' is not a valid floating point value !'%s' is not a valid integer value('%s' is not a valid floating point value I/O error %d I/O error %d Integer overflow Invalid floating point operation Integer overflow Invalid floating point operation 6x7aj.exe_2632_rwx_01611000_0010D000:
kernel32.dll kernel32.dll Windows Windows MSWHEEL_ROLLMSG MSWHEEL_ROLLMSG MSH_WHEELSUPPORT_MSG MSH_WHEELSUPPORT_MSG MSH_SCROLL_LINES_MSG MSH_SCROLL_LINES_MSG $*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $) $*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $) oleaut32.dll oleaut32.dll EVariantBadIndexError EVariantBadIndexError ssShift ssShift htKeyword htKeyword EInvalidOperation EInvalidOperation u%CNu u%CNu %s[%d] %s[%d] %s_%d %s_%d EIdCanNotBindPortInRange EIdCanNotBindPortInRange EIdInvalidPortRange\wc EIdInvalidPortRange\wc Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStreamVCL.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdGlobal.pas WS2_32.DLL WS2_32.DLL MSWSOCK.DLL MSWSOCK.DLL getservbyport getservbyport WSAAsyncGetServByPort WSAAsyncGetServByPort WSAJoinLeaf WSAJoinLeaf WSARecvMsg WSARecvMsg WSASendMsg WSASendMsg Wship6.dll Wship6.dll Fwpuclnt.dll Fwpuclnt.dll TIdSocketListWindows TIdSocketListWindows TIdStackWindowsU TIdStackWindowsU Kernel32.dll Kernel32.dll EIdIPVersionUnsupportedP EIdIPVersionUnsupportedP 127.0.0.1 127.0.0.1 Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\System\IdStack.pas EIdPortRequired EIdPortRequired EIdTCPConnectionError EIdTCPConnectionError EIdObjectTypeNotSupported EIdObjectTypeNotSupported ftpTransfer ftpTransfer ftpReady ftpReady ftpAborted ftpAborted PortT PortT Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandler.pas ClientPortMin ClientPortMin ClientPortMax ClientPortMax Port| Port| "EIdTransparentProxyUDPNotSupported "EIdTransparentProxyUDPNotSupported Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdIOHandlerStack.pas %EIdSocksUDPNotSupportedBySOCKSVersion %EIdSocksUDPNotSupportedBySOCKSVersion saUsernamePassword saUsernamePassword Password Password PortD PortD 0.0.0.1 0.0.0.1 0.0.0.0 0.0.0.0 BoundPort BoundPort DefaultPortD DefaultPortD TIdTCPConnection TIdTCPConnection TIdTCPConnectionX TIdTCPConnectionX IdTCPConnection IdTCPConnection TIdTCPClientCustom TIdTCPClientCustom IdTCPClient IdTCPClient TIdTCPClient TIdTCPClient TIdTCPClientH TIdTCPClientH BoundPortT BoundPortT ole32.dll ole32.dll EInvalidGraphicOperation EInvalidGraphicOperation Please contact Cyber-Software support Please contact Cyber-Software support shlwapi.dll shlwapi.dll WbemScripting.SWbemLocator WbemScripting.SWbemLocator %s\%s %s\%s SELECT * FROM %s SELECT * FROM %s pathToSignedProductExe pathToSignedProductExe pathToSignedReportingExe pathToSignedReportingExe USER32.DLL USER32.DLL comctl32.dll comctl32.dll uxtheme.dll uxtheme.dll MAPI32.DLL MAPI32.DLL IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")") IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")") JumpID("","%s") JumpID("","%s") TKeyEvent TKeyEvent TKeyPressEvent TKeyPressEvent HelpKeyword HelpKeyword crSQLWait crSQLWait %s (%s) %s (%s) imm32.dll imm32.dll AutoHotkeys AutoHotkeys ssHotTrack ssHotTrack TWindowState TWindowState poProportional poProportional TWMKey TWMKey KeyPreview KeyPreview WindowState WindowState OnKeyDown46g OnKeyDown46g OnKeyPress OnKeyPress OnKeyUp OnKeyUp System\CurrentControlSet\Control\Keyboard Layouts\%.8x System\CurrentControlSet\Control\Keyboard Layouts\%.8x vcltest3.dll vcltest3.dll User32.dll User32.dll TWebcam TWebcam SetupApi.dll SetupApi.dll SetupDiOpenClassRegKey SetupDiOpenClassRegKey SetupDiOpenClassRegKeyExA SetupDiOpenClassRegKeyExA SetupDiOpenClassRegKeyExW SetupDiOpenClassRegKeyExW SetupDiCreateDeviceInterfaceRegKeyA SetupDiCreateDeviceInterfaceRegKeyA SetupDiCreateDeviceInterfaceRegKeyW SetupDiCreateDeviceInterfaceRegKeyW SetupDiOpenDeviceInterfaceRegKey SetupDiOpenDeviceInterfaceRegKey SetupDiDeleteDeviceInterfaceRegKey SetupDiDeleteDeviceInterfaceRegKey SetupDiCreateDevRegKeyA SetupDiCreateDevRegKeyA SetupDiCreateDevRegKeyW SetupDiCreateDevRegKeyW SetupDiOpenDevRegKey SetupDiOpenDevRegKey SetupDiDeleteDevRegKey SetupDiDeleteDevRegKey CM_DEVCAP_LOCKSUPPORTED CM_DEVCAP_LOCKSUPPORTED CM_DEVCAP_EJECTSUPPORTED CM_DEVCAP_EJECTSUPPORTED PDCAP_D0_SUPPORTED PDCAP_D0_SUPPORTED PDCAP_D1_SUPPORTED PDCAP_D1_SUPPORTED PDCAP_D2_SUPPORTED PDCAP_D2_SUPPORTED PDCAP_D3_SUPPORTED PDCAP_D3_SUPPORTED PDCAP_WAKE_FROM_D0_SUPPORTED PDCAP_WAKE_FROM_D0_SUPPORTED PDCAP_WAKE_FROM_D1_SUPPORTED PDCAP_WAKE_FROM_D1_SUPPORTED PDCAP_WAKE_FROM_D2_SUPPORTED PDCAP_WAKE_FROM_D2_SUPPORTED PDCAP_WAKE_FROM_D3_SUPPORTED PDCAP_WAKE_FROM_D3_SUPPORTED PDCAP_WARM_EJECT_SUPPORTED PDCAP_WARM_EJECT_SUPPORTED ISO_646.irv:1991 ISO_646.irv:1991 ISO_646.basic:1983 ISO_646.basic:1983 ISO_646.irv:1983 ISO_646.irv:1983 csISO16Portuguese csISO16Portuguese csISO84Portuguese2 csISO84Portuguese2 windows-936 windows-936 csShiftJIS csShiftJIS windows-874 windows-874 ISO-8859-1-Windows-3.0-Latin-1 ISO-8859-1-Windows-3.0-Latin-1 csWindows30Latin1 csWindows30Latin1 ISO-8859-1-Windows-3.1-Latin-1 ISO-8859-1-Windows-3.1-Latin-1 csWindows31Latin1 csWindows31Latin1 ISO-8859-2-Windows-Latin-2 ISO-8859-2-Windows-Latin-2 csWindows31Latin2 csWindows31Latin2 ISO-8859-9-Windows-Latin-5 ISO-8859-9-Windows-Latin-5 csWindows31Latin5 csWindows31Latin5 csMicrosoftPublishing csMicrosoftPublishing Windows-31J Windows-31J csWindows31J csWindows31J PTCP154 PTCP154 csPTCP154 csPTCP154 windows-1250 windows-1250 windows-1251 windows-1251 windows-1252 windows-1252 windows-1253 windows-1253 windows-1254 windows-1254 windows-1255 windows-1255 windows-1256 windows-1256 windows-1257 windows-1257 windows-1258 windows-1258 HTTP-EQUIV HTTP-EQUIV ()@,;:\"./ ()@,;:\"./ ()@,;:\"/[]?= ()@,;:\"/[]?= ()@,;:\"/[]?={} ()@,;:\"/[]?={} Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdThread.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdScheduler.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdServerIOHandlerSocket.pas EIdTCPNoOnExecute EIdTCPNoOnExecute TIdTCPServer TIdTCPServer TIdTCPServerX TIdTCPServerX IdTCPServer IdTCPServer OnExecute OnExecute Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdSchedulerOfThread.pas %s User %s User IdCustomTCPServer IdCustomTCPServer TIdCustomTCPServer TIdCustomTCPServer DefaultPort DefaultPort EIdTCPServerError EIdTCPServerError Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCustomTCPServer.pas CmdDelimiter CmdDelimiter Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas Z:\Projects\CyberGate Excel\Workplace\beta 2.5.2.0\Server\Indy10\Core\IdCommandHandlers.pas 'TIdCmdTCPServerAfterCommandHandlerEvent 'TIdCmdTCPServerAfterCommandHandlerEvent TIdCmdTCPServer TIdCmdTCPServer (TIdCmdTCPServerBeforeCommandHandlerEvent (TIdCmdTCPServerBeforeCommandHandlerEvent IdCmdTCPServer IdCmdTCPServer Displays commands that the servers supports. Displays commands that the servers supports. TIdTCPStream TIdTCPStream IdRead() method of TIdTCPStream class does not support seeking IdRead() method of TIdTCPStream class does not support seeking TIdHTTPProxyTransferMode TIdHTTPProxyTransferMode TIdHTTPProxyServerContextt TIdHTTPProxyServerContextt TIdHTTPProxyServerContext$ TIdHTTPProxyServerContext$ TOnHTTPContextEvent TOnHTTPContextEvent TIdHTTPProxyServerContext TIdHTTPProxyServerContext TOnHTTPDocument TOnHTTPDocument TIdHTTPProxyServer TIdHTTPProxyServer OnHTTPBeforeCommand OnHTTPBeforeCommand OnHTTPResponse OnHTTPResponse OnHTTPDocument OnHTTPDocument HTTP/1.0 HTTP/1.0 HTTP/1.0 200 Connection established HTTP/1.0 200 Connection established HNetCfg.FwMgr HNetCfg.FwMgr HNetCfg.FwAuthorizedApplication HNetCfg.FwAuthorizedApplication PSAPI.dll PSAPI.dll TWebcamThread TWebcamThread Uh.Uk Uh.Uk 789:;
789:;
iphlpapi.dll iphlpapi.dll AllocateAndGetTcpExTableFromStack AllocateAndGetTcpExTableFromStack AllocateAndGetUdpExTableFromStack AllocateAndGetUdpExTableFromStack SetTcpEntry SetTcpEntry GetExtendedTcpTable GetExtendedTcpTable GetExtendedUdpTable GetExtendedUdpTable SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ TSendKey TSendKey sqlite3_bind_blob sqlite3_bind_blob sqlite3_bind_text sqlite3_bind_text sqlite3_bind_double sqlite3_bind_double sqlite3_bind_int sqlite3_bind_int sqlite3_bind_int64 sqlite3_bind_int64 sqlite3_bind_null sqlite3_bind_null sqlite3_bind_parameter_index sqlite3_bind_parameter_index sqlite3_open sqlite3_open sqlite3_close sqlite3_close sqlite3_errmsg sqlite3_errmsg sqlite3_free sqlite3_free sqlite3_prepare_v2 sqlite3_prepare_v2 sqlite3_column_count sqlite3_column_count sqlite3_column_name sqlite3_column_name sqlite3_column_decltype sqlite3_column_decltype sqlite3_step sqlite3_step sqlite3_column_blob sqlite3_column_blob sqlite3_column_bytes sqlite3_column_bytes sqlite3_column_double sqlite3_column_double sqlite3_column_text sqlite3_column_text sqlite3_column_type sqlite3_column_type sqlite3_column_int64 sqlite3_column_int64 sqlite3_finalize sqlite3_finalize sqlite3_reset sqlite3_reset ESQLiteException ESQLiteException TSQLiteDatabaseD TSQLiteDatabaseD TSQLiteTable TSQLiteTable Failed to open database "%s" : %s Failed to open database "%s" : %s Failed to open database "%s" : unknown error Failed to open database "%s" : unknown error Error executing SQL Error executing SQL Could not prepare SQL statement Could not prepare SQL statement Error executing SQL statement Error executing SQL statement SQLite is Busy SQLite is Busy SOFTWARE\Mozilla\Mozilla Firefox SOFTWARE\Mozilla\Mozilla Firefox SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox SOFTWARE\Mozilla\Mozilla Firefox\ SOFTWARE\Mozilla\Mozilla Firefox\ SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\ SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\ 1234567890. 1234567890. mozsqlite3.dll mozsqlite3.dll sqlite3.dll sqlite3.dll mozcrt19.dll mozcrt19.dll msvcr100.dll msvcr100.dll mozglue.dll mozglue.dll mozutils.dll mozutils.dll nspr4.dll nspr4.dll plc4.dll plc4.dll plds4.dll plds4.dll nssutil3.dll nssutil3.dll nss3.dll nss3.dll PK11_GetInternalKeySlot PK11_GetInternalKeySlot \Mozilla\Firefox\profiles.ini \Mozilla\Firefox\profiles.ini \Mozilla\Firefox\ \Mozilla\Firefox\ signons.sqlite signons.sqlite SELECT * FROM moz_logins SELECT * FROM moz_logins encryptedPassword encryptedPassword Microsoft\Network\Connections\pbk\rasphone.pbk Microsoft\Network\Connections\pbk\rasphone.pbk rasapi32.dll rasapi32.dll rnaph.dll rnaph.dll RAS Passwords RAS Passwords SOFTWARE\Microsoft\Windows\CurrentVersion SOFTWARE\Microsoft\Windows\CurrentVersion Ps_Passwords Ps_Passwords advapi32.dll advapi32.dll WindowsLive:name=* WindowsLive:name=* \Mozilla Firefox\ \Mozilla Firefox\ MSVCR100.dll MSVCR100.dll softokn3.dll softokn3.dll userenv.dll userenv.dll profiles.ini profiles.ini \signons3.txt \signons3.txt \signons2.txt \signons2.txt \signons1.txt \signons1.txt \signons.txt \signons.txt ps_SafariPasswordRecovery ps_SafariPasswordRecovery AVURLProtocol_Classic AVURLProtocol_Classic \Apple Computer\Preferences\keychain.plist \Apple Computer\Preferences\keychain.plist \Apple\Apple Application Support\CFNetwork.dll \Apple\Apple Application Support\CFNetwork.dll hXXp:// hXXp:// PTF:// PTF:// *PTF:// *PTF:// hXXps:// hXXps:// Shell.Application Shell.Application hXXp://cyber-sec.org/email/asp/email.php?email= hXXp://cyber-sec.org/email/asp/email.php?email= TMemoryOperation TMemoryOperation %sysdir%\ %sysdir%\ %serverpath%\ %serverpath%\ %sysdir% %sysdir% %serverpath% %serverpath% Proxy Bypass Proxy Bypass ntdll.dll ntdll.dll TPasswordItem TPasswordItem TArrayPasswod TArrayPasswod Crypt32.dll Crypt32.dll shell32.dll shell32.dll Advapi32.dll Advapi32.dll SOFTWARE\MOZILLA\MOZILLA FIREFOX SOFTWARE\MOZILLA\MOZILLA FIREFOX SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main SOFTWARE\MOZILLA\MOZILLA FIREFOX\version.dll\Main select * from moz_logins select * from moz_logins Firefox Firefox SOFTWARE\MOZILLA\MOZILLA FIREFOX\ SOFTWARE\MOZILLA\MOZILLA FIREFOX\ \Flock\Browser\profiles.ini \Flock\Browser\profiles.ini Flock-Firefox Flock-Firefox \1-abc\personal calendar\sqlite3.dll \1-abc\personal calendar\sqlite3.dll \clipdiary\sqlite3.dll \clipdiary\sqlite3.dll \conceptworld\recentx\sqlite3.dll \conceptworld\recentx\sqlite3.dll \darq software\transmute\sqlite3.dll \darq software\transmute\sqlite3.dll \delphish\sqlite3.dll \delphish\sqlite3.dll \ditto\sqlite3.dll \ditto\sqlite3.dll \du meter\sqlite3.dll \du meter\sqlite3.dll \fcleaner\sqlite3.dll \fcleaner\sqlite3.dll \file seeker\sqlite3.dll \file seeker\sqlite3.dll \flashnote\sqlite3.dll \flashnote\sqlite3.dll \flashpaste\sqlite3.dll \flashpaste\sqlite3.dll \gorecord\sqlite3.dll \gorecord\sqlite3.dll \gorecord2\sqlite3.dll \gorecord2\sqlite3.dll \linkcollector portable\sqlite3.dll \linkcollector portable\sqlite3.dll \ma-config.com\sqlite3.dll \ma-config.com\sqlite3.dll \macrovirus\sqlite3.dll \macrovirus\sqlite3.dll \msnsniffer2\sqlite3.dll \msnsniffer2\sqlite3.dll \notecable\sqlite3.dll \notecable\sqlite3.dll \nzbleecher\sqlite3.dll \nzbleecher\sqlite3.dll \outlook express\sqlite3.dll \outlook express\sqlite3.dll \page update watcher\sqlite3.dll \page update watcher\sqlite3.dll \pipi\sqlite3.dll \pipi\sqlite3.dll \qloud\sqlite3.dll \qloud\sqlite3.dll \qloud\winamp\sqlite3.dll \qloud\winamp\sqlite3.dll \qloud\windows media player\sqlite3.dll \qloud\windows media player\sqlite3.dll \recordtheradio\sqlite3.dll \recordtheradio\sqlite3.dll \rightload\sqlite3.dll \rightload\sqlite3.dll \smm\funny sms10\sqlite3.dll \smm\funny sms10\sqlite3.dll \smm\simple mail 7\sqlite3.dll \smm\simple mail 7\sqlite3.dll \spiceworks\bin\sqlite3.dll \spiceworks\bin\sqlite3.dll \spyware-secure\sqlite3.dll \spyware-secure\sqlite3.dll \timelog\sqlite3.dll \timelog\sqlite3.dll \video2webcam\sqlite3.dll \video2webcam\sqlite3.dll \webmarkers\sqlite3.dll \webmarkers\sqlite3.dll \webmediaplayer\sqlite3.dll \webmediaplayer\sqlite3.dll \windows media player\plugins\qloud\sqlite3.dll \windows media player\plugins\qloud\sqlite3.dll \Mozilla Firefox\sqlite3.dll \Mozilla Firefox\sqlite3.dll \VirusGuardPlus\sqlite3.dll \VirusGuardPlus\sqlite3.dll \Safari\sqlite3.dll \Safari\sqlite3.dll \AIMP2\sqlite3.dll \AIMP2\sqlite3.dll \Live-Player\sqlite3.dll \Live-Player\sqlite3.dll \TrustedProtection\sqlite3.dll \TrustedProtection\sqlite3.dll \PCTotalDefender\sqlite3.dll \PCTotalDefender\sqlite3.dll \Common Files\eEye Digital Security\Application Bus\sqlite3.dll \Common Files\eEye Digital Security\Application Bus\sqlite3.dll Windows Live Messenger Windows Live Messenger DynDNS\Updater\config.dyndns DynDNS\Updater\config.dyndns Password= Password= Software\DownloadManager\Passwords Software\DownloadManager\Passwords Software\DownloadManager\Passwords\ Software\DownloadManager\Passwords\ EncPassword EncPassword YLoginWnd YLoginWnd FileZilla\recentservers.xml FileZilla\recentservers.xml FileZilla\sitemanager.xml FileZilla\sitemanager.xml FileZilla\filezilla.xml FileZilla\filezilla.xml .purple\accounts.xml .purple\accounts.xml abe2869f-9b47-4cd9-a358-c22904dba7f7 abe2869f-9b47-4cd9-a358-c22904dba7f7 trillian.ini trillian.ini accounts.ini accounts.ini password password SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian Trillian\trillian.exe Trillian\trillian.exe Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ ###@@@!!! ###@@@!!! IMAP Password IMAP Password IMAP Password: IMAP Password: POP3 Password POP3 Password POP3 Password: POP3 Password: HNetCfg.NATUPnP HNetCfg.NATUPnP StaticPortMappingCollection StaticPortMappingCollection Uh%Fm Uh%Fm TCpuUsageU TCpuUsageU ##,##0.00 ##,##0.00 TNewFTPThreadU TNewFTPThreadU TPasswordU TPasswordU SHFileOperationW SHFileOperationW .hd'n .hd'n .hd*n .hd*n %s %s %s %s Windows NT %d.%d Windows NT %d.%d %s %s Server %s %s Server Unknown Platform ID (%d) Unknown Platform ID (%d) %d.%d %d.%d %s [Build: %d %s [Build: %d - Service Pack: %s - Service Pack: %s KERNEL32.DLL KERNEL32.DLL TIdTCPClientNewp TIdTCPClientNewp TIdTCPClientNew TIdTCPClientNew 1.2.3 1.2.3 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly inflate 1.2.3 Copyright 1995-2005 Mark Adler inflate 1.2.3 Copyright 1995-2005 Mark Adler ?456789:;
?456789:;
!"#$%&'()* ,-./0123 !"#$%&'()* ,-./0123 com.apple.Safari com.apple.Safari com.apple.Safari0123456789ABCDEF com.apple.Safari0123456789ABCDEF 1iu2.iu 1iu2.iu 333333333333333333 333333333333333333 33333833 33333833 3333339 3333339 3333333333333338 3333333333333338 :*"*"$3338 :*"*"$3338 3333333 3333333 33333333 33333333 33333333333 33333333333 3333333333338 3333333333338 33338?383 33338?383 333333333333 333333333333 :*3:"$3338 :*3:"$3338 333333333333333 333333333333333 KWindows KWindows IdStackWindows IdStackWindows Sr_StartWebcam Sr_StartWebcam UrlMon UrlMon UnitWebcamAPI UnitWebcamAPI IdTCPStream IdTCPStream IdTCPServer IdTCPServer Sr_Windows Sr_Windows Cm_Keylogger Cm_Keylogger ~Sr_Ports ~Sr_Ports }Unitsndkey32 }Unitsndkey32 Vps_FireFox3_5 Vps_FireFox3_5 SQLiteTable3 SQLiteTable3 SQLite3 SQLite3 Ps_IEpasswords Ps_IEpasswords ps_URLHistory ps_URLHistory FPs_PasswordRecovery FPs_PasswordRecovery Ps_OperaPasswords Ps_OperaPasswords Sr_MemoryEXE Sr_MemoryEXE Sr_MemoryExecuteFunctions Sr_MemoryExecuteFunctions U_GrabFirefox10 U_GrabFirefox10 YU_GrabFirefox8 YU_GrabFirefox8 6U_GrabFirefox 6U_GrabFirefox \U_GrabChrome \U_GrabChrome U_GrabFirefox15 U_GrabFirefox15 U_Grabfirefox22 U_Grabfirefox22 {IdCmdTCPClient {IdCmdTCPClient SetNamedPipeHandleState SetNamedPipeHandleState GetWindowsDirectoryW GetWindowsDirectoryW GetProcessHeap GetProcessHeap GetCPInfo GetCPInfo CreatePipe CreatePipe RegQueryInfoKeyA RegQueryInfoKeyA RegOpenKeyExW RegOpenKeyExW RegOpenKeyExA RegOpenKeyExA RegOpenKeyW RegOpenKeyW RegOpenKeyA RegOpenKeyA RegFlushKey RegFlushKey RegEnumKeyExW RegEnumKeyExW RegEnumKeyExA RegEnumKeyExA RegDeleteKeyW RegDeleteKeyW RegCreateKeyExW RegCreateKeyExW RegCreateKeyExA RegCreateKeyExA RegCreateKeyW RegCreateKeyW RegCloseKey RegCloseKey CryptImportKey CryptImportKey CryptSetKeyParam CryptSetKeyParam CryptDestroyKey CryptDestroyKey SetViewportOrgEx SetViewportOrgEx GdiplusShutdown GdiplusShutdown ShellExecuteW ShellExecuteW FindExecutableW FindExecutableW SHDeleteKeyW SHDeleteKeyW URLDownloadToFileW URLDownloadToFileW keybd_event keybd_event VkKeyScanW VkKeyScanW UnhookWindowsHookEx UnhookWindowsHookEx SetWindowsHookExW SetWindowsHookExW SetWindowsHookExA SetWindowsHookExA SetKeyboardState SetKeyboardState MsgWaitForMultipleObjects MsgWaitForMultipleObjects MapVirtualKeyW MapVirtualKeyW MapVirtualKeyA MapVirtualKeyA LoadKeyboardLayoutA LoadKeyboardLayoutA GetKeyboardState GetKeyboardState GetKeyboardLayoutList GetKeyboardLayoutList GetKeyboardLayout GetKeyboardLayout GetKeyState GetKeyState GetKeyNameTextA GetKeyNameTextA ExitWindowsEx ExitWindowsEx EnumWindows EnumWindows EnumThreadWindows EnumThreadWindows ActivateKeyboardLayout ActivateKeyboardLayout GetKeyboardType GetKeyboardType FtpPutFileW FtpPutFileW FtpSetCurrentDirectoryW FtpSetCurrentDirectoryW InternetOpenUrlW InternetOpenUrlW InternetOpenUrlA InternetOpenUrlA HttpQueryInfoA HttpQueryInfoA .idata .idata .rdata .rdata P.reloc P.reloc P.rsrc P.rsrc [E.MyFull [E.MyFull -!GA?EXE -!GA?EXE LMsg LMsg AVICAP32.DLL AVICAP32.DLL crypt32.dll crypt32.dll gdi32.dll gdi32.dll gdiplus.dll gdiplus.dll mpr.dll mpr.dll msacm32.dll msacm32.dll powrprof.dll powrprof.dll pstorec.dll pstorec.dll URLMON.DLL URLMON.DLL user32.dll user32.dll version.dll version.dll wininet.dll wininet.dll winmm.dll winmm.dll wsock32.dll wsock32.dll HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT HKEY_CURRENT_USER HKEY_CURRENT_USER HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE HKEY_USERS HKEY_USERS HKEY_CURRENT_CONFIG HKEY_CURRENT_CONFIG Portugal Portugal Turkey Turkey WEBCAM WEBCAM *#%"{}|\^[]` *#%"{}|\^[]` uploadandexecute uploadandexecute uploadandexecuteyes| uploadandexecuteyes| uploadandexecuteno| uploadandexecuteno| webcam|webcamstream| webcam|webcamstream| webcam|webcamstop| webcam|webcamstop| webcamstart webcamstart [Execute] [Execute] KeyDelBackspace KeyDelBackspace CyberGateKeylogger CyberGateKeylogger software\microsoft\windows\currentversion\uninstall\ software\microsoft\windows\currentversion\uninstall\ Invalid Key Name Invalid Key Name Invalid KeyName Invalid KeyName %Username% %Username% %Country% %Country% Úte% Úte% FirstExecution FirstExecution keylogger|keyloggeronlinekey| keylogger|keyloggeronlinekey| keylogger|keyloggerativar|T| keylogger|keyloggerativar|T| keylogger|keyloggerativar|F| keylogger|keyloggerativar|F| webcamlist| webcamlist| webcam webcam filemanager|fmsendftpyes| filemanager|fmsendftpyes| filemanager|fmsendftpno| filemanager|fmsendftpno| FIREFOX2| FIREFOX2| FIREFOX8| FIREFOX8| FIREFOX10| FIREFOX10| FIREFOX15| FIREFOX15| FIREFOX22| FIREFOX22| \Opera\Opera\wand.dat \Opera\Opera\wand.dat OPERA| OPERA| \Google\Chrome\User Data\Default\Login Data \Google\Chrome\User Data\Default\Login Data CHROME| CHROME| \Google\Chrome\User Data\Default\Web Data \Google\Chrome\User Data\Default\Web Data getpasswords getpasswords downexec downexec openweb openweb HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ fmexecnormal fmexecnormal filemanager|fmexecnormal| filemanager|fmexecnormal| fmexechide fmexechide filemanager|fmexechide| filemanager|fmexechide| fmexecparam fmexecparam filemanager|fmexecparam|F| filemanager|fmexecparam|F| filemanager|fmexecparam|T| filemanager|fmexecparam|T| fmsendftp fmsendftp filemanager|fmsendftp| filemanager|fmsendftp| listarportas listarportas listarportas|listadeportasativas| listarportas|listadeportasativas| listarportasdns listarportasdns listarportas|finalizarconexao| listarportas|finalizarconexao| finalizarprocessoportas finalizarprocessoportas listarportas|finalizarprocessoportas|Y| listarportas|finalizarprocessoportas|Y| listarportas|finalizarprocessoportas|N| listarportas|finalizarprocessoportas|N| tecaladoexecutar tecaladoexecutar webcamconfig webcamconfig keylogger keylogger keylogger|keyloggeronlinestart| keylogger|keyloggeronlinestart| keylogger|keyloggeronlinestop| keylogger|keyloggeronlinestop| keyloggerativar keyloggerativar keyloggerdesativar keyloggerdesativar keyloggerbaixar keyloggerbaixar keylogger|keyloggerbaixar| keylogger|keyloggerbaixar| keylogger|keyloggerbaixar|NOLOGS keylogger|keyloggerbaixar|NOLOGS keyloggerexcluir keyloggerexcluir keylogger|keyloggerexcluir| keylogger|keyloggerexcluir| keyloggeronlinestart keyloggeronlinestart keyloggeronlinestop keyloggeronlinestop chromepass chromepass chromepass| chromepass| keysearch keysearch keysearch|NO keysearch|NO keysearch|YES keysearch|YES sendkeyswindow sendkeyswindow enviarlogskey enviarlogskey enviarlogskey| enviarlogskey| rar.exe rar.exe rarreg.key rarreg.key vs.vbs vs.vbs bs.bat bs.bat memoryexecoperation memoryexecoperation TeamViewer.exe TeamViewer.exe TeamViewer_Resource.dll TeamViewer_Resource.dll TV.dll TV.dll x.html x.html Windows 3.1 Windows 3.1 Windows 95 (Release 2) Windows 95 (Release 2) Windows 95 Windows 95 Windows 98 SE Windows 98 SE Windows 98 Windows 98 Windows ME Windows ME Windows 8 Windows 8 Windows 7 Windows 7 Windows Vista Windows Vista Windows XP Professional x64 Windows XP Professional x64 Windows XP Home Windows XP Home Windows XP Professional Windows XP Professional Windows 2000 Professional Windows 2000 Professional Windows 2008 Windows 2008 Windows 2003 Server Datacenter Windows 2003 Server Datacenter Windows 2003 Server Enterprise Windows 2003 Server Enterprise Windows 2003 Server Web Edition Windows 2003 Server Web Edition Windows 2003 Server Windows 2003 Server Windows Home Server Windows Home Server Windows 2003 Server (Release 2) Windows 2003 Server (Release 2) Windows 2000 Server Datacenter Windows 2000 Server Datacenter Windows 2000 Server Enterprise Windows 2000 Server Enterprise Windows 2000 Server Web Edition Windows 2000 Server Web Edition Windows 2000 Server Windows 2000 Server Windows NT 4.0 Server Datacenter Windows NT 4.0 Server Datacenter Windows NT 4.0 Server Enterprise Windows NT 4.0 Server Enterprise Windows NT 4.0 Server Web Edition Windows NT 4.0 Server Web Edition Windows NT 4.0 Server Windows NT 4.0 Server SelfDelete.bat SelfDelete.bat Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\RunOnce Software\Microsoft\Windows\CurrentVersion\RunOnce Software\Microsoft\Windows NT\CurrentVersion\Windows Software\Microsoft\Windows NT\CurrentVersion\Windows SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run explorer.exe explorer.exe \Microsoft\Windows\ \Microsoft\Windows\ CYBERGATEPASS CYBERGATEPASS k4l1m3r4.publicvm.com k4l1m3r4.publicvm.com wins10up.16-b.it wins10up.16-b.it UIAutomsslwin.moneyhome.biz UIAutomsslwin.moneyhome.biz c0pywins.is-not-certified.com c0pywins.is-not-certified.com UIAutomh1h1tl3r.click UIAutomh1h1tl3r.click -certified.com -certified.com %USECRYPTER% %USECRYPTER% 2.5.2.0 2.5.2.0 webcamlizUB8dknwCPERSIST webcamlizUB8dknwCPERSIST ertified.com ertified.com PTF.ftpserver.com PTF.ftpserver.com ftpuser ftpuser ftppass ftppass pong|35953|Borrador Memorial de Aportaci pong|35953|Borrador Memorial de Aportaci hXXp://VVV.myserver.com/serverplugin.srv hXXp://VVV.myserver.com/serverplugin.srv hXXp://VVV.somehosting.com/tagger.php hXXp://VVV.somehosting.com/tagger.php C @ JAIME].ini C @ JAIME].ini Express.xlsx Express.xlsx ache_idx.db!018 ache_idx.db!018 Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs Global\C::Users:crackmen:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version% DisableKeyboardD?id=%ID%&name=%Username% @ %PCName%&version=%Version% ques y ahorro.pdfn ques y ahorro.pdfn example@email.com example@email.com No help keyword specified. No help keyword specified. No help found for %s#No context-sensitive help installed$No topic-based help system installed No help found for %s#No context-sensitive help installed$No topic-based help system installed Alt Clipboard does not support Icons/Menu '%s' is already being used by another form Alt Clipboard does not support Icons/Menu '%s' is already being used by another form Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters Unsupported clipboard format Unsupported clipboard format Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid. Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid. Reply Code is not valid: %s Reply Code is not valid: %s Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event. Reply Code already exists: %s Thread must be specified for the scheduler.!You must have an OnExecute event. Command not supported. Command not supported. Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d) Address type not supported."%d: Circular links are not allowed"Not enough data in buffer. (%d/%d) File "%s" not found File "%s" not found Object type not supported. Object type not supported. %s is not a valid IPv6 address:The requested IPVersion / Address family is not supported. %s is not a valid IPv6 address:The requested IPVersion / Address family is not supported. Set Size Exceeded.)UDP is not support in this SOCKS version. Set Size Exceeded.)UDP is not support in this SOCKS version. Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids. Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids. Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d) Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d) Connection Closed Gracefully.;Could not bind socket. Address and port are already in use. Connection Closed Gracefully.;Could not bind socket. Address and port are already in use. Invalid Port Range (%d - %d) Invalid Port Range (%d - %d) %s is not a valid service. %s is not a valid service. "Operation not supported on socket. "Operation not supported on socket. Protocol family not supported.0Address family not supported by protocol family. Protocol family not supported.0Address family not supported by protocol family. Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice. Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice. Operation would block. Operation would block. Operation now in progress. Operation now in progress. Operation already in progress. Operation already in progress. Socket operation on non-socket. Socket operation on non-socket. Protocol not supported. Protocol not supported. Socket type not supported. Socket type not supported. Invalid destination array"Character index out of bounds (%d) Invalid destination array"Character index out of bounds (%d) Start index out of bounds (%d) Start index out of bounds (%d) Invalid count (%d) Invalid count (%d) Invalid destination index (%d) Invalid destination index (%d) Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s) Invalid codepage (%d)-Error on call to Winsock2 library function %s&Error on loading Winsock2 library (%s) Resolving hostname %s. Resolving hostname %s. Connecting to %s. Connecting to %s. Socket Error # %d Socket Error # %d List capacity out of bounds (%d) List capacity out of bounds (%d) List count out of bounds (%d) List count out of bounds (%d) List index out of bounds (%d) Out of memory while expanding memory stream List index out of bounds (%d) Out of memory while expanding memory stream Error reading %s%s%s: %s Error reading %s%s%s: %s Failed to get data for '%s' Failed to get data for '%s' Resource %s not found Resource %s not found %s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group %s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group Property %s does not exist Property %s does not exist Thread creation error: %s Thread creation error: %s Thread Error: %s (%d) Thread Error: %s (%d) Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread Class %s not found Class %s not found A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates Cannot create file "%s". %s Cannot create file "%s". %s Cannot open file "%s". %s Cannot open file "%s". %s Invalid stream format$''%s'' is not a valid component name Invalid stream format$''%s'' is not a valid component name Invalid data type for '%s' Invalid data type for '%s' Ancestor for '%s' not found Ancestor for '%s' not found Cannot assign a %s to a %s Cannot assign a %s to a %s Interface not supported Interface not supported %s (%s, line %d) %s (%s, line %d) Abstract Error?Access violation at address %p in module '%s'. %s of address %p Abstract Error?Access violation at address %p in module '%s'. %s of address %p System Error. Code: %d. System Error. Code: %d. Invalid variant operation%Invalid variant operation (%s%.8x) Invalid variant operation%Invalid variant operation (%s%.8x) %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s) %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s) Operation not supported Operation not supported External exception %x External exception %x Invalid pointer operation Invalid pointer operation Invalid class typecast0Access violation at address %p. %s of address %p Invalid class typecast0Access violation at address %p. %s of address %p Operation aborted(Exception %s in module %s at %p. Operation aborted(Exception %s in module %s at %p. Application Error1Format '%s' invalid or incompatible with argument Application Error1Format '%s' invalid or incompatible with argument No argument for format '%s'"Variant method calls not supported No argument for format '%s'"Variant method calls not supported !'%s' is not a valid integer value('%s' is not a valid floating point value !'%s' is not a valid integer value('%s' is not a valid floating point value I/O error %d I/O error %d Integer overflow Invalid floating point operation Integer overflow Invalid floating point operation xtp.exe_2764:
.text .text `.rdata `.rdata @.data @.data .rsrc .rsrc @.reloc @.reloc s%j.Zf s%j.Zf 8crtsu 8crtsu :crts :crts crts crts .ku`8iu~fiu .ku`8iu~fiu GetProcessWindowStation GetProcessWindowStation operator operator uxtheme.dll uxtheme.dll kernel32.dll kernel32.dll operand of unlimited repeat could match the empty string operand of unlimited repeat could match the empty string POSIX named classes are supported only within a class POSIX named classes are supported only within a class erroffset passed as NULL erroffset passed as NULL POSIX collating elements are not supported POSIX collating elements are not supported this version of PCRE is not compiled with PCRE_UTF8 support this version of PCRE is not compiled with PCRE_UTF8 support PCRE does not support \L, \l, \N{name}, \U, or \u PCRE does not support \L, \l, \N{name}, \U, or \u support for \P, \p, and \X has not been compiled support for \P, \p, and \X has not been compiled this version of PCRE is not compiled with PCRE_UCP support this version of PCRE is not compiled with PCRE_UCP support ICMP.DLL ICMP.DLL advapi32.dll advapi32.dll RegDeleteKeyExW RegDeleteKeyExW Error text not found (please report) Error text not found (please report) WSOCK32.dll WSOCK32.dll VERSION.dll VERSION.dll WINMM.dll WINMM.dll COMCTL32.dll COMCTL32.dll MPR.dll MPR.dll InternetCrackUrlW InternetCrackUrlW HttpQueryInfoW HttpQueryInfoW HttpOpenRequestW HttpOpenRequestW HttpSendRequestW HttpSendRequestW FtpOpenFileW FtpOpenFileW FtpGetFileSize FtpGetFileSize InternetOpenUrlW InternetOpenUrlW WININET.dll WININET.dll PSAPI.DLL PSAPI.DLL USERENV.dll USERENV.dll GetProcessHeap GetProcessHeap CreatePipe CreatePipe GetWindowsDirectoryW GetWindowsDirectoryW KERNEL32.dll KERNEL32.dll OpenWindowStationW OpenWindowStationW SetProcessWindowStation SetProcessWindowStation CloseWindowStation CloseWindowStation MapVirtualKeyW MapVirtualKeyW EnumChildWindows EnumChildWindows EnumWindows EnumWindows VkKeyScanW VkKeyScanW GetKeyState GetKeyState GetKeyboardState GetKeyboardState SetKeyboardState SetKeyboardState GetAsyncKeyState GetAsyncKeyState keybd_event keybd_event EnumThreadWindows EnumThreadWindows ExitWindowsEx ExitWindowsEx UnregisterHotKey UnregisterHotKey RegisterHotKey RegisterHotKey GetKeyboardLayoutNameW GetKeyboardLayoutNameW USER32.dll USER32.dll SetViewportOrgEx SetViewportOrgEx GDI32.dll GDI32.dll COMDLG32.dll COMDLG32.dll RegOpenKeyExW RegOpenKeyExW RegCloseKey RegCloseKey RegCreateKeyExW RegCreateKeyExW RegEnumKeyExW RegEnumKeyExW RegDeleteKeyW RegDeleteKeyW ADVAPI32.dll ADVAPI32.dll ShellExecuteW ShellExecuteW SHFileOperationW SHFileOperationW ShellExecuteExW ShellExecuteExW SHELL32.dll SHELL32.dll ole32.dll ole32.dll OLEAUT32.dll OLEAUT32.dll GetCPInfo GetCPInfo zcÁ zcÁ L.aVFY) L.aVFY) .ijjrc .ijjrc g%D`- g%D`- sssh6 sssh6 uW.MW uW.MW 3.3/464(5,5054585 3.3/464(5,5054585 8 8$8(8,808 8 8$8(8,808 = =$=(=,=0=4=8=
= =$=(=,=0=4=8=
0 0$0(0,0004080
0 0$0(0,0004080
:*;3;?;|; :*;3;?;|; 11 11 2 323[3.5 2 323[3.5 ? ?@?`? ? ?@?`? = =$=(=,=0=4= = =$=(=,=0=4= 5 5$5(5,5054585 5 5$5(5,5054585 mscoree.dll mscoree.dll nKERNEL32.DLL nKERNEL32.DLL - Attempt to initialize the CRT more than once. - Attempt to initialize the CRT more than once. - CRT not initialized - CRT not initialized - floating point support not loaded - floating point support not loaded WUSER32.DLL WUSER32.DLL CMDLINERAW CMDLINERAW CMDLINE CMDLINE /AutoIt3ExecuteLine /AutoIt3ExecuteLine /AutoIt3ExecuteScript /AutoIt3ExecuteScript %s (%d) : ==> %s.: %s (%d) : ==> %s.: Line %d: Line %d: Line %d (File "%s"): Line %d (File "%s"): %s (%d) : ==> %s: %s (%d) : ==> %s: AutoIt script files (*.au3, *.a3x) AutoIt script files (*.au3, *.a3x) *.au3;*.a3x *.au3;*.a3x All files (*.*) All files (*.*) #NoAutoIt3Execute #NoAutoIt3Execute APPSKEY APPSKEY Line %d: Line %d: 04090000 04090000 %u.%u.%u.%u %u.%u.%u.%u 0.0.0.0 0.0.0.0 Mddddd Mddddd %s (%d) : ==> %s: %s (%d) : ==> %s: UDPSTARTUP UDPSTARTUP UDPSHUTDOWN UDPSHUTDOWN UDPSEND UDPSEND UDPRECV UDPRECV UDPOPEN UDPOPEN UDPCLOSESOCKET UDPCLOSESOCKET UDPBIND UDPBIND TRAYGETMSG TRAYGETMSG TCPSTARTUP TCPSTARTUP TCPSHUTDOWN TCPSHUTDOWN TCPSEND TCPSEND TCPRECV TCPRECV TCPNAMETOIP TCPNAMETOIP TCPLISTEN TCPLISTEN TCPCONNECT TCPCONNECT TCPCLOSESOCKET TCPCLOSESOCKET TCPACCEPT TCPACCEPT SHELLEXECUTEWAIT SHELLEXECUTEWAIT SHELLEXECUTE SHELLEXECUTE REGENUMKEY REGENUMKEY MSGBOX MSGBOX ISKEYWORD ISKEYWORD HTTPSETUSERAGENT HTTPSETUSERAGENT HTTPSETPROXY HTTPSETPROXY HOTKEYSET HOTKEYSET GUIREGISTERMSG GUIREGISTERMSG GUIGETMSG GUIGETMSG GUICTRLSENDMSG GUICTRLSENDMSG GUICTRLRECVMSG GUICTRLRECVMSG FTPSETPROXY FTPSETPROXY \??\%s \??\%s GUI_RUNDEFMSG GUI_RUNDEFMSG SendKeyDelay SendKeyDelay SendKeyDownDelay SendKeyDownDelay TCPTimeout TCPTimeout AUTOITCALLVARIABLE%d AUTOITCALLVARIABLE%d 255.255.255.255 255.255.255.255 Keyword Keyword AutoIt.Error AutoIt.Error Null Object assignment in FOR..IN loop Null Object assignment in FOR..IN loop Incorrect Object type in FOR..IN loop Incorrect Object type in FOR..IN loop HOTKEYPRESSED HOTKEYPRESSED AUTOITEXE AUTOITEXE WINDOWSDIR WINDOWSDIR 3, 3, 8, 1 3, 3, 8, 1 HKEY_LOCAL_MACHINE HKEY_LOCAL_MACHINE HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT HKEY_CURRENT_CONFIG HKEY_CURRENT_CONFIG HKEY_CURRENT_USER HKEY_CURRENT_USER HKEY_USERS HKEY_USERS %d/d/d %d/d/d C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\xtp.exe C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo C:\Users\"%CurrentUserName%"\AppData\Roaming\irq\jcb-nuo AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention. AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention. Missing operator in expression."Unbalanced brackets in expression. Missing operator in expression."Unbalanced brackets in expression. Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line. Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line. Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement. Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement. Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables. Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables. 3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner. 3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner. Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement. Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement. String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword. String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword. hXXp://VVV.autoitscript.com/autoit3/ hXXp://VVV.autoitscript.com/autoit3/ AutoIt3.exe AutoIt3.exe
0xx
0xx