MD5: d38e0d7d42d8d909ce968c8dc2c07d0e
SHA1: 723724f78a88b58385fa58011d7a2c0a4cdff5f9
SHA256: d18270e64878ee38d67a61220d9b45ba32bea5a720871ec3c00415ec63cb78fb
SSDeep: 196608:lwlHVXklOzEYAB6kyntdBmKMwq ygSOjLKmP4y/ua80:lwlH5gOzA61dzq y0mmN/t
Size: 6326279 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Xacti, LLC
Created at: 2007-03-31 18:09:36
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

DRIVER~1.EXE:3784
%original file name%.exe:4008
Sentry.exe:2340
DriverVideodialog1.exe:2072

The Trojan injects its code into the following process(es):

DRIVER~1.EXE:3980
Sentry_MBA.exe:2012

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process DRIVER~1.EXE:3980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\python27.dll (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\_ctypes.pyd (90 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\Crypto.Cipher._AES.pyd (32 bytes)

The process DRIVER~1.EXE:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\_ctypes.pyd (118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\Microsoft.VC90.CRT.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\DriverVideodialog.exe.manifest (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\Crypto.Cipher._AES.pyd (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\msvcm90.dll (589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\unicodedata.pyd (748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\_hashlib.pyd (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\msvcp90.dll (1061 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\msvcr90.dll (1375 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\python27.dll (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\bz2.pyd (1137 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\select.pyd (392 bytes)

The process %original file name%.exe:4008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sentry.exe (49756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sentry_MBA.exe (104786 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd2D09.tmp (0 bytes)

The process Sentry.exe:2340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DriverVideodialog1.exe (104964 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DirectWindows.exe (1625 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn4CA9.tmp (0 bytes)

The process DriverVideodialog1.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DIRECT~1.EXE (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE (55104 bytes)

Registry activity

The process %original file name%.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Sentry.exe:2340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process DriverVideodialog1.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://checkip.dyndns.com/
hxxp://checkip.dyndns.org/	216.146.38.70

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response

Traffic

GET / HTTP/1.0

Accept: */*

Pragma: no-cache

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Host: checkip.dyndns.org

HTTP/1.1 200 OK

Content-Type: text/html

Server: DynDNS-CheckIP/1.0

Connection: close

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 106
<html><head><title>Current IP Check</title><
;/head><body>Current IP Address: 194.242.96.226</body>&
lt;/html>....

The Trojan connects to the servers at the folowing location(s):

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

EInvalidGraphicOperation

comctl32.dll

USER32.DLL

windows

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

OnProgressH

Uh*%D

MAPI32.DLL

OnKeyDown

OnKeyPress

OnKeyUpH

OnKeyUp

ArrowKeys

vsReport

RICHED32.DLL

TComboBoxExEnumerator

ole32.dll

PasswordCharX

ssHorizontal

OnKeyUpL

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

AutoHotkeysx

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreviewl

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclResources.pas $

JclBase$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclBase.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas $

JCL\source\windows

imagehlp.dll

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas $

windows-1256

windows-1257

windows-1250

windows-1251

windows-1253

windows-1255

csShiftJIS

csWindows31J

windows-874

windows-1254

ISO_646.irv:1991

windows-1258

Windows-1252

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas $

ccIDSBinaryOperator

ccIDSTrinaryOperator

ccJoinControl

Mathematical Operators

Supplemental Mathematical Operators

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclWideStrings.pas $

TRootKey

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas $

EJclMutexError

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclMath.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclStreams.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/windows/JclSecurity.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas $

TUnitVersioning$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas $

TJclIntfCriticalSection$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas $

shell32.dll

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas $

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/common/JclMime.pas $

HelpKeyword,

%Documents and Settings%\XPMUser\Desktop\JVCL3-2011-03-05\run\JvOutlookBar.pas

Uh.uK

Uh.zK

SSLEAY32.DLL

SSL_get_peer_certificate

SSL_get_peer_cert_chain

SSL_CTX_use_certificate_chain_file

SSL_CTX_use_certificate_file

SSL_CTX_set_default_passwd_cb

SSL_CTX_set_default_passwd_cb_userdata

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_PrivateKey

SSL_CTX_get_cert_store

SSL_CTX_set_client_cert_cb

SSL_CTX_get_client_cert_cb

LIBEAY32.DLL

Unsupported OpenSSL version (0x

Supported versions are 0x

d2i_PrivateKey_bio

i2d_PrivateKey_bio

X509_STORE_add_cert

X509_STORE_CTX_get_current_cert

X509_verify_cert

X509_verify_cert_error_string

X509_check_private_key

EVP_PKEY_new

EVP_PKEY_free

EVP_PKEY_assign

EVP_PKEY_size

EVP_PKEY_bits

RSA_generate_key

EC_KEY_print

PEM_write_bio_PrivateKey

PEM_read_bio_PrivateKey

X509_set_pubkey

X509_PKEY_free

i2d_PrivateKey

d2i_PrivateKey

X509_get_pubkey

X509_PUBKEY_free

PKCS7_add_certificate

windows-1252

gb2312 csgb2312 gbk cp936 ms936 windows-936

shift_jis ms_kanji csshiftjis

us-ascii ascii us ansi_x3.4-1968 iso-ir-6 ansi_x3.4-1986 iso_646.irv:1991 iso646-us ibm367 cp367 csascii

IcsNtlmMsgs (c) 2004-2010 F. Piette V6.01

TNTLM_Msg2_Info

EHttpContentCodingException

THttpContentCoding

THttpCCodIdentity

THttpCCodStar

THttpContCodItem

THttpContCodHandler

Uh%SL

%s;q=%s

%s, %s;q=%s

%s, %s

TIcsURL (c) 1997-2010 F. Piette V6.04

http:

TIcsMsgMap

%Documents and Settings%\XPMUser\Desktop\Sentry\Overbyte\OverbyteIcsWndControl.pas

MsgLow not defined

Msg value out of bound

Msg not registered

TIcsBufferHandler.Remove: Invalid Len

TIcsBufferHandler.Remove: nothing to remove

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

3333333

TMonochromeLookup

InternetQueryOption failed! (%d)

InternetSetOption failed! (%d)

%Documents and Settings%\XPMUser\Desktop\Sentry\Source\uBigIntsV3.pas

IDCT output block size ? not supported

Unsupported JPEG data precision ?

Buffer passed to JPEG library is too small

Unsupported color conversion request

Empty JPEG image (DNL not supported)

Maximum supported image dimension is ? pixels

Backing store not supported

Unsupported JPEG process: SOF type ?

Unsupported marker type ?

Smoothing not supported with nonstandard sampling ratios

t H,%s

1.2.3

Invalid ZStream operation!

TWAIN_32.DLL

gdiplus.dll

GdiplusShutdown

GdipSetPenLineJoin

OnTextKeyDown|

1.2.14

.hM u

.he,u

Rh.Ou

MONOCHROME1

1.2.840.10008.1.2

1.2.840.10008.1.2.1

1.2.840.10008.1.2.2

1.2.840.10008.1.2.4.50

1.2.840.10008.1.2.4.91

1.2.840.10008.1.2.4.70

1.2.840.10008.1.2.4.57

1.2.840.10008.1.2.4.100

1.2.840.10008.1.2.5

Unsupported pixel format

%%Creator: ImageEn by HiComponents

%%CreationDate:

%%DocumentData: Clean7Bit

Keywords

Format unsupported

MsgLanguage

_CopyBitmaptoDIBEx: not supported pixel format, converting to 24bit and recurse

.jpeg

.tiff

.targa

.wbmp

Windows Bitmap

Windows Icon

Windows Cursor

Portable Network Graphics

Windows Metafile

Enhanced Windows Metafile

Portable Pixmap, GrayMap, BitMap

wininet.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

FtpOpenFileA

Mozilla/4.*

HTTP/1.1

TIESpecialKeyEvent

TIEVirtualKeyEvent

VirtualKey

KeyData

KeyDown

OnSpecialKey

OnVirtualKey

MSIMG32.DLL

Video for Windows

Pos.Orizz. (inch)

Pos.Vert. (inch)

An Seite anpassen

r Windows

Windows

Passend in pagina

Toepassen

Proportion

Video pro Windows

Dikey Pozisyon (in

Dikey

Windows

Windows Vide

ie32f pixel format not allowed when Location=ieTBitmap Please set TImageEnView.LegacyBitmap=false.

ieCMYK pixel format not allowed when Location=ieTBitmap. Please set TImageEnView.LegacyBitmap=false.

ieCIELab pixel format not allowed when Location=ieTBitmap Please set TImageEnView.LegacyBitmap=false.

ieRGB48 pixel format not allowed when Location=ieTBitmap Please set TImageEnView.LegacyBitmap=false.

Kernel32.dll

mscms.dll

sRGB Color Space Profile.icm

hXXp://ns.adobe.com/xap/1.0/

Cannot create file "%s". %s

Cannot open file "%s". %s

hXXp://

hXXps://

PTF://

3.1.2

TMsgLanguage

msGerman

msPortuguese

msGreek

%Documents and Settings%\XPMUser\Desktop\Sentry\Source\FastStrings.pas

wsoTcpNoDelay

TSslWSocket (c) 2003-2010 Francois Piette V1.00.5e

SslVerifyMode_PEER"SslVerifyMode_FAIL_IF_NO_PEER_CERT

sslOpt_NETSCAPE_CHALLENGE_BUG'sslOpt_NETSCAPE_REUSE_CIPHER_CHANGE_BUG"sslOpt_SSLREF2_REUSE_CERT_TYPE_BUG!sslOpt_MICROSOFT_BIG_SSLV3_BUFFER

SslCertFile

SslPassPhrase

SslPrivKeyFile

Cert

PeerCert

TSslCliCertRequest

Port

LocalPort

SocksPort

SocksPassword

OnSslCliCertRequest<0r

wsock32.dll

Unable to load wsock32.dll -

Winsock startup error wsock32.dll -

ws2_32.dll

Unable to load ws2_32.dll -

0.0.0.0

Cannot change Port if not closed

Cannot change LocalPort if not closed

255.255.255.255

Winsock Resolve Port: Invalid Port.

Winsock Resolve Port: Invalid Proto.

Winsock Resolve Port: Cannot convert port '

GetPeerPort

%Documents and Settings%\XPMUser\Desktop\Sentry\Overbyte\OverbyteIcsWSocket.pas

setsockopt(IPPROTO_TCP, TCP_NODELAY)

Connect: No Port Specified

Connect (Invalid operation in OnChangeState)

listen: port not assigned

TCustomWSocket.Shutdown

Operation would block

Operation now in progress

Operation already in progress

Socket operation on non-socket

Protocol not supported

Socket type not supported

Operation not supported on socket

Protocol family not supported

Address family not supported by protocol family

WinSock DLL cannot support this application

Uhf%d

Can't change socks port if not closed

Listening is not supported thru socks server

TCP is the only protocol supported thru socks server

0.0.0.1

command not supported

address type not supported

Error reading info file "%s"

Can't read certificate file "

Can't load private key file "

UhCmd

Error reading certificate from BIO

Certificate and private key do not match

Error reading private key from BIO

Private key not assigned

Error writing private key to BIO

Error writing certificate to BIO

%s BIO_ctrl_pending(%s) = %d [%d]

%s BIO_read(%s, 0x%x, %d) = %d [%d]

%s BIO_read(%s, 0x%x, %d) = %d [%d] Data:%s

%s BIO_ctrl(%s, %s, %s, 0x%x) = %d [%d]

%s BIO_ctrl_get_write_guarantee(%s) = %d [%d]

%s BIO_ctrl_get_read_request(%s) = %d [%d]

%s BIO_write(%s, 0x%x, %d) = %d [%d]

%s BIO_write(%s, 0x%x, %d) = %d [%d] Data:%s

%s %d [%d] %s

%s Winsock recv( %d, 0x%x, %d, %d) = %d [%d]

%s my_RealSend (0x%x, %d, %d) = %d [%d]

%s BIO_should_retry(%s) = %d [%d]

TCustomSslWSocket.Do_FD_CLOSE error #

TCustomSslWSocket.Do_FD_READ

SslBio write operation pending:

TCustomSslWSocket.Do_FD_WRITE

TCustomSslWSocket.DoRecv

TCustomSslWSocket.ShutDown

%s TriggerSslShutDownComplete(%d) %d

ICB> Renegotiaton not supported or not allowed. Connection closed delayed

%s PutDataInSslBuffer %s len %d [%d]

%s PutDataInSslBuffer %s [%d] Data:%s

%s SslHandshakeDone(%d) %d. Secure connection with %s, cipher %s, %d secret bits (%d total), session reused=%s

%s PutDataInSendBuffer %s len %d [%d]

%s PutDataInSendBuffer %s [%d] Data:%s

THttpCli (c) 1997-2010 F. Piette V7.08

EHttpException

THttpRequest

httpABORT

httpGET

httpPOST

httpPUT

httpHEAD

httpCLOSE

OverByteIcsHttpProt

THttpAuthType

httpAuthNone

httpAuthBasic

httpAuthNtlm

httpAuthDigest

THttpBeforeAuthEvent

THttpRequestDone

THttpCliOption

httpoNoBasicAuth

httpoNoNTLMAuth

httpoBandwidthControl

httpoEnableContentCoding

httpoUseQuality

httpoNoDigestAuth

THttpCliOptions

THttpCli

THttpCliX

OverByteIcsHttpProtD

ProxyPort

Password

ProxyPassword

TSslHttpCli (c) 2008 Francois Piette V1.00.0

TSslHttpCli

TSslHttpCli`

OnSslCliCertRequest

%2.2d %s %4.4d %2.2d:%2.2d:%2.2d

application/x-www-form-urlencoded

Mozilla/4.0 (compatible; ICS)

State = httpReady

State = httpNotConnected

State = httpConnected

State = httpDnsLookup

State = httpDnsLookupDone

State = httpWaitingHeader

State = httpWaitingBody

State = httpBodyReceived

State = httpWaitingProxyConnect

State = httpClosing

State = httpAborting

PrepareNTLMAuth end, FStatusCode = %d FProxyAuthNTLMState=%d FAuthNTLMState=%d

Login

https

.ht0e

HTTP/

httpChunkDone, end of document

HTTP/1.0

HTTP component

HTTP component has nothing to post or put

document.htm

HTTP/1.0 200

HTTP/1.1 200

HTTP/1.0 200

HTTP/1.1 200

HTTP/1.1 200 OK

HTTP/1.0 200 OK

Insupported HTTP version

1.1.4

PngImage%d

afDisplayNameOnKeySize

TSymetricKey

hXXp://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf|section 6.1

native.ECB

Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29

hXXp://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf|section 6.2

native.CBC

native.PCBC

Block_cipher_modes_of_operation#Propagating_cipher-block_chaining_.28PCBC.29

hXXp://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf|section 6.3

native.CFB

Block_cipher_modes_of_operation#Cipher_feedback_.28CFB.29

native.CFB-8bit

hXXp://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf|section 6.4

native.OFB

Block_cipher_modes_of_operation#Output_feedback_.28OFB.29

hXXp://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf|section 6.5

native.CTR

Block_cipher_modes_of_operation#Counter_.28CTR.29

native.hash.SHA-1

hXXp://VVV.itl.nist.gov/fipspubs/fip180-1.htm

hXXp://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf

native.hash.SHA-224

native.hash.SHA-256

native.hash.SHA-384

native.hash.SHA-512

native.hash.SHA-512/224

native.hash.SHA-512/256

hXXp://tools.ietf.org/html/rfc1321

native.hash.MD5

native.StreamToBlock

TDummyKey

hXXp://tools.ietf.org/html/rfc4648

native.base64

TAESKey

Invalid key size for AES.

hXXp://VVV.csrc.nist.gov/publications/fips/fips197/fips-197.pdf

AES-%d

native.AES-%d

TSimpleHash.Begin_Hash - without undefined hash algorithm.

TSimpleHash.UpdateMemory - hashing not started.

TAsymtricKeyPart

TAsymetricKeyPair

Uh.Eg

3.4.1

3.0.0

3.4.0

TRSAKeyPartPzg

TRSA_PublicKeyPart

TRSA_PrivateKeyPart8{g

TRSAKeyPair

hXXp://VVV.ietf.org/rfc/rfc3447.txt

TRSA_Gen_Key_HelperU

native.RSA

TXXTEA_LE_Key

hXXp://VVV.movable-type.co.uk/scripts/xxtea.pdf

native.XXTEA.Large.Littleend

TDESKey

%UUUU1

hXXp://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

native.DES

T3DESKey

T3DESKey_KO1

hXXp://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf

3DES (Keying option 2)

3DES (Keying option 1)

5468652071756663

TBlowfishKey

hXXp://VVV.schneier.com/paper-blowfish-fse.html

native.Blowfish

12345678

TTwofishKey

hXXp://VVV.schneier.com/paper-twofish-paper.pdf

native.Twofish

TOnGenerateKeyFunc

TSymetricKey,af

OnCustomCipherGenerateKey

TESSDLL.DLL

TVTHttpCli

TVTHttpCli<

uVTHttpWrapper

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

CONNECT method not supported or forbidden for this server

TCP Connection Timeout

HTTP/1.0 200 OK

HTTP/1.1 200 OK

uKeywordBot

uKeywordBotH=h

TKeywordBot

TKeywordBotH=h

Calling main URL

Calling intermediate action URL

Calling form redirect URL

Calling additional redirect URL #

<ACTION> <FORM ACTION> <HTTP VERSION>

<HTTP VERSION>

Content-Type: application/x-www-form-urlencoded

X-Requested-With: XMLHttpRequest

@gmail.com

success key match(es),

TJclPeImportLibItem

TJclPeImportList

$URL: hXXps://jcl.svn.sourceforge.net:443/svnroot/jcl/trunk/jcl/source/windows/JclPeImage.pas $

comdlg32.dll

Fav.ini

TSQLTimeStampVariantType

TSQLTimeStampData

SqlTimSt

SQLTimeStamp

JvExExtCtrls

cmdUseData

txtPass

cmdUseDataClick

hXXp://checkip.dyndns.org

1.2.5

NTDLL.DLL

security.dll

secur32.dll

Couldn't find package info for NTLM, error 0x%x

TSslWSocket (c) 2003 Francois Piette V1.00.3

Welcome to OverByte ICS TcpSrv

THttpServer (c) 1999-2010 F. Piette V7.29

THttpGetFlag

OverbyteIcsHttpSrv

THttpGetEvent

THttpGetConnEvent

THttpConnectEvent

THttpPostedDataEvent

THttpRequestDoneEvent

THttpBeforeProcessEvent

THttpFilterDirEntry

THttpDirEntry

THttpGetRowDataEvent

THttpBeforeAnswerEvent

THttpAfterAnswerEvent

THttpContentEncodeEvent

THttpContEncodedEvent

THttpUnknownRequestMethodEvent

THttpOption

THttpOptions

OverbyteIcsHttpSrvh

TAuthGetPasswordEvent

THttpRange

THttpRangeList

THttpPartStreamD

THttpRangeStream

TBaseHttpConnection

THttpConnection

THttpConnection,

OnHttpRequestDone|

AuthPassword

THttpServer

OverbyteIcsHttpSrv*

OnHttpRequestDone

OnHttpContentEncode

OnHttpContEncoded

OnAuthGetPassword

THttpDirEntryD

THttpDirEntry

THttpSrvRowDataGetterUserData

TSslHttpSrv (c) 2003-2010 Francois Piette V1.00.0

index.html

c:\wwwroot

c:\wwwroot\templates

HTTP/1.0 503 Service Unavailable

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>404 Not Found</H1>The requested URL

<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY><H1>403 Forbidden</H1>The requested URL

<HTML><HEAD><TITLE>401 Access Denied</TITLE></HEAD><BODY><H1>401 Access Denied</H1>The requested URL

text/vnd.wap.wml

image/vnd.wap.wbmp

application/vnd.wap.wmlc

text/vnd.wap.wmlscript

application/vnd.wap.wmlscriptc

Unexpected ProtoNumber in CreateHttpHeader

%s %2.2d, %4.4d

.dirline { font-family: arial; color: black; font-style: normal; }

%d..2d

Unsupported TVarRec.VType = vtPointer

Unsupported TVarRec.VType = vtObject

Unsupported TVarRec.VType = vtClass

Unsupported TVarRec.VType = vtWideChar

Unsupported TVarRec.VType = vtPWideChar

Unsupported TVarRec.VType = vtCurrency

Unsupported TVarRec.VType = vtVariant

Unsupported TVarRec.VType = vtWideString

Unsupported TVarRec.VType = vtInterface

Unknown TVarRec.VType = "

HTTP/1.1 401 Authorization Required

/index.html

HTTP Code from the Judge

hXXp://VVV.formyip.com/ipcountry_popup.php

History.ini

HistoryUpdate.ini

cmdStart

cmdAbort

cmdRemoveSiteP

cmdReloadListT

cmdRemoveMainSite

cmdOpenSiteClick

cmdStartClick

cmdAbortClick

cmdRemoveSiteClick

cmdReloadListClick

cmdRemoveMainSiteClick

Settings.ini

WordlistsLoaded.ini

Sites.ini

WP0.ini

WP1.ini

mnuKeywords

OpenListofKeyPhrases1

SaveListofKeyPhrases1

cmdUpdate

OpenListofKeyPhrases1Click!

SaveListofKeyPhrases1Click

lstHeaderFailureKeyDown

cmdUpdateClick

MoveKey

TfrmSettingsKeywords

uFrameSettingsKeywords

GlobalKeys.ini

An error occured while loading the global keys. Any change to global keys will not be saved!

LastSettingsKeywordsURL

Add a Key Phrase

Edit a Key Phrase

chkHTTPFollowx

LastSettingsFakeSettingsURL

HTTPFollow

lstCProgression,

CopyURLToClipboard1@

cmdOpenMemoh

cmdOpenDebugl

cmdReloadSettingsp

CopyRedirectURLtoClipboard1

SendProxytoHTTPDebugger1

cmdClear

lstCProgressionData

CopyURLToClipboard1Click

lstCProgressionMouseMove

cmdOpenDebugClick

cmdOpenMemoClick

cmdReloadSettingsClick

CopyRedirectURLtoClipboard1Click$

SendProxytoHTTPDebugger1Click

cmdClearDebugClick

Firefox

Opera

Uh.ek

History_Backup.ini

.html

Debug.txt

Source.html

Headers.txt

-> http

-> https

Blacklist.ini

uFrameToolsHTTPDebugger

uFrameToolsHTTPDebuggerl

cmdAbort(

cmdStart,

cmdRetrievep

txtPassword|

cboLogin

udProxy

cmdRetrieveClick

udProxyClick

TfrmToolsHTTPDebugger

TfrmToolsHTTPDebuggerl

MyList.ini

DebugSites.ini

HTTPHeader

Wrong sintax for the site URL.

DebuggerSnapShot.ini

SiteURL

LoginPostData

LoginMethod

chkFirefox<

txtFirefoxPathH

cmdOpenFirefoxL

txtFirefoxPrefT

cmdOpenPrefX

chkOperal

txtOperaPatht

cmdOperaOpenx

cmdOperaHelp|

cmdIEOpen

cmdFirefoxHelp

cmdIEHelp

cmdOpenFirefoxClick

cmdOpenPrefClick

cmdOperaOpenClick

cmdIEOpenClick

chkFirefoxClick

chkOperaClick

cmdOperaHelpClick

cmdFirefoxHelpClick

cmdIEHelpClick

Exe File (*.exe)|*.exe

Text Files (*.txt)|*.txt|Any File (*.*)|*.*

JS File (*.js)|*.js

FirefoxPath

FirefoxPref

OperaPath

To use Opera with Sentry, you cannot use profiles.

To disable them, open [Opera Installation Directory]\OperaPrefs.ini and make sure:

If you do not do this, Proxy Integration with Opera will not work.

The preference file may be called user.js or prefs.js. If you have both, use prefs.js.

Locating prefs.js on XP/2000:

%Documents and Settings%\[User Name]\Application Data\Mozilla\Firefox\Profiles\xxx.default\

Locating prefs.js on Vista/Seven:

C:\Users\[User Name]\AppData\Roaming\Mozilla\Firefox\Profiles\xxx.default\

LastSettingsProxySettingsURL

cmdClear,

cmdLoad0

cmdSave4

cmdLoadClick

cmdClearClick

cmdSaveClick"

lstCBlacklistKeyDown

cmdOpen8

cmdSave<

cmdPaste@

lstCProxyD

cmdStartP

cmdAbortT

cmdCleand

mnucmdCleanh

cmdOptions

mnucmdStart

SendToHTTPDebugger1

mnucmdSelect,

cmdSelect`

cmdDeleted

mnucmdDeleteh

mnucmdOpent

mnucmdSavex

mnucmdPaste|

ImportProxiesfromTextFile1

lstCProxyColumnClick

lstCProxyData

lstCProxyKeyDown

cmdOpenClick

cmdSaveClick

cmdCleanClick

cmdPasteClick

cmdOptionsClick

cmdCallStartClick

cmdAbortClick(

SendToHTTPDebugger1Click

cmdSelectClick

cmdDeleteClick

SpecificURL

SpecificKey

HTTPS

HTTPSSite2

ProxyJudges.ini

ProxyJudgesProfiles.ini

Socks.ini

Proxy.ini

PADebug.txt

MyListAnalyzer.ini

Port 80 already in use

cmdOpenSpecSite

cmdOpenPJ

chkHTTPS

txtHTTPS

cmdExternalIP

cmdOK@

txtJudgeKeys

cmdAddJudgeKey

cmdDeleteJudgeKey

cmdAddProfile

cmdEditProfile

cmdDeleteProfile

cmdAddJudge

cmdEditJudge

cmdDeleteJudge

cmdApplyProfileChanges

cmdDiscardProfileChanges

cmdBuildParsingGateway

cmdBuildParsingLevel

cmdDeleteGatewayParsingCode

cmdDeleteLevelParsingCode

cmdAddSite

cmdEditSite

cmdRemoveSite

lstSiteKeys

cmdExternalIPClick

cmdOpenPJClick

cmdOpenSpecSiteClick

chkHTTPSClick

cmdUseClick

cmdAddJudgeClick

cmdEditJudgeClick

cmdDeleteJudgeClick

cmdAddProfileClick"

cmdApplyProfileChangesClick

cmdEditProfileClick$

cmdDiscardProfileChangesClick

cmdDeleteProfileClick

cmdAddJudgeKeyClick

cmdDeleteJudgeKeyClick

cmdBuildParsingClick

cmdDeleteParsingCodeClick

cmdAddSiteClick

cmdEditSiteClick

MoveKeyClick

SpecificSites.ini

Wrong sintax for the external proxy judge URL

Wrong sintax for the specific site URL

At least one key has to be defined for specific site analysis

Enter the Proxy Judge URL

Wrong sintax for the Proxy Judge URL

You must define at least Proxy Judge Keywords for the selected profile

Enter a ProxyJudge Keyword

Add a Key

Enter the Site URL

Wrong sintax for the Site URL

cmdSaveHelp,

cmdAddFilter

cmdRemoveFilter

cmdSaveHelpClick

cmdAddFilterClick

cmdRemoveFilterClick

Keys Captured = <KEYS>

Pass Captured = <PASS>

Filters1_6.ini

<KEYS>

<PROTO><COMBO>@<SITE>\nCaptured Keys:\n<------------>\n<KEYS>\n<------------>\nCookies Received:\n<COOKIE>\n

cmdAbort0

SortUsingLogin1T

SortByPassword1X

cmdSort

cmdPaste

cmdClean

cmdSave

cmdOpen

cmdSearch

EditURL1

)CopySelectedURLsToClipboardinForumFormat1

cmdSelect,

cmdClearX

ImportSitesfromTextFile1p

-CopySelectedURLsToClipboardwithHistoryFilter14

cmdSaveFilterClick

cmdSortClick

SortUsingLogin1Click

SortByPassword1Click

*CopySelectedURLsToClipboardFormatted1Click

lstCHistoryKeyDown

cmdSearchClick

txtSearchKeyDown

EditURL1Click

cmdGenerateList

cmdSaveDupeClick

Imported

HTTP Proxy

<PASS>

chkPass

cmdSaveAll

cmdSaveList

cmdNoSave

cmdClick

cmdExit

txtIPassD

txtPassl

PassIndex

URL Syntax of the Site to attack is wrong

PasswordEnd

PasswordStart

PasswordInvalidChars

PasswordAllowedChars

PasswordLetters

PasswordDigits

PasswordAlpha

PasswordEmail

PasswordLowerUpper

PasswordLetterDigit

PasswordSpeciaChar

LoginHeader

IPass

AjaxURL

FormRedirectUrl

RedKeys

RedURL

URLMode

ImageURLID

OCRKey

BorderLeftPre

VerticalRejoin

UserAgents.ini

Error: Unable to abort since some BOT have been unable to report back to the Bruteforcer!

<FIELD:HTTP>||401

EnableGlobalKeys

cmdWizard\

cmdWizardClick

TfrmSettingsHTTPHeader

uFrameSettingsHTTPHeader

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11

Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3

Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00

LastSettingsHTTPHeaderURL

Could not detect the current Site in your HTTP Header. Would you like to rebuild it?

Wrong Sintax for the URL of the site to scan

HTTP/1.0

txtPassword

txtAjaxUrl

txtRedirectUrl0

chkKeysCaptureP

cmdAnalyze\

cmdUse`

txtLoginStatus

cmdOCR

cmdAddFormPCode

cmdAddAjaxPCode

cmdAddCapturePCode

cmdHelp1

cmdHelp2

cmdHelp3

cmdHelp4

cmdHelp5

cmdDelete1

cmdDelete2

cmdDelete3

cmdVariables

txtOCRKey,

txtIPass@

txtLoginPostData

chkLoginAjaxHeader

cmdAddRedURL

cmdDelRedURL

cmdOCRClick

cmdAnalyzeClick

KeysCaptureClick

cmdAddFormPCodeClick

cmdAddAjaxPCodeClick

cmdAddCapturePCodeClick

cmdHelp1Click

cmdHelp2Click

cmdHelp3Click

cmdHelp4Click

cmdHelp5Click

cmdHelp6Click

cmdVariablesClick

cmdAddAjaxURLClick

cmdDeleteAjaxURLClick

LastPostWizardURL

The Syntax of the Action URL defined in the POST stage is wrong

The Syntax of the Parsing Code defined in the Login Page stage is wrong

The Syntax of the Referer URL defined in the Login Page Stage is wrong

The Syntax of the Cookie defined in the Login Page stage is wrong

The Syntax of first Intermediate Action URL is wrong

The Syntax of the Form Redirect URL defined in the Form Redirect stage is wrong

At least one redirect key has to be defined in the Form Redirect stage.

The Syntax of the Parsing Code defined in the Keywords Capture stage is wrong

In this stage the form engine will get the login page to perform various tasks, like:

- Retrieve the URL of the Captcha Image that will be processed by the OCR stage

However for you convenience the activation state of this stage will be reported in the Status box below.

In this stage the form engine will call the Intermediate Action URL with HEAD, POST or GET method.

This stage is needed by some Ajax sites that require script initialization before posting the actual login information in the POST stage.

Moreover you can process the Body answer from this URL with user defined Parsing Code,

This is the main stage, where the form engine will send to the POST action the actual login information.

If this stage is enabled, the form engine will call the Redirect URL if the Redirect Keyword is found on the Body Answer of the Post Action.

This stage is useful for some hosting sites that, on a successful login, redirect by Javascript to the real account page.

In this case the Redirect Key can be for example the Javascript code used to redirect the browser,

while the Redirect URL would be the URL of the account page. In this stage all keywords defined in the Keywords frame will be processed.

In this stage, the form engine will parse with user defined Parsing Code the HTML Source where a success keyword is found.

If you configure correctly this stage, you will be able to capture selected keys from a success response page,

Add an Intermediate Action URL

Wrong URL syntax.

ufrmKEYWizard

cmdUse

txtKey2<

txtKey1@

txtKeyD

cmdKey1HelpH

cmdKey2HelpL

MenuRetryKeyd

MenuBadKeyl

MenuGlobalKeyt

MenuBanKey

MenuStageKey

Key1HelpClick

Key2HelpClick

TfrmKEYWizard

Keyword 1 field cannot be empty

<USER> and <PASS> will be replaced with the current user and password of the combo being tested.Moreover you can match tab and new line special characters with \t and \n respectively.

- "$" cannot be the first keyword char.

- "*" cannot be the first and last keyword char.

If a second key is defined, then a keyword match is true if both first and second keywords matches are true.

cmdAddVar$

cmdDelVar(

MenuOperatorX

cmdDelChanges\

cmdApplyChanges`

cmdAssignx

cmdInput2Build

cmdInput1Build

cmdEditVar

cmdUp

cmdDown

cmdHelp6

cmdHelp7

cmdAddVarClick

cmdEditVarClick

cmdDelChangesClick

cmdApplyChangesClick

cmdDelVarClick

cmdUpClick

cmdDownClick

cmdAssignClick

cmdBuildClick

cmdAddRedURLClick

cmdDelRedURLClick

cmdHelp7Click

Add. Redirect URL #

Error: Operators cannot be used together with void procedures.

Add a Redirect URL

Variable = Function1(Input1) Operator Function2(Input2).

A void function is a function that executes some code but does not return any result.

1) Void variables: variables that contain at least 1 void function. They execute some code but do not return any result.

2) No void variables: variables that do not contain any void function. They execute some code and are assigned to the value defined by the code execution. They can be reused by other variables to further process the result.

A variable can be computed either in the login page stage or in the OCR stage or in the intermediate action stage or in the post action stage or in the form redirect stage or in the additional redirect stage.

The value computed can be used to modify all MBA stages, except of course the login page stage.

In each stage the variables are computed until execution is completed (i.e. all the stage variables have been computed) or a parsing error has been issued.

After a jump index has been stored, a jump event, that can be triggered by the void procedure 'Jump', will cause the variables execution to be restored from the jump index. It is also possible to nest multiple loops.

If the stage for the variable is set to login page, the variable is computed just after the login page URL has been called.

If the stage for the variable is set to intermediate action, the variable is computed just after the intermediate action URL has been called.

If the stage for the variable is set to post action, the variable is computed just after the post action URL has been called.

If the stage for the variable is set to redirect URL page, the variable is computed just after the redirect URL has been called.

The only variables that would need the redirect URL stage, are the ones used to configure by variables the additional redirect URLs.

For example, if the stage for a variable is set to login page, then the variable will use,

if needed, the HTML Source of the login page and the value of Cookie set by the login page, if any.

Parameters indexes for multi-input functions always start from zero. SetParameterIndex and SetParameterValue have to be used always in pair and in this order.

<- TriggerKeyMatch(Input) -> Void procedure ->

Triggers a key match by the following schema:

<- ConfigureIAURL(Input, URLData, PostData, CookieData, HeaderData, HTTPMethod) -> Void procedure ->

Set URL parameters for the Intermediate Action URL pointed by Input. Only IA URLs whose index is greater than 1 can be configured in this way.

The Intermediate Action URL will be built with the parameters set by URLData, PostData, CookieData, HeaderData.

HTTPMethod defines how the URL will be called: 0 -> Head, 1 -> GET, 2 -> POST, 3 -> MultiForm POST, 4 -> JSON POST.

<- AddRedirectURL(Input, URLData, PostData, CookieData, HeaderData, HTTPMethod) -> Void procedure ->

Adds to the already defined chain of additional redirect URLs an additional redirect URL of value Input.

The additional redirect URL will be built with the parameters set by URLData, PostData, CookieData, HeaderData.

These parameters act exactly as the additional redirect URL parameters that can be assigned by the Post Element Menu.

<- AddCapturedKeys(Input, KeyName) -> Void procedure ->

Add Input to the list of captured keys. KeyName is the name assigned to the captured keys and has to be defined with the functions pair SetParameterIndex and SetParameterValue.

<- HMac(Input, Key, HashSelect, TrimBytes) -> Hexadecimal string ->

Crypts Input with Key (must be hexadecimal) by HMAC algorithm. Inner hash function is selected by HashSelect. Output is trimmed by TrimBytes (>0 -> trim from left, <0 -> trim from right).

Key, HashSelect and TrimBytes have to be assigned with the functions pair SetParameterIndex and SetParameterValue.

<- RSAPKCS15(Input, KeyMod, KeyExp) -> Hexadecimal string ->

Crypts Input with public Key KeyMod(modulus):KeyExp(exponent) (have to be hexadecimal) by RSA PKCS 1.5.

KeyMod and KeyExp have to be assigned with the functions pair SetParameterIndex and SetParameterValue.

Joins Input by N times.

<- URLEncode(Input) -> ANSI string ->

Get the Index-th element of vector Input, i.e. Input[Index]. Indexes of vectors are zero based.

Executes the mathematical operations underlined in Input, i.e. Compute('(2*5) 2') = 12.

<- Compare(Input, CompareTarget, Operator) -> Boolean string ->

Compares Input against CompareTarget and returns the result of the operation as a boolean string, i.e. '0' (False) or '1' (True), by executing the comparison outlined by Operator.

Operator = 0 -> '<', 1 -> '<=', 2 -> '==', 3 -> '>=', 4 -> '>', 5 -> '<>'.

CompareTarget and Operator have to be assigned with the functions pair SetParameterIndex and SetParameterValue.

- Pass: is the Password of the Combo being tested.

- " ,-,/,*": these are the basic mathematical operators - Inputs have to be numbers or an empty string will be returned.

- &: this is the join string operator - If the Input strings are both string vectors, they have to be of the same size or an empty string will be returned.

- AND, OR, XOR, NAND, NOR, NXOR: these are the basic boolean operators. Inputs have to be boolean strings ('0' for False and '1' for True) or an empty string will be returned.

- Action URL (let's call URL the value of this parameter before it is changed by variables).

Bruteforcer=MBA&coder=astaris, MBA.html, session = MBA_OCR and UserAgent = MBA, you will get the following behaviour:

- If the variable is assigned to Action URL, the final Action URL parameter will be computed as "URLMBA.html".

In this section you can configure MBA additional redirect URLs.

An additional redirect URL is called after a success key match, either upon post or after the form redirect stage.

- Post -> success key match -> call additional redirect URLs.

- Post -> redirect key match -> get form redirect URL -> success key match -> call additional redirect URLs.

You can define how many additional URLs you want and MBA will capture keys from each body received.

However if after the call to all defined additional redirect URLs no keys have been captured, the combo will be moved to the "To Check" tab.

Otherwise the combo will be marked as a Hit and the keys captured saved.

Moreover you can link each additional redirect URL to MBA variables.

In particular you can assign the URL and the POST data parameters.

If you assign the POST data parameter to a variable, the additional redirect URL will be called with POST method.

By linking the additional redirect URLs to MBA variables, you'll get a conditional redirect URL.

This means that the additional redirect URL will be called only if the variables assigned to it have been successfully computed.

This is a feature that you must use when you don't know how many additional redirect URLs have to be called in order to get

CSV File (*.csv)|*.csv

cmdOpen`

cmdSaved

cmdClearh

cmdPastel

mnucmdClean

mnucmdPaste

mnucmdOpen

cmdSelect

mnucmdSelect

mnucmdClear

mnucmdSave0

lstCMyListKeyDown

cmdPasteClick&

cmdLoadWordlist$

cmdWordlistClear(

cmdLoadUsers@

cmdUsersClearD

lstCPassesH

cmdLoadPassesP

cmdPassesClearT

cmdCleanWordlist`

cmdSaveWordlistd

cmdSaveUsersh

cmdCleanUsersl

cmdSavePassesp

cmdCleanPassest

cmdScan

cmdBrowse

cmdLoadWordlistClick

cmdWordlistClearClick

lstCPasswordsData

cmdLoadUsersClick

cmdLoadPasswordsClick

cmdUsersClearClick

cmdPassesClearClick

cmdSaveWordlistClick

cmdBrowseClick

cmdScanClick

Password List saved

Some changes to the password list have not been saved, are you sure?

ImageData.dat

Error: Unable to read the file ImageData.dat

Error: Unable to write to the file ImageData.dat

cmdClose

cmdCloseClick

cmdLoadSnapShotD

cmdSaveSnapShotP

cmdUpdateImagesDatabaseh

cmdHelpp

cmdHelp2t

cmdOpenSound

cmdLoadSnapShotClick

cmdSaveSnapShotClick#

cmdUpdateImagesDatabaseClick/

(cmdUpdateImagesDatabaseFromDatabaseClick

cmdHelpClick

cmdOpenSoundClick

LastSettingsGeneralURL

Images Database Files (*.dat)|*.dat

INI Files (*.ini)|*.ini|Any File (*.*)|*.*

The syntax of the URL set in Sentry site text box is wrong.

Take note that each image has to be named like the captcha string associated to the image, i.e. "Horse.gif".

Annoying Sound (*.wav)|*.wav

%Documents and Settings%\XPMUser\Desktop\Sentry\uListViewHistorylist.pas

No keys found upon 200 - OK -> Check answer - Source Length:

and no Header Failure Keys found with wrong combo

No Header Keys found upon relocation -> Check redirect URL ->

- Key match with wrong combo -> Check Keywords

Writing Debug.txt...

notepad.exe

IPFilter.Dat

password

=<PASS>

GetImagesURL

lstImageURLs8

txtImageURLID@

cmdTestP

cmdStartT

cmdAbortX

cmdUse\

cmdProcessx

cmdBuild

cmdAnalyzeP

cmdHelp

cmdDelete

udProxy4

cmdAdd

txtImageURL

cmdProcessFiles

cmdBuild2,

txtVerticalRejoinT

lstImageURLsClick

cmdTestClick

cmdProcessClick

cmdAddClick

txtImageURLIDChange

cmdProcessFilesClick

URL assigned to ->

Image files|*.jpg;*.jpeg;*.bmp;*.png;*.gif

Error: The Syntax of URL for Image

Image not supported

Unable to load Tess.dll - Check that Tess.dll is in MBA root AND that you have Microsoft C   2008 Runtime on your system

Double click on the Image URL that points to the Captcha Image to generate Image Extraction String.

If the Captcha Image URL doesn't appear in this list, you have to select Parsing Code Mode.

Redirect Condition Triggered -> Calling Redirect URL

- No keys to capture found on the HTML sources received from the Additional Redirect URLs

Error - Got 200 and no source failure keys found with wrong combo - Original Source Length:

No source keys found on the HTML source

No Header Keys found upon relocation

- Key match with wrong combo -> After Redirect succeeded ->

- Key match with wrong combo -> After Fingerprint succeeded

- Key match with wrong combo -> After Ban succeeded

Passwords

savepassword

sbuser=<USER>; sbpasswd=<PASS>; savepassword=1

sbuser=<USER>; sbpasswd=; savepassword=0

Success Keyword Match Triggered by Variables

Ban Keyword Match Triggered by Variables

Bad Keyword Match Triggered by Variables

Retry Keyword Match Triggered by Variables

bad ocr key match(es),

cmdUpdateH

cmdTestParsingL

cmdUseP

CmdFindT

cmdRemove`

cmdAdd|

cmdTestParsingClick

CmdFindClick

CmdRemoveClick

<ImageURL>

Redirect URL

Additional Redirect URL

tessdata\*.inttemp

Found Not Match Key [

Found Not Key [

Found Match Key [

Found Key [

Keyword Match ->

Operator

.inttemp

.pffmtable

.normproto

.unicharset

.word-dawg

.freq-dawg

.DangAmbigs

.user-words

%Documents and Settings%\XPMUser\Desktop\Sentry\uFunctions.pas

Portable map images

Portable pixel map images

Portable gray map images

Portable bitmap images

Portable network graphic images

DebugMBA.txt

Database.log

httponly

CheckURL

Keywords Settings not set

"network.proxy.http"

"network.proxy.http_port"

profile\opera6.ini

HTTP Server

"network.proxy.ssl"

"network.proxy.ssl_port"

"network.proxy.type"

user_pref("network.proxy.http", "

user_pref("network.proxy.ssl", "

user_pref("network.proxy.ssl_port",

user_pref("network.proxy.http_port",

user_pref("network.proxy.type", 1);

OperaDef6.ini

HTTPS Server

Use HTTP

Use HTTPS

AddURL

Login Page

Image URL

Image URL Cookie

Image URL Header

Intermediate Action URL

POST Action URL

Form Redirect URL

No Cookie Received in the Login Stage

Parsing Error in the Login Stage

TriggerKeyMatch

ConfigureIAURL

AddRedirectURL

AddCapturedKeys

URLEncode

AddRedURLNumber

<4,$?7/'

(3-!0,1'8"5.*2$

?456789:;<=

!"#$%&'()* ,-./0123

1.1.2

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

1.0.6 or earlier

iTXt chunk not supported.

libpng version 1.2.14 - November 27, 2006

libpng version 1.2.14 - November 27, 2006 (header)

unsupported image type

ignoring invalid mode %s

ignoring invalid progression order %s

ignoring bad rate specifier %s

warning: invalid intermediate layer rates specifier ignored (%s)

warning: ignoring invalid option %s

invalid code block width %d

invalid code block height %d

Creator: JasPer Version %s

error: too few guard bits (need at least %d)

start=%d end=%d type=%d term=%d lyrno=%d firstchar=x size=%ld pos=%ld

pass0

lyrno = d

lyrno=d cmptno=d rlvlno=d bandno=d prcno=d cblkno=d passno=d

min rdslope = %f max rdslope = %f

maxlen=ld actuallen=ld thresh=%f

success %d goodthresh %f

tcmpt ] ] ] ]

rlvl ] ] ] ]

band ] ] ] ]

prc ] ] ] ] (] ])

cblk ] ] ] ]

RESOLUTION LEVEL %d

xs =%d, ys = %d, xe = %d, ye = %d, w = %d, h = %d

BAND %d

CODE BLOCK GROUP %d

CODE BLOCK %d

seg->numpasses >= seg->maxpasses || dopartial

coding pass failed passtype=%d segtype=%d

cblk->passes

pass->term == 1

pass->type == JPC_SEG_RAW

pass->type == JPC_SEG_MQ

pass->lyrno == lyrno

jpc_firstone(datalen) < cblk->numlenbits   jpc_floorlog2(passcount)

pass->lyrno < 0 || pass->lyrno > lyrno

jas_stream_tell(cblk->stream) == startpass->start

packet offset=ld prg=%d cmptno=d rlvlno=d prcno=d lyrno=d

bands[1].locend == end

box type %s

error: unsupported compression type

ICC Profile CS x

no of components is %d

CTX = %d,

IND %d, MPS %d, QEVAL %x

AREG = x, CREG = x, CTREG = %d

IND = d, MPS = %d, QEVAL = x

type=%c%s%c (0xx); length=%d

method=%d; pri=%d; approx=%d

csid=%d

channo=%d; type=%d; assoc=%d

numchans = %d

cmptno=%d; map=%d; pcol=%d

numents=%d; numchans=%d

LUT[%d][%d]=%d

prec=%d sgnd=%d

type = 0xx (%s);

len = %d;

tileno = %d; len = %d; partno = %d; numparts = %d

caps = 0xx;

width = %d; height = %d; xoff = %d; yoff = %d;

tilewidth = %d; tileheight = %d; tilexoff = %d; tileyoff = %d;

prec[%d] = %d; sgnd[%d] = %d; hsamp[%d] = %d; vsamp[%d] = %d

cod->numlyrs > 0 && cod->compparms.numdlvls <= 32

cod->compparms.numdlvls == cod->compparms.numrlvls - 1

csty = 0xx;

numdlvls = %d; qmfbid = %d; mctrans = %d

prg = %d; numlyrs = %d;

cblkwidthval = %d; cblkheightval = %d; cblksty = 0xx;

prcwidth[%d] = %d, prcheight[%d] = %d

coc->compparms.numdlvls <= 32

compno = %d; csty = 0xx; numdlvls = %d;

cblkwidthval = %d; cblkheightval = %d; cblksty = 0xx; qmfbid = %d;

compno = %d; roisty = %d; roishift = %d

qntsty = %d; numguard = %d; numstepsizes = %d

expn[%d] = 0xx; mant[%d] = 0xx;

compno = %d; qntsty = %d; numguard = %d; numstepsizes = %d

seqno = %d;

ind=%d; len = %d;

po[%d] = %d;

cs[%d] = %d; ce[%d] = %d;

rs[%d] = %d; re[%d] = %d;

le[%d] = %d

hoff[%d] = %d; voff[%d] = %d

regid = %d;

%d %d

x:

1.600.0

node %p, parent %p, value %d, lower %d, known %d

x:

Only compression windows <= 32k supported by PNG

Only compression windows >= 256 supported by PNG

Only compression method 8 is supported by PNG

Empty keyword in iCCP chunk

Empty keyword in sPLT chunk

zero length keyword

Out of memory while procesing keyword

invalid character in keyword

trailing spaces removed from keyword

leading spaces removed from keyword

extra interior spaces removed from keyword

Zero length keyword

keyword length must be 1 - 79 characters

Empty keyword in tEXt chunk

Empty keyword in zTXt chunk

W8.pXq

F*F6GüFkGw

.nvnG

.EA}o

FET%XeP

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

v9.uj -ujb

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

GetCPInfo

version.dll

gdi32.dll

SetViewportOrgEx

GetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

GetAsyncKeyState

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

winspool.drv

ShellExecuteA

winmm.dll

avifil32.dll

MsVfW32.dll

CryptDeriveKey

< < <8<=<

8!8%8)8-8

9 9$9(9,9094989<9\9|9

9/:6:$<:<

<5=%>7>|>

="=&=*=.=2=6=:=

9’9F9X9b9

2#202?2]2

1&1.161>1

8<8 999@9`9

3-353M3U3q3y3}3

6#6'6:6[6

>)?-?1?8?

1(2,24282

6074787<7

4 4$4(4,4044484<4

8-91959<9

4-5155595@5

6 6$6(6,6064686<6

3 3$3(3,3

9#:3:`:}:

11X1g1r1

5%6X6s6

8<9\9*;=;

5@<#=?=]=

; ;$;(;,;0;

<$<0<$=1=

3#3'3 3/33373;3?3,4

8…8C8M8Y8i8w8

5"5&5*5.525

7%8u8

2"3,363;3

>#>'> >/>

5!5%5)5-515

01

:":&:*:.:2:6:]:|:

=5=:=)?.?

9!9%9)9-9

4#4'4 4/43474

9"9&9*9.92979

1.282}253

;;;&<_<|<

4 4$4(4,40444

: :$:(:,:0:4:8:<:

2!2%2)2-2125292=2

4"5,5@5[5

90:4:8:<:~:

:&;*;.;2;8;~;

8#8'8 8/838

>!>&> >6><>

3%3)3`3}6

;3<7<;<@<]<

1@1[1;2}2

8ˆ8c8

2!2-292U2a2}2

8 8$8(8,8084888<8

= =$=(=^=~=

4 4$4(4,4

6 6$6(6,6064686

2-262S2}2

5m6O6f6q6

7-8C8Y8}8

2060:0@0

0 1$1(1|1

3!3%3)303

34484<4@4

2#2'2 2/23272;2?2\2

6!6%6)6-6

7 7[7`7{7

8 8;8@8[8`8{8

0$0/060>0

0 0$0(0,0004080>0

3 4%4S4X4

1#2-272_2{2

93:8:=:#<(<-<

1 1$1(1,10141}1

3!3%3)3-3

2 2$2(2,202

<;<[<#===>>

1 1(10181

2,?0?4?8?<?

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

[0%SwJ:

KWindows

UrlMon

%uTPLb_HashDsc

auKeywordBot

&OverbyteIcsUrl

0OverByteIcsHttpProt

OverbyteIcsHttpContCod

'OverbyteIcsNtlmMsgs

.JvProgressUtils

^uFrameSettingsKeywords

:ufrmKEYWizard

.tiffilt

.ietgafil

.iej2000

.histogrambox

rSqlTimSt

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

3.0.3

Glyph.Data

Items.Strings

16777216

3.1.1

Filter (*.flt)|*.flt

PreviewFont.Charset

PreviewFont.Color

PreviewFont.Height

PreviewFont.Name

PreviewFont.Style

Picture.Data

%CvU38

a@%P%FHY

%s=}2

du%UI

!Ah%d

ÖP$K

%fR)j

.xsGo

.Ic=M

R2

 %C du]

J%x'8

* .uwJf(

(BI&ú@

mK.Cd

zA9.gp

cMK%C

HorzScrollBar.Color

HorzScrollBar.ParentColor

VertScrollBar.Color

VertScrollBar.ParentColor

Pass Index:

Assigned pass:

txtIPass

txtPass

Add captured passwords

Constraints.MinHeight

Constraints.MinWidth

333333333

3333338

PngImage.Data

Keys

Passes

frmSentry.ilListViews

SortUsingLogin1

SortByPassword1

Sort By Password

frmSentry.ilMenus

Edit URL

TMenuItem-CopySelectedURLsToClipboardwithHistoryFilter1

TMenuItem)CopySelectedURLsToClipboardinForumFormat1

ImportSitesfromTextFile1

Import Sites from Text File

cmdSaveHelp

3\nCaptured Keys\n<KEYS>\nCookies Received\n<COOKIE>

eX}%f

f/%fYl

A%s$|t

frmKEYWizard

Keyword Wizard

Build Keywords

Final Keyword

Retry Key Type:

Bad Key Type:

Global Key Type:

Ban Key Type:

txtKey

First Keyword

Keyword 1 Options

cmdKey1Help

If this option is checked, then a keyword will return a match if it is not present in the string it is being compared against.

If both Not and Equal options are checked, then a keyword will return a match if is not equal to the string it is being compared against.

txtKey1

If this option is checked, then a keyword will return a match if it is equal to the string it is being compared against.

If this option is checked, then the the keyword will be checked only against the header field set in the popup menu.

This option applies only to Header Keys.

%Search in the following header field:

Second Keyword

cmdKey2Help

Keyword 2 Options

txtKey2

MenuRetryKey

MenuBadKey

MenuGlobalKey

]If this option is checked, a header key will match only if the received HTML source is empty.

Login Page Ban

cmdLoad

Ëstu

v%ci#r

c%uYy

JeXeI

.YA$1

:.fF&V

N:\uP1

jQd -gV.VW

,4.DfH 

d(c.TqE

F:\XP

mt9.es

ByG,k$.cuW/

DS.Cl

B} %F

f h.Cb

Cz.gF>[

Send To HTTP Debugger

mnucmdSave

cmdLoadWordlist

cmdWordlistClear

cmdLoadUsers

cmdUsersClear

Passwords

cmdLoadPasses

Open a Password List

cmdPassesClear

Clear current Password List

cmdCleanWordlist

cmdSaveWordlist

cmdSaveUsers

cmdCleanUsers

cmdSavePasses

Save Passwords List

cmdCleanPasses

%Remove duplicates from Passwords List

lstCPasses

'Two Lists (User1:Pass1, User1:Pass2...)

'Two Lists (User1:Pass1, User2:Pass1...)

Image URLS extracted

Image URL:

cmdBuild

Image URL Extraction Mode:

cmdBuild2

VRejoin:

Rejoin Settings

vURl

cmdTest

txtImageURLID

lstImageURLs

cmdProcess

cmdAnalyze

This option will enable a second extraction pass. Since this processing feature modify the original image,

If this option is checked, MBA will try to execute the mathematical operations underlined in the captcha.

URL is static

txtVerticalRejoin

TCP Debug

TCP Vars Debug

Left string supports '*' jolly char.

Right string too supports jolly char.

cmdTestParsing

CmdFind

cmdRemove

Action URL:

Pass:

Login Page Stage

Redirect URL:

Redirect Keys:

Keywords Capture Stage

Keys Names:

JConfigure data to capture from the login page with the Parsing Code Wizard

cmdVariables

Delete Additional Redirect URLs

This Cookie that will be sent to the login page.

If this option is enabled, the form engine will get the login page on each attempt,

This option is exclusive with the option "Enable Custom Parsing Code" present in the Login Page stage settings.

If this option is enabled, the form engine will get the login page on each attempt (first stage will be enabled),

If the session cookie text box contains a cookie with the same name of the cookie sent by the login page,

If this option is enabled, the form engine will get the login page on each attempt

txtRedirectUrl

Analyze Login Page

chkKeysCapture

mIf this option is selected, Sentry will add XMLHttpRequest header

uIf this option is selected, Sentry will add XMLHttpRequest header

when the OCR key is matched succesfully against the login page source.

Activation Key:

txtOCRKey

rIf this option is selected, MBA will download the captcha image after the Intermediate Action URL has been called.

If the update index is zero, MBA will automatically select the login form,

If the update index is greater than zero, MBA will select the login form whose index is equal to the set update index.

nIf this option is selected, Sentry will add XMLHttpRequest header

to the headers sent to the Redirect URL.

Enter here the redirect keys.

A redirect key match will trigger the form redirect stage.

A redirect key match has higher priority than any conventional key match (be it success, ban, failure or retry).

Add Additional Redirect URL

Add URL

Form TCP Debug

Form TCP Vars Debug

Add Header Key

Add Source Key

lstCProgression

HotTrackFont.Charset

HotTrackFont.Color

HotTrackFont.Height

HotTrackFont.Name

HotTrackFont.Style

cmdOpenMemo

cmdOpenDebug

Write Debug and Open Debug.txt

cmdReloadSettings

2K?.'.Kekz

Clear Debug and Delete Debug.txt

Constraints.MaxWidth

Other HTTP codes

Use your arrow keys to customize

CopyURLToClipboard1

Copy URL To Clipboard

CopyURLToClipboard1Click

Copy Redirect URL to Clipboard

CopyRedirectURLtoClipboard1Click

Send Proxy to HTTP Debugger

IP:PORT

>Sentry MBA 1.5.0 - by Microsoft Windows [VVV.crackingcore.com]

cmdReloadList

HTTP Header

DownFont.Charset

DownFont.Color

DownFont.Height

DownFont.Name

DownFont.Style

HTTP Debugger

 Text Files (*.txt)|*.txt|Any File (*.*)|*.*

pngHTTPHeader

Icon.Data

Fake Pass Protection

Keywords Settings

%Enables success keyword match retries

Redirect on HTTP level

NOT keywords HTML check

%Enables bad OCR keyword match retries

HTTP Settings

Checks the length of the source returned to match a certain length.

If the length of the returned source is less than what is specified and no keyords are found,

\This option forces MBA to follow redirect HTTP codes to the location set in the 3xx headers.

no keys are matched and the integrated close tags check fails.

Some sites upon bad login send the response over a 401 or 403 or 404(Not Found) or 413 HTTP code.

Set a length equal to the one received upon bad login.

A key with NOT option enabled can generate a false positive against incomplete HTML sources.

Some sites with buggy action script send a bad ocr code response on successful login.

dSome sites, upon bad login, send a fake success response.

chkHTTPFollow

if the Header Keys do not match against the relocation Headers.

\If this option is checked, all HTTP error responses will be processed by the Keyword Engine.

cmdUpdateImagesDatabase

%Update Images Database from Directory

cmdUpdateImagesDatabaseClick

cmdSaveSnapShot

cmdSaveSnapShotClick

cmdLoadSnapShot

$Load Settings from Snap Shot (*.ini)

<USER>:<PASS> filter:

&Apply same rules for <USER> and <PASS>

Rules for <PASS>

&Annoying sound must be in .wav format.

frmSettingsHTTPHeader

cmdWizard

eGœx

Mozilla Firefox

cmdOpenFirefox

Path to prefs.js:

cmdOpenPref

#%smy

cmdOperaOpen

cmdOperaHelp

Use Firefox

Use Opera

chkFirefox

txtFirefoxPath

txtFirefoxPref

chkOpera

txtOperaPath

%sW3j

frmSettingsKeywords

Header Key Phrases

Source Key Phrases

Global Key Phrases

Use Failure Keys

Use Success Keys

Use Ban Keys

Use Retry Keys

Use Global Keys

NGlobal Key Phrases apply to all sites, but their activation is snapshot based.

Update Bruteforcer Keys

Open List of Key Phrases

OpenListofKeyPhrases1Click

Save List of Key Phrases

Site URL

Password:

IÞR

5%.wQ

.uK?r

XMsGTy

rVo"%u

.sV0o

ge%fm

-erZM}

k9'%dvSvWF

G.pGn

f8f.rz{WU

cq.Rl

.SqKC

FTp2u

#.iPk

.yJJ5]

frmToolsHTTPDebugger

cmdRetrieve

lstCProxy

mnucmdDelete

Import Proxies from Text File

HTTPS Analysis

HTTP Analysis

ProxyJudge Keywords:

Delete Judge Keyword.

cmdBuildParsingClick

Site Keys:

cmdExternalIP

cmdOK

Enter a HTTPS URL

Web Server will start and close automatically on port 80.

You cannot change the port for security reasons.

Port 80 must not be blocked.

qIf this option is checked, proxy connect support will be checked

*Check Connect support (Chain, HTTPS, SSL):

MJudge response will be judged valid if all keys set here will be found on it.

Add Key

cmdAddProfileClick

cmdEditProfileClick

?Enter here keywords that have to be found on the site response.

"Configure Additional Redirect URLs

Redirect URLs:

cmdAddVar

cmdDelVar

MenuOperator

cmdDelChanges

cmdApplyChanges

cmdAssign

"Save variable list in .csv format.

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

TFRMKEYWIZARD

TFRMSETTINGSHTTPHEADER

TFRMSETTINGSKEYWORDS

TFRMTOOLSHTTPDEBUGGER

Invalid SQL date/time values

Invalid key.BTSimpleCodec.EncryptFile - plaintext filename parameter was empty.CTSimpleCodec.EncryptFile - ciphertext filename parameter was empty. RSA public key encryption system

Confirmation3Are you sure to delete "%s" from favorite folders ?

%s is not a valid BCD value$Could not parse SQL TimeStamp string

CTSimpleCodec.Init - Asymetric codecs are not initialized by string.

(not implemented yet!)6TCryptographicLibrarys cannot chain more than %d deep.6Circular TCryptographicLibrary chaining is prohibited.*THugeCardinal.CreateAsSizedClone overflow.

THugeCardinal.Add overflow.RCannot assign THugeCardinal because source is too big and resizing is not allowed.!THugeCardinal.Increment overflow.

THugeCardinal.Divide overflow.

MulSmall overflow. THugeCardinal.Subtract overflow.!THugeCardinal.StreamOut overflow. THugeCardinal.StreamIn overflow.gEratosthenesSieveSize value (%d) too small for required number of pre-computed small primes (%d primes)

oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header. TSimpleCodec.Init - No password.CTSimpleCodec.Init - Asymetric codecs are not initialized by string. TSimpleCodec.Init - Hash failed..TSimpleCodec.Init - Reset when not intialized..TSimpleCodec.Begin_EncryptMemory - Wrong mode.6TSimpleCodec.Begin_EncryptMemory - Algorithms not set..TSimpleCodec.Begin_DecryptMemory - Wrong mode.6TSimpleCodec.Begin_DecryptMemory - Algorithms not set.(TSimpleCodec.EncryptMemory - Wrong mode.(TSimpleCodec.DecryptMemory - Wrong mode.,TSimpleCodec.End_DecryptMemory - Wrong mode.,TSimpleCodec.End_EncryptMemory - Wrong mode.QTSimpleCodec.AsymetricKeySizeInBits - Cannot set parameter whilst enc/decrypting.<TSimpleCodec.Init - Cannot set Cipher whilst enc/decrypting.

UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.

Description: BThe "Portable Network Graphics" image contains an invalid palette.

The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.

This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.

There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.

The "Portable Network Graphics" image can not be resize by changing width and height properties. Try assigning the image from a bitmap.]The program tried to add a existent critical chunk to the current image which is not allowed.IIt's not allowed to add a new chunk because the current image is invalid.

ConvertToBWThreshold %d

Rotate %f

Crop %d, %d, %d, %d

High Pass 1

High Pass 2

High Pass 3

Low Pass 1

Low Pass 2jThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted

Fill (%d, %d, %d)

RemoveIsolatedPixels %d, %d

Blur %f-AdjustBrightnessContrastSaturation %d, %d, %d

Resample %d, %d

ConvertTo %d

'Object type not supported for operation

Unsupported PixelFormat

Invalid stream operation

Unsupported GIF version

Invalid extension introducerúiled to allocate memory for GIF DIB

Invalid Image trailerAInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size

ESample count per pixel does not correspond to the given color scheme.5Subsampling value is invalid. Allowed are 1, 2 and 4.CVertical subsampling value must be <= horizontal subsampling value.

Bogus JPEG tables field.%Fractional JPEG scanline unsupported.

Portable network graphic images9Cannot load image. Invalid or unexpected %s image format. Invalid color format in %s file.

Stream read error in %s file.1Cannot load image. %s not supported for %s files..Cannot load image. CRC error found in %s file.6Cannot load image. Compression error found in %s file.:Cannot load image. Extra compressed data found in %s file.1Cannot load image. Palette in %s file is invalid.>Cannot load PNG image. Unexpected but critical chunk detected.

The compression scheme isJConversion between indexed and non-indexed pixel formats is not supported.8Color conversion failed. Could not find a proper method.AColor depth is invalid. Bits per sample must be 1, 2, 4, 8 or 16.

Attempt to register %s twice.

Windows bitmaps"Run length encoded Windows bitmaps"Device independant Windows bitmaps

Windows icons

Windows metafiles

Windows enhanced meta files

JPEG error #%d

Socket type not supported."Operation not supported on socket.

Protocol family not supported.0Address family not supported by protocol family.

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

Socket Error # %d

Operation would block.

Operation now in progress.

Operation already in progress.

Socket operation on non-socket.

Protocol not supported.

Thai (Windows)

Turkish (Windows)

Vietnamese (Windows)

Western European (Windows)"GetCoding must be overridden in %s

Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)

%s is not a valid service.

Cyrillic (Windows)

Greek (Windows)

Hebrew (Windows)

Win32 error: %s (%u)%s%s

Library not found: %s

Function not found: %s.%s

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters&Cannot change the size of a JPEG image

Arabic (Windows)

Baltic (Windows)

Central European (Windows)

128-Byte PrefetchingeCPUID leaf 2 does not report cache descriptor information, use CPUID leaf 4 to query cache parameters

Invalid MMF name "%s"*The MMF named "%s" cannot be created empty

Your code tried to destroy the TJvPanel.ArrangeSettings objects leaving the panel in a broken state. Please fix your code by adding

Cannot open file "%s"

No help keyword specified.

Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRight

Failed to Save Stream %s is already associated with %sE%d is an invalid PageIndex value. PageIndex must be between 0 and %d=This control requires version 4.70 or greater of COMCTL32.DLL

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Value must be between %d and %d

Invalid clipboard format Clipboard does not support Icons

Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form

Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned"Unable to find a Table of Contents

$Parent given is not a parent of '%s'

%s property out of range

%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Thread creation error: %s

Thread Error: %s (%d)0Tab position incompatible with current tab style0Tab style incompatible with current tab position

#A component named %s already exists%String list does not allow duplicates

'%s' is an invalid mask at (%d)$''%s'' is not a valid component name

Invalid property element: %s

Invalid property type: %s

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)

System Error. Code: %d.

*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted(Exception %s in module %s at %p.

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

VVV.crackingcore.com

1.5.0

Modified by an unpaid evaluation copy of Resource Tuner 2 (VVV.heaventools.com)

DriverVideodialog1.exe_2072:

.text

`.data

.idata

@.rsrc

@.reloc

Invalid parameter passed to C runtime function.

advapi32.dll

setupx.dll

setupapi.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

ADMQCMD

USRQCMD

FINISHMSG

IXPd.TMP

msdownld.tmp

TMP4351$.TMP

wextract.pdb

PSSSSSSh

SSSh<

PSSShp

PSShp

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

Command.com /c %s

rundll32.exe %s,InstallHinfSection %s 128 %s

Software\Microsoft\Windows\CurrentVersion\RunOnce

%s /D:%s

PendingFileRenameOperations

SHELL32.DLL

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\

@Kv.AKv

RegCreateKeyExA

RegOpenKeyExA

RegQueryInfoKeyA

RegCloseKey

ADVAPI32.dll

GetWindowsDirectoryA

KERNEL32.dll

GDI32.dll

ExitWindowsEx

MsgWaitForMultipleObjects

USER32.dll

_amsg_exit

_acmdln

msvcrt.dll

COMCTL32.dll

Cabinet.dll

VERSION.dll

)%u]Q

Bp.Dx

gA`0)%UJ

DIRECT~1.EXE

DRIVER~1.EXE

|C0.pC

g%CkJ

WqB%f-

Z:.Zc}4

]`D.gf

u%C(z6

DU%CYT

.DWTsC

3p.mI&

.bs(%

HQ.cY

0.bLv

'z.DW6

#.jTJNn

gN47%D"

f.wvl~qqA

48%FG

w`M=%s

#.Day

>8.MF

3%.Yg

P].CC

5{'n.Cq

.mfM/

~k%FV

lI%SF

mŸJQQ

61.vX

[w.lq

Xr.HlQ}

.PP3r

zR-R}

e5o

[.qM;9

%x:Y_

x.lRW

X.CG,

.Igr}

.Sd6$

9=.vU

n.BVo

%U&U$/& =

2 0 2 1#3

eDeE%D%E

 0n2cp%X

X%F^7R

&O %cm

vQ.Ld

.bbu-'>G

.AzH^

,X.QPK

"%S(}6

Sj.TL

.vL~`

E.Hre

|.HQl.

UL%dn 

FtpC

qXÆ

I)l;.sd~:

rG.UZD

!T1%d

N%S)T*

.LQc_[

)%xZxB`

.lX7Ey

^$%0s

OW.GB

nn?

\l\

.SsM?

\x.is

'Dv%fI

d0.JB

z.GT4

%x i!1EpEvv$KDe

-X}%,1^

~.huW

q.YKF

X%UUH

btb_

.Ag%[O/6

-V#.pb7

I).vh

y.awg

/h.up

Bo.phS

*.ir 

#%S@Nk

VqL%D

bsQl

@.Exi1&

N{0.Hl

px.oSf

(%3X#

Hi.rnU

[04 `@.-

G!%xYd

.wZGl

%U4EC

dx.GQ-/

q.xQ,

cp.os

K%U;pl

^.ukv

dhQ=>%X

d0(CY-Kq}

&-I}n

>ro=%C

>{>{?;>??

6G.InHNJnGNI

%c$_%

ECn.cgq

.QN*&3

na.asb

Nh.jKjNf

ZY%2%U

Z&%D(

$:,:*:9:5

,.Av [

3L.xm

]%Cqd

.SJ}$

,S%SivA&

S=SYS%SUS-

h%flDt

Ux%fp

f..KO

Y.dN|

.xjpd

X.Yp&

U%U)Tr

QCRt

O5F.yp

V.LLK =

U.dU3*f

x.LLPs

vz’uM

5.dcM

6cP%S

s".mF'!

.pC%}MF

V%U%U

jn.Ox

cge%Xz

.Vz;Kx

]Lm"%Us

?/(.Gy)

'_.Xc

%EË

v?,-w}=

X3%D#

.IrzT

.cq!C\

R~(3.OJ

.tQN`

V%D=h

"%xcL

%uy-4l.

s@.cb

O$.vd

y_.rksb?K

84;77=/'; 

%C&M<#

.UG"@

.tx<v

-qE}.

(7t%c_6m

.GL:s

.MKM2

hu}%s

OU5%s

w.ax-I[

w?%fl

Y.OjC

^'.dq

FS%1S

bd.NmI:

-o%CHl

H%D>oK

f;.nk

5.Gqj

.UGd%

.IrDc

~J\.CA

"%X-zq

T@.cY

Z.yzTQ

W.suJ

e>4-.yY

h4.tb-

NeXE

e`i.Ko

`%sUU

%dN@1

S!.xa

.ynI*

wrfSFTp

z)S%u

(%CYg

8.Ij'

?Eg:%X

z%S=Ze

.kIT*H

;.zRt,{

}.dTS3

B.QyFbr

tÐk

.HD\s

bp.XF

(.Gq"n

^%uY`

&O?.cK

.dUFe

'y.zvC

u}8@%x

6{L.DN

hLqbrnen.sBU09B.SQ

<assemblyIdentity version="5.1.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

<!--The ID below indicates application support for Windows Vista -->

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<!--The ID below indicates application support for Windows 7 -->

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<!--The ID below indicates application support for Windows 8 -->

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

Kernel32.dll

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.Ên not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.bImpossibile ottenere informazioni relative allo spazio su disco da: %s.

Messaggio di sistema: %s.5Impossibile individuare una delle risorse necessarie.

LImpossibile recuperare le informazioni sulla versione del sistema operativo.1Richiesta di allocazione di memoria non riuscita.

Tabella dei file piena.2Impossibile passare alla cartella di destinazione.

con %s KB di spazio su disco disponibile in cui installare il programma. Liberare spazio su disco e scegliere Riprova oppure Annulla per uscire dal programma di installazione.UCartella non valida. Verificare che la cartella esista e che non sia di sola lettura.MSpecificare una cartella il cui percorso sia valido oppure scegliere Annulla.!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

=Impossibile aggiornare la casella di modifica della cartella.SImpossibile caricare le funzioni necessarie per la finestra di dialogo del browser.[Impossibile caricare il file Shell32.dll necessario per la finestra di dialogo del browser.

9Errore durante la creazione del processo <%s>. Motivo: %s=La dimensione del cluster in questo sistema non

supportata. Una risorsa necessaria risulta danneggiata._Per questa installazione

necessario Windows 95 o Windows NT 4.0 Beta 2 o versioni successive.#Errore durante il caricamento di %s}Errore di GetProcAddress() sulla funzione "%s". Motivo possibile: si sta utilizzando un versione non corretta di advpack.dll.8Per l'installazione

necessario Windows 95 o Windows NT#Impossibile creare la cartella "%s"

Per installare il programma, sono necessari %s KB di spazio su disco nell'unit

%s. Prima di continuare,

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

3Errore durante la ricerca della cartella di Windows

(Chiusura di NT: errore OpenProcessToken.-Chiusura di NT: errore AdjustTokenPrivileges.%Chiusura di NT: errore ExitWindowsEx.

(%s).

Messaggio di sistema: %s.|Impossibile trovare un'unit

con %s KB di spazio disponibile per installare il programma. Liberare dello spazio e riprovare.cIl programma di installazione sembra essere danneggiato. Contattare il fornitore dell'applicazione.

/C:<Cmd> -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

/C:<Cmd> -- Annulla il comando di installazione definito dall'autore.

]Una copia del pacchetto "%s"

in esecuzione nel sistema in uso. Eseguire un'altra copia? Impossibile trovare il file: %s.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

%La cartella "%s" non esiste. Crearla?tUna copia del pacchetto "%s"

possibile eseguire una sola copia alla volta.MIl pacchetto "%s" non

compatibile con la versione di Windows in esecuzione.UIl pacchetto "%s" non

compatibile con la versione del file %s presente nel sistema.

11.00.9600.16428 (winblue_gdr.131013-1700)

WEXTRACT.EXE .MUI

11.00.9600.16428

DirectWindows.exe_2276:

.text

`.rdata

@.data

.rsrc

@.reloc

C:\data\brennergit\dev\DoNothing\Release\DoNothing.pdb

__crtGetShowWindowMode

_amsg_exit

_wcmdln

_crt_debugger_hook

__crtUnhandledException

__crtTerminateProcess

__crtSetUnhandledExceptionFilter

MSVCR110.dll

_calloc_crt

KERNEL32.dll

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

DRIVER~1.EXE_3784:

.text

P`.data

.rdata

p@.bss

.idata

.rsrc

.zipf

#\$4;\$0

1.2.8

Error %d from inflate: %s

Error %d from inflateInit: %s

Error decompressing %s

%s could not be extracted!

Failed to write all bytes for %s

%s%s%s%s%s%s%s

%s%s%s.pkg

%s%s%s.exe

%s%s%s

Archive not found: %s

Error opening archive %s

%s%s%s%s%s

Error coping %s

Error extracting %s

Failed to unmarshal code object for %s

Failed to execute script %s

pyi-windows-manifest-filename

_MEIPASS2

Cannot open self %s or archive %s

Failed to get executable path.

GetModuleFileNameW: %s

Failed to convert executable path to UTF-8.

PyImport_AddModule

Cannot GetProcAddress for PyImport_AddModule

PyImport_ExecCodeModule

Cannot GetProcAddress for PyImport_ExecCodeModule

PyImport_ImportModule

Cannot GetProcAddress for PyImport_ImportModule

Failed to convert Wflag %s using mbstowcs (invalid multibyte string)

Error loading Python DLL: %s (error code %d)

pythond.dll

Failed to encode _MEIPASS as ANSI.

Failed to get _MEIPASS as PyObject.

_MEIPASS

mod is NULL - %s

Failed to convert %s to ShortFileName

%s?%d

%U?%d

Installing PYZ: Could not get sys.path

Failed to append to sys.path

WARNING: file already exists but should not: %s

Failed to get ANSI buffer size(WideCharToMultiByte: %s)

Failed to encode filename as ANSI(WideCharToMultiByte: %s)

Failed to get UTF-8 buffer size (WideCharToMultiByte: %s)

Failed to encode wchar_t as UTF-8 (WideCharToMultiByte: %s)

inflate 1.2.8 Copyright 1995-2013 Mark Adler

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

GCC: (x86_64-posix-sjlj-rev0, Built by MinGW-W64 project) 4.8.3

GCC: (x86_64-posix-sjlj-rev0, Built by MinGW-W64 project) 4.9.2

_amsg_exit

_wcmdln

KERNEL32.dll

msvcrt.dll

USER32.dll

WS2_32.dll

!""''''(

"""''**$

""''0**#

""''**  

"''*** 2

57.Eool

g .ig

K{P%d

_MEI%d

DRIVER~1.EXE_3980:

.text

P`.data

.rdata

p@.bss

.idata

.rsrc

.zipf

#\$4;\$0

1.2.8

Error %d from inflate: %s

Error %d from inflateInit: %s

Error decompressing %s

%s could not be extracted!

Failed to write all bytes for %s

%s%s%s%s%s%s%s

%s%s%s.pkg

%s%s%s.exe

%s%s%s

Archive not found: %s

Error opening archive %s

%s%s%s%s%s

Error coping %s

Error extracting %s

Failed to unmarshal code object for %s

Failed to execute script %s

pyi-windows-manifest-filename

_MEIPASS2

Cannot open self %s or archive %s

Failed to get executable path.

GetModuleFileNameW: %s

Failed to convert executable path to UTF-8.

PyImport_AddModule

Cannot GetProcAddress for PyImport_AddModule

PyImport_ExecCodeModule

Cannot GetProcAddress for PyImport_ExecCodeModule

PyImport_ImportModule

Cannot GetProcAddress for PyImport_ImportModule

Failed to convert Wflag %s using mbstowcs (invalid multibyte string)

Error loading Python DLL: %s (error code %d)

pythond.dll

Failed to encode _MEIPASS as ANSI.

Failed to get _MEIPASS as PyObject.

_MEIPASS

mod is NULL - %s

Failed to convert %s to ShortFileName

%s?%d

%U?%d

Installing PYZ: Could not get sys.path

Failed to append to sys.path

WARNING: file already exists but should not: %s

Failed to get ANSI buffer size(WideCharToMultiByte: %s)

Failed to encode filename as ANSI(WideCharToMultiByte: %s)

Failed to get UTF-8 buffer size (WideCharToMultiByte: %s)

Failed to encode wchar_t as UTF-8 (WideCharToMultiByte: %s)

inflate 1.2.8 Copyright 1995-2013 Mark Adler

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

GCC: (x86_64-posix-sjlj-rev0, Built by MinGW-W64 project) 4.8.3

GCC: (x86_64-posix-sjlj-rev0, Built by MinGW-W64 project) 4.9.2

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37~1

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE

_amsg_exit

_wcmdln

KERNEL32.dll

msvcrt.dll

USER32.dll

WS2_32.dll

!""''''(

"""''**$

""''0**#

""''**  

"''*** 2

57.Eool

g .ig

K{P%d

_MEI%d

DRIVER~1.EXE_3980_rwx_00330000_00001000:

darkcode.duckdns.org

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   DRIVER~1.EXE:3784
   %original file name%.exe:4008
   Sentry.exe:2340
   DriverVideodialog1.exe:2072
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\python27.dll (146 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\_ctypes.pyd (90 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\Crypto.Cipher._AES.pyd (32 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\Microsoft.VC90.CRT.manifest (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\DriverVideodialog.exe.manifest (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\msvcm90.dll (589 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\unicodedata.pyd (748 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\_hashlib.pyd (1060 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\msvcp90.dll (1061 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\msvcr90.dll (1375 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\bz2.pyd (1137 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_MEI37842\select.pyd (392 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sentry.exe (49756 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sentry_MBA.exe (104786 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DriverVideodialog1.exe (104964 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DirectWindows.exe (1625 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DIRECT~1.EXE (1568 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE (55104 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.