Worm.Win32.AutoItGen_dd43973ddd



by malwarelabrobot on May 22nd, 2017 in Malware Descriptions.

Trojan-Spy.MSIL (Ikarus), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: dd43973ddd86a9f7333c6c145bc31ee9
SHA1: 59aeb650b717c7ca1900547b7764bcf9307b5857
SHA256: 670e9121b873d1b8acb83bf7575fd8bc805c411da2d1ceb6d5b730728e25839c
SSDeep: 98304:HPVReU7aEnMEsF/Kmkc9LccuCx9La5FDmMPcLqyQ5ZOQrlynxbi1v1jWpaBfmsvq:7DpkKqBa5 05jZSxbi19jPVHtp8h
Size: 7286849 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-03-31 18:09:55
Analyzed on: Windows7 SP1 32-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives. That is the vendor's automated classification; the Propagation section below is empty and no replication to network shares or removable drives was recorded in this run. What the run actually shows is an installer (the .ndata section and the nss8046.tmp temp file are characteristic of NSIS) that drops a compiled AutoIt executable and a Java archive; the AutoIt executable then persists through the HKCU Run key and injects a .NET remote-access payload into RegAsm.exe.

Payload

The automated scan found no specific payload, but the strings dumped from RegAsm.exe:2904 (Orcus.exe, Orcus.Commands.LiveKeylogger, Orcus.Commands.HVNC, Orcus.Commands.Webcam, Orcus.Commands.Console, PasswordRecoveryCommand, SetWindowsHookEx with WH_KEYBOARD_LL) identify the injected code as an Orcus RAT client: keylogging, hidden-desktop (HVNC) remote control, webcam capture, stored-password recovery, a remote console and download-and-execute commands. The dropper between the installer and the RAT is a compiled AutoIt script (RSBot Cracked.exe) carrying a WinSCP 5.9.3 version resource as a disguise; RSBot and OSBot are names of game-bot clients, and the OSBot 2.4.121.jar launched under javaw.exe is consistent with the lure the file name promises.

Process activity

The Worm creates the following process(es):

csc.exe:2916
cvtres.exe:1004
RSBot Cracked.exe:1776
%original file name%.exe:1908

The Worm injects its code into the following process(es). RegAsm.exe is the signed .NET Framework assembly-registration tool and a common host for hollowed .NET payloads; the csc.exe and cvtres.exe processes listed above are spawned by it when the injected code compiles C# source at runtime (System.CodeDom.Compiler and Microsoft.CSharp appear in its strings), which is what produces the wm0en9no.* files under %Temp%: RegAsm.exe writes the .0.cs source and .cmdline response file, csc.exe compiles them into wm0en9no.dll.

RegAsm.exe:2904
javaw.exe:316
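The process tree above is the most durable detection opportunity in this report: a .NET framework tool started with no assembly argument by a binary in %Temp%, followed by csc.exe compiling a response file out of %Temp%. The following is an added example (not part of the Lavasoft report or of any tool it names) that runs that logic over a constructed Sysmon-style event set. The PIDs, image names and file writes come from the report; the parent/child links, the user name "victim", the Downloads location of the original sample and the exact csc.exe command line are assumptions.

```python
"""Process-tree detection for the dropper -> RegAsm.exe -> csc.exe chain in
this report. Added example, not part of the Lavasoft report. The events
below are constructed from the PIDs, image names and file writes the report
lists; the parent/child links are an assumption (the report does not state
them) chosen to match the usual AutoIt-dropper/RegAsm hollowing pattern."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str                      # full image path
    parent_pid: Optional[int]
    cmdline: str = ""
    file_writes: List[str] = field(default_factory=list)


TEMP = r"C:\Users\victim\AppData\Local\Temp"          # assumed user name
NETFX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed event set mirroring the report's process list.
SAMPLE_EVENTS = [
    ProcEvent(1908, r"C:\Users\victim\Downloads\sample.exe", None,
              file_writes=[TEMP + r"\RSBot Cracked.exe", TEMP + r"\OSBot 2.4.121.jar"]),
    ProcEvent(316, r"C:\Program Files\Java\jre6\bin\javaw.exe", 1908,
              cmdline=f'javaw.exe -jar "{TEMP}\\OSBot 2.4.121.jar"'),
    ProcEvent(1776, TEMP + r"\RSBot Cracked.exe", 1908,
              file_writes=[r"C:\Users\victim\AppData\Roaming\WindowsHost\WindowsHostService.exe"]),
    ProcEvent(2904, NETFX + r"\RegAsm.exe", 1776, cmdline="RegAsm.exe",
              file_writes=[TEMP + r"\wm0en9no.0.cs", TEMP + r"\wm0en9no.cmdline"]),
    ProcEvent(2916, NETFX + r"\csc.exe", 2904,
              cmdline=f'csc.exe /noconfig /fullpaths @"{TEMP}\\wm0en9no.cmdline"',
              file_writes=[TEMP + r"\wm0en9no.dll"]),
    ProcEvent(1004, NETFX + r"\cvtres.exe", 2916),
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
# Parents that legitimately spawn csc.exe (build tools, PowerShell Add-Type).
DEV_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbc.exe", "csc.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def has_args(cmdline: str) -> bool:
    """True when anything follows the image name on the command line."""
    parts = cmdline.split(None, 1)
    return len(parts) > 1 and parts[1].strip() != ""


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs, sorted, for every event matching a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        name = basename(e.image)
        # 1. RegAsm.exe with no assembly argument, started by something living
        #    in a user-writable directory: the hollowing-host pattern.
        if name == "regasm.exe" and parent and in_user_writable(parent.image) \
                and not has_args(e.cmdline):
            hits.append((e.pid, "regasm-hollowing-host"))
        # 2. csc.exe not under a build tool, compiling a response file from %Temp%.
        if name == "csc.exe" and parent and basename(parent.image) not in DEV_TOOLS:
            cl = e.cmdline.lower()
            if ".cmdline" in cl and "\\temp\\" in cl:
                hits.append((e.pid, "runtime-csharp-compilation"))
        # 3. A binary running from a user-writable directory that writes a PE
        #    into AppData\Roaming (staging a persistent copy).
        if in_user_writable(e.image) and any(
                w.lower().endswith(".exe") and "\\appdata\\roaming\\" in w.lower()
                for w in e.file_writes):
            hits.append((e.pid, "drops-pe-to-roaming"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 is the one worth keeping in a production ruleset: RegAsm.exe, RegSvcs.exe, MSBuild.exe and AppLaunch.exe are all used the same way, and a legitimate invocation always carries an assembly path. Rule 2 will fire on PowerShell Add-Type unless the parent allow-list covers it, which is why powershell.exe is in DEV_TOOLS.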

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process csc.exe:2916 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.dll (5062 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC86FA.tmp (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.out (396 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC86FA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES86FB.tmp (0 bytes)

The process cvtres.exe:1004 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES86FB.tmp (3762 bytes)

The process RegAsm.exe:2904 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.out (438 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.0.cs (28756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB83A.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB838.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB839.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.cmdline (343 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB837.tmp (51 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.0.cs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB83A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB838.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB839.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB837.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.tmp (0 bytes)

The process RSBot Cracked.exe:1776 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsHost\WindowsHostService.exe (22336 bytes)

The process %original file name%.exe:1908 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RSBot Cracked.exe (55178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\OSBot 2.4.121.jar (179028 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss8046.tmp (0 bytes)

Registry activity

The process RegAsm.exe:2904 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

The process RSBot Cracked.exe:1776 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
To run again at every logon of the current user, the Worm registers the dropped copy under the HKCU Run key, using the value name "Microsoft Corporation" so the entry passes for a vendor component in a casual review of autoruns:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Corporation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsHost\WindowsHostService.exe"

The process %original file name%.exe:1908 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry (Internet Settings ZoneMap values of this kind are rewritten by WinINet/urlmon initialisation in many benign programs, so on their own they are weak indicators):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
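The Run-key entry above combines three things a responder can check mechanically: a value name that imitates a vendor rather than naming a product, a target in a user-writable directory, and a path fragment that is a direct IOC from this report. The following is an added example (not part of the Lavasoft report) that applies those checks to a .reg export so it runs offline; the export text is constructed for the example, with an assumed user name "victim" and two ordinary entries added for contrast. On a live host you would feed it the output of reg export of the HKCU and HKLM Run keys.

```python
r"""Persistence check for the HKCU Run entry described in this report.
Added example, not part of the Lavasoft report. It parses a .reg export
(constructed below, not a real export) rather than the live registry so it
runs offline; on a Windows host feed it the output of
  reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg"""
import re
from typing import Dict, List

# Constructed sample: two ordinary entries plus the one from this report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Microsoft Corporation"="C:\\Users\\victim\\AppData\\Roaming\\WindowsHost\\WindowsHostService.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)

# Value names that imitate a vendor rather than naming a product.
VENDOR_WORDS = {"microsoft", "corporation", "windows", "google", "adobe", "inc", "ltd"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Report-specific IOC: the dropped copy of RSBot Cracked.exe.
IOC_PATH_FRAGMENTS = ("\\windowshost\\windowshostservice.exe",)


def unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_keys(text: str) -> List[Dict[str, str]]:
    """Return every value under a ...\CurrentVersion\Run key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            exe = EXE_RE.match(data)
            entries.append({"key": key, "name": name, "data": data,
                            "path": exe.group(1) if exe else data})
    return entries


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """List the findings that apply to one Run entry."""
    path = entry["path"].lower()
    reasons = []
    if not path.startswith(TRUSTED_ROOTS) and \
            any(w in VENDOR_WORDS for w in re.split(r"\W+", entry["name"].lower())):
        reasons.append("vendor-name-masquerade")
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("user-writable-path")
    if any(frag in path for frag in IOC_PATH_FRAGMENTS):
        reasons.append("ioc-match")
    return reasons


def suspicious_run_entries(text: str, min_reasons: int = 2) -> List[Dict[str, object]]:
    """Entries with at least min_reasons findings, most suspicious first."""
    hits = []
    for e in parse_run_keys(text):
        r = reasons_for(e)
        if len(r) >= min_reasons:
            hits.append({"key": e["key"], "name": e["name"], "path": e["path"], "reasons": r})
    return sorted(hits, key=lambda h: -len(h["reasons"]))


if __name__ == "__main__":
    for h in suspicious_run_entries(SAMPLE_REG):
        print(f'{h["key"]}\\"{h["name"]}" -> {h["path"]}  [{", ".join(h["reasons"])}]')
```

The threshold of two findings is deliberate: plenty of legitimate software (OneDrive in the sample) autoruns from AppData, so "user-writable-path" alone is noise, but a vendor-looking value name pointing into AppData\Roaming has no honest explanation.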

Dropped PE files

MD5 File path
2842d8ad8045b94825513b83985d10a7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RSBot Cracked.exe
2842d8ad8045b94825513b83985d10a7 c:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsHost\WindowsHostService.exe

The identical hash shows that WindowsHostService.exe is a byte-for-byte copy of RSBot Cracked.exe (the AutoIt dropper), so one hash covers both the staging file and the persistent copy. No dropped PE is listed for the Orcus payload itself; it is observed only inside RegAsm.exe, and the 5062-byte wm0en9no.dll that csc.exe produces is a runtime-compiled helper, not the RAT.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23482 23552 4.48952 399636e1cf123faa9dc0c1c1ed9a4a52
.rdata 28672 4592 4608 3.65683 f359cd50555a06c1946c9624440c5811
.data 36864 155860 1024 3.57555 b6778f27be20a78cfc5e0496758eda32
.ndata 196608 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 371272 371712 1.7905 7e44aec05d32f07d52c20ef0d5ced3d6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 62.140.236.163
windows-host997.ddns.net 144.217.242.133
dns.msftncsi.com 131.107.255.255

Of these, only windows-host997.ddns.net (resolving to 144.217.242.133 at analysis time) is attributable to the malware: a dynamic-DNS hostname is a common way for an Orcus operator to point the client at a home connection, and the name matches the "WindowsHost" directory used for persistence. The authrootstl.cab downloads are Windows CryptoAPI fetching the trusted-root certificate list (note the User-Agent Microsoft-CryptoAPI/6.1 in the capture below and the CryptnetUrlCache entries under RegAsm.exe file activity), and dns.msftncsi.com is the Network Connectivity Status Indicator probe; both are background OS traffic and should not be treated as indicators.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86407
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Wed, 19 Apr 2017 22:43:31 GMT
Accept-Ranges: bytes
ETag: "80ab755e5eb9d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 52608
Date: Sun, 21 May 2017 18:02:16 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2
[response body: a Microsoft cabinet (MSCF header) containing authroot.stl, the signed trusted-root certificate list; binary content omitted]

<<< skipped >>>

The Worm connects to the servers at the following location(s): see the URL table above.

Strings from Dumps

javaw.exe_316:

.text
`.rdata
@.data
.rsrc
/Xusage.txt
-Djava.class.path=%s
Unable to locate JRE meeting specification "%s"
1.6.0_18-b07
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Syntax error in version specification "%s"
Invalid or corrupt jarfile %s
Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=true
option[-] = '%s'
ignoreUnrecognized is %s,
sun.jnu.encoding
isSupported
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
A %c separated list of directories, JAR archives,
load Java programming language agent, see java.lang.instrument
The default VM is %s%s
is a synonym for the "%s" VM [deprecated]
to select the "%s" VM
Usage: %s [-options] class [args...]
(to execute a class)
or %s [-options] -jar jarfile [args...]
(to execute a jar file)
Can't open %s
Could not find the main class: %s. Program will exit.
Failed to load Main Class: %s
Could not find the main class: %s. Program will exit.
argv[-] = '%s'
Apps' argc is %d
Main-Class is '%s'
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
%s requires class path specification
%s full version "%s"
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s<-
Warning: unknown VM type on line %d of `%s'
Warning: missing server class VM on line %d of `%s'
Warning: missing VM alias on line %d of `%s'
Warning: missing VM type on line %d of `%s'
Warning: no leading - on line %d of `%s'
Error: could not open `%s'
\jvm.cfg
\bin\splashscreen.dll
%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Failed reading value of registry key:
Software\JavaSoft\Java Runtime Environment\%s\JavaHome
Error opening registry key 'Software\JavaSoft\Java Runtime Environment\%s'
Registry key 'Software\JavaSoft\Java Runtime Environment\CurrentVersion'
has value '%s', but '1.6' is required.
Error opening registry key 'Software\JavaSoft\Java Runtime Environment'
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.awt.warmup
Unable to resolve path to current %s executable: %s
CreateProcess(%s, ...) failed: %s
ReExec Args: %s
ReExec Command: %s (%s)
ExecJRE: new: %s
ExecJRE: old: %s
Error: could not find java.dll
JRE path is %s
%s\jre\bin\java.dll
%s\bin\java.dll
Error loading: %s
CRT path is %s
\bin\msvcr71.dll
EnsureJreInstallation:%s:load failed
\bin\jkernel.dll
EnsureJreInstallation:<%s>:not found
EnsureJreInstallation:unsupported platform
Error: can't find JNI interfaces in: %s
JVM path is %s
\bin\awt.dll
\bin\java.dll
\bin\verify.dll
Error: no `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
before: "%s"
after : "%s"
META-INF/MANIFEST.MF
1.1.3
inflate 1.1.3 Copyright 1995-1998 Mark Adler
mscoree.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
C:\BUILD_~1\jdk6_18\control\build\WINDOW~1\tmp\java\javaw\obj\javaw.pdb
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
ADVAPI32.dll
USER32.dll
GetCPInfo
KERNEL32.dll
%Program Files%\Java\jre6\bin\javaw.exe
<assemblyIdentity version="6.0.180.7"
name="javaw.exe"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
6.0.180.7
javaw.exe

RSBot Cracked.exe_1776:

.text
`.rdata
@.data
.rsrc
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
uxtheme.dll
kernel32.dll
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
ICMP.DLL
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
USERENV.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
#NoAutoIt3Execute
APPSKEY
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
%s (%d) : ==> %s:
UDPSTARTUP
UDPSHUTDOWN
UDPSEND
UDPRECV
UDPOPEN
UDPCLOSESOCKET
UDPBIND
TRAYGETMSG
TCPSTARTUP
TCPSHUTDOWN
TCPSEND
TCPRECV
TCPNAMETOIP
TCPLISTEN
TCPCONNECT
TCPCLOSESOCKET
TCPACCEPT
SHELLEXECUTEWAIT
SHELLEXECUTE
REGENUMKEY
MSGBOX
ISKEYWORD
HTTPSETUSERAGENT
HTTPSETPROXY
HOTKEYSET
GUIREGISTERMSG
GUIGETMSG
GUICTRLSENDMSG
GUICTRLRECVMSG
FTPSETPROXY
\??\%s
GUI_RUNDEFMSG
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
3, 3, 8, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RSBot Cracked.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
WinSCP: SFTP, FTP, WebDAV and SCP client
5.9.3.7136
winscp.exe
5.9.3.0
hXXps://winscp.net/

RegAsm.exe_2904:

.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
System.Drawing.Size
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
<supportedRuntime version="v4.0" />
<supportedRuntime version="v2.0.50727" />
<supportedRuntime version="v4.0.30319" sku=".NETFramework,Version=v4.0,Profile=Client" />
v2.0.50727
Orcus.exe
System.Core
System.Windows.Forms
Orcus.Shared
Orcus.Plugins
Orcus.StaticCommands
System.Drawing
System.ServiceModel
System.ServiceProcess
Microsoft.Win32.TaskScheduler
System.DirectoryServices.AccountManagement
System.Management
System.Xml
starksoft.aspen
Orcus.Shared.Utilities
AForge.Video.DirectShow
AForge.Video
System.Speech
SharpDX.Direct3D9
SharpDX.DXGI
SharpDX.Direct3D11
Lidgren.Network
ICSharpCode.SharpZipLib
System.Web.Extensions
System.Security
advapi32.dll
gdi32.dll
iphlpapi.dll
kernel32.dll
setupapi.dll
shell32.dll
user32.dll
User32.dll
msvcrt.dll
Srclient.dll
ntdll.dll
Shlwapi.dll
winmm.dll
Wintrust.dll
Kernel32.dll
shlwapi.dll
Orcus.Commands.TextChat.TextChatForm.resources
Orcus.InstallationPromptForm.resources
Orcus.MainForm.resources
Orcus.Properties.Resources.resources
Orcus.StaticCommands.SystemLock.SystemLockForm.resources
costura.microsoft.win32.taskscheduler.dll.zip
costura.orcus.plugins.dll.zip
costura.orcus.shared.dll.zip
costura.orcus.shared.utilities.dll.zip
costura.orcus.staticcommands.dll.zip
costura.starksoft.aspen.dll.zip
.cctor
System.ComponentModel
.ctor
System.Resources
Orcus.Shared.Settings
System.Net
TcpClient
System.Net.Sockets
get_Port
System.Runtime.CompilerServices
System.Threading
System.Collections.Generic
System.IO
System.Diagnostics
System.Linq
System.Globalization
Orcus.Shared.Client
<>9__8_0
<>9__8_1
<>9__8_2
<KeyLoggerService>k__BackingField
<AsyncOperation>k__BackingField
AsyncOperation
IClientOperator
KeyloggerBuilderProperty
System.Reflection
get_KeyLoggerService
get_AsyncOperation
set_AsyncOperation
Orcus.Shared.NetSerializer
Orcus.Shared.Commands.ExceptionHandling
AsyncOperationManager
CreateOperation
KeyLoggerService
Orcus.StaticCommands.System
Orcus.Plugins.StaticCommands
get_WallpaperUrl
Orcus.Shared.Commands.FunActions
RequestKeyLogCommandEx
RequestKeyLogCommand
Orcus.StaticCommands.Client
PasswordRecoveryCommandEx
PasswordRecoveryCommand
PasswordData
Orcus.Shared.Commands.Password
Orcus.Shared.Connection
_closeWindowsTimer
_closeWindowsInterval
get_CloseOtherWindows
StartExecute
StopExecute
System.Runtime.InteropServices
CloseWindowsCallback
System.Security.Cryptography
set_WindowStyle
ProcessWindowStyle
UpdateFromUrlCommandEx
UpdateFromUrlCommand
WebClient
get_DownloadUrl
UriSchemeHttp
set_Port
Orcus.StaticCommands.SystemLock
System.Drawing.Drawing2D
System.Drawing.Text
<>9__10_0
<>9__10_1
<>9__10_2
<>9__10_3
<>9__10_4
Orcus.Service
<Pipe>k__BackingField
IServicePipe
NetNamedPipeBinding
System.ServiceModel.Channels
get_Pipe
Pipe
<>9__0_0
Orcus.Protection
RegistryKey
Microsoft.Win32
OpenSubKey
get_RegistryKeyName
System.Collections
<>9__2_0
<>9__3_0
<>9__7_0
Orcus.Plugins.ClientPlugin
Orcus.Shared.Core
Orcus.Plugins.PropertyGrid
Orcus.Plugins.Builder
System.IO.Compression
<>9__22_0
<>9__22_1
<>9__22_2
<>9__22_3
<>9__22_4
<>9__23_0
<>9__23_1
Orcus.Extensions
_is64BitOperatingSystem
get_Is64BitOperatingSystem
System.Text
get_WindowsFolder
Is64BitOperatingSystem
WindowsFolder
System.Drawing.Imaging
Orcus.Shared.Commands.Registry
Orcus.StaticCommandManagement
Orcus.Shared.DynamicCommands
<ExecutingCommand>k__BackingField
get_ExecutingCommand
GetLastLogin
System.Xml.Serialization
KeyValuePair`2
get_Key
<ExecuteActiveCommand>b__0
<ExecuteActiveCommand>b__1
<ExecuteActiveCommand>b__2
<>9__14_0
DownloadAndExecuteCommand
DownloadAndExecuteFromUrlCommand
OpenWebsiteCommand
Orcus.StaticCommands.Computer
Orcus.StaticCommands.Interaction
ContainsKey
get_ExecutionEvent
add_ExecutionStopped
ActiveStaticCommandOnExecutionStopped
<>9__6_0
<>9__6_1
<>9__19_0
<>9__27_0
<.ctor>b__6_0
<.ctor>b__6_1
<ExecuteCommand>b__0
<ExecutePotentialCommand>b__0
<ExecutePotentialCommand>b__1
<ActiveStaticCommandOnExecutionStopped>b__0
_executionEvents
_executePotentialCommandDelegate
IExecutionEvent
Orcus.Shared.DynamicCommands.ExecutionEvents
get_CanExecute
<>9__4_0
<>9__4_1
<.ctor>b__4_0
<.ctor>b__4_1
IdleExecutionEvent
Orcus.StaticCommandManagement.ExecutionEvents
_executeAtDateTime
System.Timers
CanExecute
DateTimeExecutionEvent
Orcus.Properties
System.CodeDom.Compiler
System.Configuration
Orcus.Native
hKey
RegOpenKeyEx
subKey
ProcessHandle
GetExtendedTcpTable
pTcpTable
GetExtendedUdpTable
System.Runtime.ConstrainedExecution
uCmd
LoadKeyboardLayout
GetKeyboardLayout
EnumThreadWindows
EnumWindows
keybd_event
GetKeyState
vKey
uVirtKey
lpbKeyState
lpwTransKey
lpKeyState
GetKeyboardState
pbKeyState
SetWindowsHookEx
UnhookWindowsHookEx
GetProcessWindowStation
EnumDesktopWindows
EnumChildWindows
nCmdShow
MapVirtualKey
processHandle
EnumWindowsProc
EnumDesktopWindowsProc
KEYBOARD
uMsg
KEYBDINPUT
KEYEVENTF
EXTENDEDKEY
KEYUP
MapVirtualKeyMapTypes
dwWindowStatus
Init_ByExeName
Open_ByExeName
DDEIfExec
DelegateExecute
SupportedUriProtocols
GetWindow_Cmd
WH_KEYBOARD
WH_SYSMSGFILTER
WH_KEYBOARD_LL
KeyboardHookStruct
VirtualKeyCode
MIB_TCPROW_OWNER_PID
localPort1
localPort2
localPort3
localPort4
remotePort1
remotePort2
remotePort3
remotePort4
get_LocalPort
get_RemotePort
LocalPort
RemotePort
MIB_TCPTABLE_OWNER_PID
MIB_UDPROW_OWNER_PID
MIB_UDPTABLE_OWNER_PID
TCP_TABLE_CLASS
TCP_TABLE_BASIC_LISTENER
TCP_TABLE_BASIC_CONNECTIONS
TCP_TABLE_BASIC_ALL
TCP_TABLE_OWNER_PID_LISTENER
TCP_TABLE_OWNER_PID_CONNECTIONS
TCP_TABLE_OWNER_PID_ALL
TCP_TABLE_OWNER_MODULE_LISTENER
TCP_TABLE_OWNER_MODULE_CONNECTIONS
TCP_TABLE_OWNER_MODULE_ALL
TernaryRasterOperations
UDP_TABLE_CLASS
UDP_TABLE_BASIC
UDP_TABLE_OWNER_PID
UDP_TABLE_OWNER_MODULE
VKEYTOITEM
SETHOTKEY
GETHOTKEY
KEYFIRST
KEYDOWN
SYSKEYDOWN
SYSKEYUP
KEYLAST
IME_KEYLAST
CTLCOLORMSGBOX
IME_KEYDOWN
IME_KEYUP
HOTKEY
Orcus.Native.Shell
Orcus.Native.Display
DeviceKey
DISPLAYCONFIG_OUTPUT_TECHNOLOGY_DISPLAYPORT_EXTERNAL
DISPLAYCONFIG_OUTPUT_TECHNOLOGY_DISPLAYPORT_EMBEDDED
ClientOperator
Orcus.Core
Orcus.Plugins.IClientOperator.get_DatabaseConnection
Orcus.Plugins.IClientOperator.DatabaseConnection
PortableLibrary
portableLibrary
System.Text.RegularExpressions
PortableLibraryNameAttribute
PortableLibraryMatch
<>9__9_1
<>9__9_2
<>9__9_3
<>9__11_0
<>9__11_3
<>9__11_4
Orcus.Connection
Orcus.Shared.Communication
Orcus.Plugins.IClientInfo.get_ServerConnection
Orcus.Plugins.IClientInfo.get_ClientOperator
get_ClientOperator
System.Net.Security
Starksoft.Aspen.Proxy
set_ProxyPort
get_ProxyPort
RemoteCertificateValidationCallback
System.Security.Authentication
tcpClient
UserCertificateValidationCallback
X509Certificate
System.Security.Cryptography.X509Certificates
certificate
KeyDatabase
GetKey
Orcus.Plugins.IClientInfo.ServerConnection
Orcus.Plugins.IClientInfo.ClientOperator
OperatingSystem
set_OperatingSystemName
get_OperatingSystemName
set_OperatingSystemType
GetSubKeyNames
RegistryKeyPermissionCheck
System.Net.NetworkInformation
<>9__1_0
<>9__1_1
<>9__1_2
<>9__1_3
ImportPlugin
<TcpClient>k__BackingField
get_TcpClient
Orcus.Shared.Compression
PortableLibraryInfo
Orcus.Shared.Utilities.Compression
Orcus.Connection.Args
Orcus.Config
<KeyLogFile>k__BackingField
get_ExecutablePath
get_KeyLogFile
Orcus.Plugins.IPathInformation.get_ExceptionFile
Orcus.Plugins.IPathInformation.get_PluginsDirectory
Orcus.Plugins.IPathInformation.get_ApplicationPath
Orcus.Plugins.IPathInformation.get_FileTransferTempDirectory
Orcus.Plugins.IPathInformation.get_PotentialCommandsDirectory
Orcus.Plugins.IPathInformation.get_StaticCommandPluginsDirectory
Orcus.Plugins.IPathInformation.get_SendToServerPackages
Orcus.Plugins.IPathInformation.get_KeyLogFile
Orcus.Plugins.IPathInformation.get_LibrariesDirectory
KeyLogFile
Orcus.Plugins.IPathInformation.ExceptionFile
Orcus.Plugins.IPathInformation.PluginsDirectory
Orcus.Plugins.IPathInformation.ApplicationPath
Orcus.Plugins.IPathInformation.FileTransferTempDirectory
Orcus.Plugins.IPathInformation.PotentialCommandsDirectory
Orcus.Plugins.IPathInformation.StaticCommandPluginsDirectory
Orcus.Plugins.IPathInformation.SendToServerPackages
Orcus.Plugins.IPathInformation.KeyLogFile
Orcus.Plugins.IPathInformation.LibrariesDirectory
Orcus.Shared.Encryption
Orcus.Utilities
Orcus.Shared.Commands.ClipboardManager
get_Msg
Cert
RevocationCheckEndCert
pwszURLReference
Orcus.Shared.Csv
ErrorReporter
ReportError
port
CopyPixelOperation
WindowsIdentity
System.Security.Principal
WindowsPrincipal
WindowsBuiltInRole
Orcus.Utilities.KeyLogger
KeyboardHook
WM_KEYDOWN
WM_SYSKEYDOWN
WM_KEYUP
WM_SYSKEYUP
_keyboardDelegate
_keyboardHookHandle
_keyProcessing
KeyDown
KeyEventHandler
KeyUp
_keyProcessing_StringDown
_keyProcessing_StringUp
add_KeyDown
remove_KeyDown
add_KeyUp
remove_KeyUp
KeyEventArgs
Keys
KeyboardHookProc
_keyboardHook
_keyLog
KeyLog
Orcus.Shared.Commands.Keylogger
TryPushKeyLog
_keyLog_Saved
SpecialKeyType
KeyLogEntry
SpecialKey
StandardKey
WriteSpecialKey
_keyboardHook_StringUp
_keyboardHook_StringDown
get_KeyLog
PushKeyLog
KeysToSpecialKey
KeyProcessing
_deadKeys
_deadKeyOver
_lastWasDeadKey
OnKeyActionFurtherProcessing2
ProcessKeyAction
MyGetKeyboardState
IsPrintableKey
IsDeadKey
get_ModifierKeys
Orcus.Utilities.WindowsDesktop
VMW_EXECUTE_MENU
Orcus.Shared.Commands.RemoteDesktop
SC_KEYMENU
SC_HOTKEY
WindowStyles
System.Collections.Specialized
m_windows
GetWindows
DesktopWindowsProc
<>9__44_0
<GetWindows>b__44_0
Orcus.Commands.WindowsCustomizer
registryKey
CreateSubKey
WindowsPropertyInfo`1
System.Linq.Expressions
Orcus.Commands.WindowsCustomizer.IWindowsPropertyInfo.get_Value
Orcus.Commands.WindowsCustomizer.IWindowsPropertyInfo.set_Value
Orcus.Commands.WindowsCustomizer.IWindowsPropertyInfo.Value
IWindowsPropertyInfo
WindowsCustomizerCommand
_windowsPropertyInfos
WindowsCustomizerCommunication
Orcus.Shared.Commands.WindowsCustomizer
set_IsWindows10Enabled
IsWindows10
Orcus.Commands.WindowsCustomizer.Core
get_DisplayWindowsVersion
set_DisplayWindowsVersion
get_WindowSnap
set_WindowSnap
DeleteSubKey
DisplayWindowsVersion
WindowSnap
get_EnableWinKeys
set_EnableWinKeys
get_DoErrorReport
set_DoErrorReport
EnableWinKeys
DoErrorReport
Windows10
Orcus.Commands.WindowManager
Orcus.Shared.Commands.WindowManager
GetAllWindows
GetChildWindows
<GetChildWindows>d__1
System.IDisposable.Dispose
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.WindowManager.WindowInformation>.get_Current
NotSupportedException
System.Collections.IEnumerator.Reset
System.Collections.IEnumerator.get_Current
System.Collections.Generic.IEnumerable<Orcus.Shared.Commands.WindowManager.WindowInformation>.GetEnumerator
System.Collections.IEnumerable.GetEnumerator
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.WindowManager.WindowInformation>.Current
System.Collections.IEnumerator.Current
WebcamCommand
Orcus.Commands.Webcam
_webcamSettings
WebcamSettings
Orcus.Shared.Commands.Webcam
WebcamCommunication
WebcamInfo
Orcus.Shared.Data
<>9__11_2
WebcamResolution
<>9__11_1
Orcus.Commands.UserInteraction
Orcus.Shared.Commands.UserInteraction
System.Speech.Synthesis
System.Collections.ObjectModel
Orcus.Commands.UninstallPrograms
Orcus.Shared.Commands.UninstallPrograms
<>3__registryKey
<subKey>5__1
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.UninstallPrograms.UninstallableProgram>.get_Current
System.Collections.Generic.IEnumerable<Orcus.Shared.Commands.UninstallPrograms.UninstallableProgram>.GetEnumerator
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.UninstallPrograms.UninstallableProgram>.Current
Orcus.Commands.TextChat
Orcus.Shared.Commands.TextChat
get_KeyCode
set_SuppressKeyPress
MessageTextBox_KeyDown
Orcus.Commands.TextChat.Utilities
Orcus.Commands.TaskManager
Orcus.Shared.Commands.TaskManager
<>9__5_0
<>9__5_6
Orcus.Commands.SystemRestore
Orcus.Shared.Commands.SystemRestore
Orcus.Commands.StartupManager
Orcus.Shared.Commands.StartupManager
GetAutostartProgramsFromRegistryKey
GetRegistryKeyFromAutostartLocation
GetDisabledSubKey
CreateDisabledSubKey
Orcus.Commands.RegistryExplorer
RegistrySubKey
GetRegistrySubKeys
RegistrySubKeysPackage
set_RegistrySubKeys
DeleteSubKeyTree
RegistrySubKeyAction
set_Key
Orcus.Commands.MessageBox
Orcus.Shared.Commands.MessageBox
Orcus.Commands.LivePerformance
Orcus.Shared.Commands.LivePerformance
GetCpuSpeedInGHz
<>9__2_1
LiveKeyloggerCommand
Orcus.Commands.LiveKeylogger
LiveKeyloggerCommunication
Orcus.Shared.Commands.LiveKeylogger
Orcus.Commands.HVNC
Orcus.Shared.Commands.HVNC
Orcus.Commands.HiddenApplication
Orcus.Shared.Commands.HiddenApplication
set_Windows
get_Windows
Orcus.Commands.FunActions
Microsoft.CSharp
set_GenerateExecutable
InvalidOperationException
KeyboardLayout
SetKeyboardLayout
MyEnumThreadWindowsProc
WindowsModules
Orcus.Commands.EventLog
Orcus.Shared.Commands.EventLog
Orcus.Commands.Console
_cmdProcess
Orcus.Shared.Commands.Console
set_UseShellExecute
CmdProcess_OutputDataReceived
Orcus.Commands.ComputerInformation
Orcus.Shared.Commands.ComputerInformation
OperatingSystemInformation
set_AdminPasswordStatus
set_ProductKey
GetOperatingSystemInformation
set_SupportedLanguages
IWebProxy
get_OperationalStatus
OperationalStatus
WebException
Join
AdminPasswordStatusToString
<>9__3_7
<>9__4_2
regKey
<GetOperatingSystemInformation>b__0
<GetOperatingSystemInformation>b__1
<GetOperatingSystemInformation>b__2
<GetOperatingSystemInformation>b__3
<GetOperatingSystemInformation>b__4
<GetOperatingSystemInformation>b__5
<GetOperatingSystemInformation>b__6
<GetOperatingSystemInformation>b__7
Orcus.Commands.Code
Orcus.Shared.Commands.Code
Microsoft.VisualBasic
<>9__0_1
Orcus.Commands.Audio
Orcus.Shared.Commands.Audio
CSCore.CoreAudioAPI
CSCore.SoundOut
get_IsSupportedOnCurrentPlatform
CSCore.DirectSound
CSCore.Codecs.MP3
System.Web.Script.Serialization
<>9__0_5
Orcus.Commands.AudioVolumeControl
Orcus.Shared.Commands.AudioVolumeControl
CSCore.Win32
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.AudioVolumeControl.AudioDevice>.get_Current
System.Collections.Generic.IEnumerable<Orcus.Shared.Commands.AudioVolumeControl.AudioDevice>.GetEnumerator
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.AudioVolumeControl.AudioDevice>.Current
Orcus.Commands.ActiveConnections
Orcus.Shared.Commands.ActiveConnections
MIB_TCP_STATE_ESTAB
MIB_TCP_STATE_TIME_WAIT
MIB_TCP_STATE_LISTEN
MIB_TCP_STATE_CLOSE_WAIT
GetUdpConnections
GetTcpConnections
set_LocalPort
set_RemotePort
<GetUdpConnections>b__4_0
<GetTcpConnections>b__5_0
WindowsDriversCommand
Orcus.Commands.WindowsDrivers
WindowsDriversCommunication
Orcus.Shared.Commands.WindowsDrivers
WindowsDriversFile
windowsDriversFile
Orcus.Commands.VoiceChat
Orcus.Shared.Commands.VoiceChat
Orcus.Commands.VoiceChat.Utilities
CSCore.Streams
CSCore.SoundIn
OpusWrapper.Native
Orcus.Commands.ReverseProxy
<Port>k__BackingField
Port
Orcus.Shared.Commands.ReverseProxy
Orcus.Commands.ReverseProxy.Args
<LocalPort>k__BackingField
localPort
Orcus.Commands.RemoteDesktop
DoKeyboardAction
RemoteDesktopKeyboardAction
keyboardAction
get_SupportsStream
<>9__13_0
<>9__13_1
<>9__13_2
<.ctor>b__13_0
<.ctor>b__13_1
<.ctor>b__13_2
Orcus.Commands.RemoteDesktop.Compression
Orcus.Commands.RemoteDesktop.Capture
get_IsSupported
IsSupported
Orcus.Commands.RemoteDesktop.Capture.GDI
<IsSupported>k__BackingField
Orcus.Commands.RemoteDesktop.Capture.FrontBuffer
SharpDX.Mathematics.Interop
Orcus.Commands.RemoteDesktop.Capture.DesktopDuplication
IsWindows8OrNewer
DropAndExecuteCommand
Orcus.Commands.DropAndExecute
DropAndExecuteCommunication
Orcus.Shared.Commands.DropAndExecute
get_ExecutionMode
_renderWindows
StopExecution
set_AllWindows
get_NewWindows
get_UpdatedWindows
<>9__12_0
<>9__12_1
Orcus.Commands.DeviceManager
System.Collections.Generic.IEnumerator<Orcus.Commands.DeviceManager.HardwareHelper.TemporaryDeviceInfo>.get_Current
System.Collections.Generic.IEnumerable<Orcus.Commands.DeviceManager.HardwareHelper.TemporaryDeviceInfo>.GetEnumerator
System.Collections.Generic.IEnumerator<Orcus.Commands.DeviceManager.HardwareHelper.TemporaryDeviceInfo>.Current
Orcus.Shared.Commands.DeviceManager
Orcus.Commands.ConnectionInitializer
Orcus.Shared.DataTransferProtocol
Orcus.Shared.Commands.ConnectionInitializer
UdpConnectionInformation
set_UdpConnectionInformation
get_UdpConnectionInformation
InitializeUdpLanConnection
InitializeTcpLanConnection
Orcus.Shared.Utilities.STUN
UdpHolePunchingFeedback
InitializeUdpPunchHolingConnection
ConnectUdpPunchHolingConnection
TcpConnection
_tcpClient
<SupportsStream>k__BackingField
SupportsStream
UdpHolePunchingConnection
UdpLanConnection
Orcus.Commands.Passwords
IPasswordRecovery
GetPasswords
RecoveredPassword
PasswordsCommand
set_Passwords
get_Passwords
RecoverPasswords
Orcus.Commands.Passwords.Utilities
set_Password
set_PasswordType
PasswordType
Passwords
set_HttpOnly
KeyDecoder
GetWindowsProductKey
DecodeProductKey
DecodeProductKeyWin8AndUp
HiveKeys
Microsoft.Win32.SafeHandles
PlatformNotSupportedException
OpenBaseKey
EnumerateSubKeys
RegistryKeyExtensions
keyName
OpenReadonlySubKeySafe
OpenWritableSubKeySafe
GetFormattedKeyValues
<GetFormattedKeyValues>b__0
keyVal
<GetFormattedKeyValues>b__4_1
<GetFormattedKeyValues>d__4
<>3__key
System.Collections.Generic.IEnumerator<System.String>.get_Current
System.Collections.Generic.IEnumerable<System.String>.GetEnumerator
System.Collections.Generic.IEnumerator<System.String>.Current
RegistryKeyHelper
AddRegistryKeyValue
OpenReadonlySubKey
DeleteRegistryKeyValue
SQLiteHandler
_sqlDataTypeSize
sqlite_master_entry
sql_statement
Orcus.Commands.Passwords.Applications.Yandex
Orcus.Commands.Passwords.Applications.WinSCP
<GetPasswords>d__0
<key>5__1
<accountKey>5__2
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.Password.RecoveredPassword>.get_Current
System.Collections.Generic.IEnumerable<Orcus.Shared.Commands.Password.RecoveredPassword>.GetEnumerator
System.Collections.Generic.IEnumerator<Orcus.Shared.Commands.Password.RecoveredPassword>.Current
keyf
Windows
Orcus.Commands.Passwords.Applications.Windows
Orcus.Commands.Passwords.Applications.Pidgin
<password>5__1
Opera
Orcus.Commands.Passwords.Applications.Opera
Orcus.Commands.Passwords.Applications.JDownloader
Orcus.Commands.Passwords.Applications.InternetExplorer
KeyStr
DecryptIePassword
GetUrlHashString
wstrUrl
DoesUrlMatchWithHash
urlHash
ExplorerUrlHistory
_urlHistoryList
_urlHistory
pocsUrl
QueryUrl
STATURLEnumerator
_staturl
GetUrlHistory
<GetPasswords>d__1
<urlHistory>5__3
ADDURL_FLAG
Orcus.Commands.Passwords.Applications.InternetExplorer.Native
ADDURL_ADDTOHISTORYANDCACHE
ADDURL_ADDTOCACHE
IEnumSTATURL
IUrlHistoryStg
AddUrl
DeleteUrl
lpSTATURL
get_EnumUrls
EnumUrls
IUrlHistoryStg2
AddUrlAndNotify
System.Collections.IComparer.Compare
System.Runtime.InteropServices.ComTypes
STATURL
pwcsUrl
get_URL
get_UrlString
UrlString
STATURLFLAGS
STATURLFLAG_ISCACHED
STATURLFLAG_ISTOPLEVEL
STATURL_QUERYFLAGS
STATURL_QUERYFLAG_ISCACHED
STATURL_QUERYFLAG_NOURL
STATURL_QUERYFLAG_NOTITLE
STATURL_QUERYFLAG_TOPLEVEL
UrlHistoryClass
SHGFI_EXETYPE
UrlCanonicalize
pszUrl
CannonializeURL
shlwapi_URL
URL_DONT_SIMPLIFY
URL_ESCAPE_PERCENT
URL_ESCAPE_SPACES_ONLY
URL_ESCAPE_UNSAFE
URL_PLUGGABLE_PROTOCOL
URL_UNESCAPE
Orcus.Commands.Passwords.Applications.FileZilla
<GetPasswords>b__1_0
CoreFtp
Orcus.Commands.Passwords.Applications.CoreFTP
DecryptCoreFtpPassword
Chrome
Orcus.Commands.Passwords.Applications.Chrome
MozillaDecryptor
Orcus.Commands.Passwords.Applications.Mozilla
_privateKey
<PasswordList>k__BackingField
passwordList
get_PasswordList
set_PasswordList
<Initialize>g__CheckPassword7_4
password
PasswordList
<>9__7_1
<>9__7_2
<>9__7_3
<>9__7_5
<>9__7_6
Firefox
FirefoxLogins
logins
LoginData
encryptedPassword
formSubmitURL
httprealm
passwordField
timePasswordChanged
<Keys>k__BackingField
get_Keys
get_Password
<GetPasswords>b__0
<GetPasswords>b__1
Orcus.Commands.Passwords.Applications.Mozilla.Cryptography
MozillaPBE
<MasterPassword>k__BackingField
<Key>k__BackingField
masterPassword
get_MasterPassword
MasterPassword
PasswordCheck
<Passwordcheck>k__BackingField
get_Passwordcheck
set_Passwordcheck
Passwordcheck
Orcus.Commands.FileExplorer
Orcus.Shared.Commands.FileExplorer
ICSharpCode.SharpZipLib.Tar
ICSharpCode.SharpZipLib.Zip
ICSharpCode.SharpZipLib.GZip
ICSharpCode.SharpZipLib.Zip.Compression.Streams
ICSharpCode.SharpZipLib.BZip2
ICSharpCode.SharpZipLib.LZW
ProgressHandler
ICSharpCode.SharpZipLib.Core
reportCompressionStatus
set_AESKeySize
ReportCompressionStatus
<>9__4_7
WindowsThumbnailProvider
<>9__1_4
<.ctor>b__13_18
<.ctor>b__13_19
<.ctor>b__13_20
<.ctor>b__13_21
<.ctor>b__13_24
<.ctor>b__13_25
<.ctor>b__13_29
WebHeaderCollection
<.ctor>b__13_32
<.ctor>b__13_37
<.ctor>g__RemoveProcessingEntry13_38
<.ctor>b__1
<.ctor>b__4
<.ctor>b__12
<.ctor>b__14
<.ctor>b__15
<.ctor>b__22
<.ctor>b__23
<.ctor>b__26
<.ctor>b__27
<.ctor>b__30
<.ctor>b__31
webClient
<.ctor>b__33
<.ctor>b__34
<.ctor>b__35
<.ctor>b__39
<.ctor>b__40
<.ctor>b__41
<>9__13_3
<>9__13_5
<>9__13_6
<>9__13_7
<>9__13_8
<>9__13_9
<>9__13_10
<>9__13_11
<>9__13_13
<>9__13_16
<>9__13_17
<>9__13_28
<>9__13_36
<>9__13_42
<>9__13_43
<>9__16_0
<.ctor>b__13_3
<.ctor>b__13_5
<.ctor>b__13_6
<.ctor>b__13_7
<.ctor>b__13_8
<.ctor>b__13_9
get_Hotkey
<.ctor>b__13_10
<.ctor>b__13_11
ShellLibrary.Native
PropertyKey
get_PropertyKey
<.ctor>b__13_13
<.ctor>b__13_16
<.ctor>b__13_17
<.ctor>b__13_28
<.ctor>b__13_36
<.ctor>b__13_42
<.ctor>b__13_43
Orcus.Commands.ClipboardManager
<>9__9_0
<.ctor>b__9_0
Orcus.Commands.ClientCommands
Orcus.Shared.Commands.ClientCommands
Orcus.CommandManagement
<>9__3_1
<.ctor>b__3_0
<.ctor>b__3_1
<ExecuteCommand>b__1
_executionLockObject
<ServicePipe>k__BackingField
get_ServicePipe
ServicePipe
GetExecutingAssembly
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
14.0.0.0
$43826d1e-e718-42ee-bc55-a1e261c37bfe
$bcc18b79-ba16-442f-80c4-8a59c30c463b
$3C374A42-BAE4-11CF-BF7D-00AA006946EE
$3C374A41-BAE4-11CF-BF7D-00AA006946EE
$AFA0DC11-C313-11D0-831A-00C04FD5AE38
$3C374A40-BAE4-11CF-BF7D-00AA006946EE
$3601a898-0fe1-4710-ac30-2e6c417f46bd
1.0.0.0
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
_CorExeMain
mscoree.dll
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
Specifying requestedExecutionLevel element will disable file and registry virtualization.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- A list of the Windows versions that this application has been tested on and is
is designed to work with. Uncomment the appropriate elements and Windows will
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
<!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need
to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should
also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
$this.Icon
Orcus is a Remote Administration Tool for Windows. It allows the administrator to make changes to the system remotely. You should only install this client from sources you trust.
Orcus is a Remote Administration Tool for Windows. It allows the administrator to make changes to this system remotely.
.orcusInstallation
Activating keylogger
ping 127.0.0.1 > nul
https
net.pipe://localhost/69e001dd06a44ff1b3260a75a6f10381/OrcusUtilities
Orcus.Service.exe.gz
WindowsInput
WindowsInput.exe
WinInput.exe
WinInp.exe
Input.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Orcus.Watchdog.exe.gz
.config
*.new
schedulerInfo.xml
*.PotentialCommand
Orcus.Properties.Resources
^(?<name>(. ?))(_(?<number>([0-9]{1,2})))?\.dll
*.dll
(_(?<number>([0-9]{1,2})))?\.dll
@=<VY]BUQM{sp&hH%xbLJcUd/2sWgR YA&-_Z>/$skSXZR!:(yZ5!>t>ZxaPTrS[Z/'R,ssg'.&4yZN?S)My :QV2(c&x/TU]Yq2?g?*w7*r@pmh
Windows 3.1
Win32 Windows
Windows 7
Windows 8
Windows 10
Windows CE
SELECT Caption FROM Win32_OperatingSystem
win32_logicaldisk.deviceid="
case FromAdministrationPackage.GetActiveWindow
case FromAdministrationPackage.GetScreen
klg_{0}.dat
err_{0}.dat
{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
{0}{1}{0}{2}
notepad.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Keyboard Hook Dispose
Automatic Key Log
Requested Key Log
SysShadow
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Software\Policies\Microsoft\Windows\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
{031E4825-7B94-4dc3-B131-E946B44C8DD5}
Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}
Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
{645FF040-5081-101B-9F08-00AA002F954E}
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoWinKeys
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\PCHealth\ErrorReporting
DoReport
IncludeWindowsApps
DisablePagingExecutive
SOFTWARE\Policies\Microsoft\Windows\Psched
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter
God-Mode.{ED7BA470-8E54-465E-825C-99712043E01C}
SOFTWARE\Policies\Microsoft\Windows\Personalization
SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
SOFTWARE\Policies\Microsoft\Windows\Explorer
SOFTWARE\Microsoft\Windows NT\CurrentVersion\MCI32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
[{0} {1}]: {2}
\\.\root\default
desktop.ini
..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Supplied file must be a .LNK file
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
System.dll
System.Core.dll
using System.Diagnostics;
using System.Runtime.InteropServices;
[DllImport("ntdll.dll", SetLastError = true)]
Process.EnterDebugMode();
NtSetInformationProcess(Process.GetCurrentProcess().Handle, BreakOnTermination, ref isCritical, sizeof(int));
Environment.Exit(0);
wallpaper.bmp
shutdown.exe
The graphics mode is not supported (BADMOVE)
cmd.exe
00000000
Software\Microsoft\Windows\CurrentVersion\Policies\System
Safe mode without network support
Safe mode with network support
^[0-9](\.[0-9]{1,3})?
hXXps://api.ipify.org/
(.{2})(.{2})(.{2})(.{2})(.{2})(.{2})
$1:$2:$3:$4:$5:$6
00:00:00:00:00:00
Pipelined Burst SRAM
AdminPasswordStatus
System.Windows.Forms.dll
System.Xml.dll
System.Xml.Linq.dll
Orcus.CodeExecution
Provided pixel format "{0}" is not supported
regedit.exe
RemoteDesktopUdpHolePunching
stun.l.google.com
origin_url
password_value
host_key
httponly
Software\Microsoft\Windows NT\CurrentVersion
Microsoft.Win32.SafeHandles.SafeRegistryHandle
The platform or operating system must be Windows 2000 or later.
{0}||{1}
SQLite format 3
Not a valid SQLite 3 Database File
Auto-vacuum capable database is not supported
Yandex\YandexBrowser\User Data\Default\Login Data
Password
PublicKeyFile
PortNumber
[PRIVATE KEY LOCATION: "{0}"]
Product Key
.purple\accounts.xml
Opera Software\Opera Stable\Cookies
Opera Software\Opera Stable\Login Data
JDownloader v2.0\cfg\org.jdownloader.settings.AccountSettings.accounts.ejs
"(?<hoster>(. ?))" : \[\ \{. ?"password" : "(?<password>(.*?))".*?"user" : "(?<userName>(.*?))".*?"statusString" : "(?<status>(.*?))"
FileZilla\recentservers.xml
<Pass encoding="base64">
<Host>(?<host>(.*?))</Host>\s*<Port>(?<port>([0-9]{1,4}?))</Port>.*?<User>(?<login>(.*?))</User>.*?<Pass encoding="base64">(?<password>(.*?))</Pass>
login
<Host>(?<host>(.*?))</Host>\s*<Port>(?<port>([0-9]{1,4}?))</Port>.*?<User>(?<login>(.*?))</User>
CoreFtp/sites.idx
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\{0}
CoreFTP
Google\Chrome\User Data\Default\Cookies
Google Chrome
Google\Chrome\User Data\Default\Login Data
key3.db
password-check
Mozilla\Firefox\Profiles
cookies.sqlite
Mozilla Firefox
logins.json
signons.sqlite
moz_logins
00061561
00000002
Mozilla Thunderbird
.tar.gz
.tar.bz2
.tar.lzw
7E9FB0D3-919F-4307-AB2E-9B1860310C93
System.IsPinnedToNameSpaceTree
music.library-ms
videos.library-ms
documents.library-ms
pictures.library-ms
imageres.dll
DownloadFileFromUrl
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
72C24DD5-D70A-438B-8A42-98424B88AFB8
{0}, {1}
Hotkey
Occurred while executing command "{0}" (Command ID: {1})
*.nfo
rundll32.exe
URL.DLL,FileProtocolHandler "{0}"
microsoft.win32.taskscheduler
orcus.plugins
orcus.shared
orcus.shared.utilities
orcus.staticcommands

RegAsm.exe_2904_rwx_00850000_00010000:

%sihFvi

RegAsm.exe_2904_rwx_03EA0000_00003000:

.KgZY
Q.KgZY


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    csc.exe:2916
    cvtres.exe:1004
    RSBot Cracked.exe:1776
    %original file name%.exe:1908

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.dll (5062 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC86FA.tmp (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.out (396 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES86FB.tmp (3762 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.0.cs (28756 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB83A.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB838.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (344 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB839.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wm0en9no.cmdline (343 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB837.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsHost\WindowsHostService.exe (22336 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RSBot Cracked.exe (55178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\OSBot 2.4.121.jar (179028 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Corporation" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsHost\WindowsHostService.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
