Gen.Variant.Barys.120_5bd44d941d
Trojan.Win32.Jorik.Llac.eli (Kaspersky), Gen:Variant.Barys.120 (B) (Emsisoft), Gen:Variant.Barys.120 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, WormRebhip.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, VirTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5bd44d941dfd1ba615f752f9969edfea
SHA1: 869e839a68f9b5f83711f3109b71d3b1691c749b
SHA256: 328a6ca1fb2aa9f69952d95f82696e365ab20069aa46a1008b13942ba2528274
SSDeep: 49152:RgHfJt7R5STlTxVTNHousDKe88U/k6Pu8h5KLMFX/CslMZs8oX4PSPFsJDAUNFn7:s
Size: 9616502 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-22 06:19:45
Analyzed on: WindowsXP SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
vbc.exe:164
vbc.exe:896
vbc.exe:1952
The Trojan injects its code into the following process(es):
vbc.exe:1876
%original file name%.exe:540
SpyNet 2.7 Final.exe:680
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process vbc.exe:1876 makes changes in the file system.
The Trojan deletes the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\chro.dat (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ffox.dat (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\iexp.dat (0 bytes)
The process vbc.exe:164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ffox.dat (2 bytes)
The process vbc.exe:896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\chro.dat (2 bytes)
The process %original file name%.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\SpyNet 2.7 Final.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WinUpdate.exe (71723 bytes)
The process SpyNet 2.7 Final.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Language\Default.ini (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqlite3.dll (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Settings\Settings.ini (1 bytes)
Registry activity
The process vbc.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 2D 11 78 A2 72 A8 E4 A7 5D C0 B9 9D 96 2D 76"
The process vbc.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 A7 E5 D7 98 B1 54 33 88 63 2D 35 BA E7 EC 8B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process vbc.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C D3 DD CC C3 EE CB 5A 58 03 DA 59 6C 64 7F 92"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process vbc.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 8C B9 87 69 24 F7 C5 F4 B2 86 F3 82 11 42 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process %original file name%.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 92 52 F5 36 FA 43 2A CD 96 5E C5 88 12 8B AE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"SpyNet 2.7 Final.exe" = "SpyNet 2.7 Final"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate" = "%Documents and Settings%\%current user%\Local Settings\Temp\WinUpdate.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process SpyNet 2.7 Final.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 19 F3 B7 B3 AC 89 77 A1 8A 88 BF 6E D7 3D 50"
Dropped PE files
| MD5 | File path |
|---|---|
| f7a8e99f27e8caf794c571de5d47cef6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SpyNet 2.7 Final.exe |
| 744dcc4cbbfbb18fe3878c4e769ec48f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sqlite3.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: Microsoft
Product Name: 2012 Service
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) Microsoft 2012
Legal Trademarks:
Original Filename: 2012 Service.exe
Internal Name: 2012 Service.exe
File Version: 1.0.0.0
File Description: 2012 Service
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 71564 | 71680 | 4.55107 | 8e9965fc7dcd55fc943139bdf14d8273 |
| .rsrc | 81920 | 138460 | 138752 | 2.38714 | fad766b0bf7516d07c4fc949e6c7a2fd |
| .reloc | 221184 | 12 | 512 | 0.070639 | 97a3a5f060715fdd6037b6cfa84448ff |
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
`.rsrc
'6'Wr%SdLR
WVBA6.DLL
?PASSWORDS_OPRA
VBA6.DLL
PASSWORDS_OPRA
PASSWORDS_CDKEY
C:\xampp\htdocs\recovery\VB6.OLB
ReadKey
PASSWORDS_MESS
PASSWORDS_MAIL
PASSWORDS_DIAL
PASSWORDS_CHRO
PASSWORDS_IEXP
PASSWORDS_FFOX
PASSWORDS_PRODKEY
PASSWORDS_PTSG
PASSWORDS_OFFC
WINDOWS_VERSION_FULL
RegCloseKey
RegOpenKeyA
advapi32.dll
txtPassword
imgLoginPressed
imgLogin
hKey
CodeKey
.rsrc
kEYL
)u3SSh#
.Toh\5H
"Account","Login Name
Password
Web Sit
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
msvcrt.dll
ole32.dll
SHELL32.dll
USER32.dll
VERSION.dll
jE-.viCh4
.hp!J"
].Rbl
.text
`.data
]_qÐ
MSVBVM60.DLL
*\AC:\xampp\htdocs\recovery\Project1.vbp
\chro.dat
HKEY_CURRENT_USER\Software\IMVU\username\
HKEY_CURRENT_USER\Software\IMVU\password\
\FileZilla\recentservers.xml
<Pass>
</Pass>
\mess.dat
WScript.shell
\mail.dat
Password
\dial.dat
Action URL
Chrome
\iexp.dat
\ffox.dat
Web Site
FireFox
\opra.dat
Opera
CD-KEY
CDKEY:
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
PRODKEY:
\ptsg.dat
\offc.dat
Product Key
\steam\steam.exe
WScript.Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
WINDOWS VERSION:
00000000
steam.exe
@*\AC:\xampp\htdocs\recovery\Project1.vbp
OperaPassView
OperaPassView.exe
h4ck3rs-41.exe
SpyNet 2.7 Final.exe_680:
`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
comctl32.dll
USER32.DLL
windows
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnExit\%D
msShiftSelect
OnKeyDownL
OnKeyPress
OnKeyUp$
OnKeyUpx
ArrowKeys
vsReport
acoUpDownKeyDropsList
OnKeyUp
RICHED32.DLL
TComboBoxExEnumerator
ole32.dll
PasswordChar
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordh
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
Uh.dH
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMinT
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
PasswordT
0.0.0.1
TIdTCPConnection
TIdTCPConnection\
IdTCPConnection
EIdTCPConnectionError
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\Indy\IdStrings.pas
TIdTCPServer
IdTCPServer
CmdDelimiter
TIdTCPServerConnection
DefaultPort
OnExecute<
EIdTCPServerError
EIdNoExecuteSpecified
LeftPopup
TURLEvent
msnAutoOpenURL
OnURLClick0lK
hXXp://VVV.url.com/
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32_Resamplers.pas
Reverse transformation is not implemented in %s.
Forward transformation is not implemented in %s.
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32.pas
Unpaired TThreadPersistent.EndUpdate
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32_Layers.pas
OnKeyUp\uL
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32_Image.pas
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\VclSkin\imgutil.pas
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\VclSkin\Winskinini.pas
%s_%s
Uh.uM
ttntpanel.unicodeclass
ttntsilentpaintpanel.unicodeclass
xcFastReport
TWWKeyCombo=Combobox
TWWTempKeyCombo=combobox
TO32DBFLEXEDIT=Edit
4.94.12.01
BUTTON.RADIO
BUTTON.CHECKBOX
3333333
Progress.Chunk
Tab.Pane
Trackbar.ThumbHorz
Trackbar.ThumbVert
Trackbar.ThumbLeft
Trackbar.ThumbRight
Trackbar.ThumbUp
Trackbar.ThumbDown
UpDown.Horz
UpDown.Vert
user32.dll
DisableProcessWindowsGhosting
ShellExecuteA
shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
Portugal
Turkey
URLDownloadToFileA
urlmon.dll
IP.txt
hXXp://VVV.ip-adress.com/
GetWindowsDirectoryA
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
1.2.3
Edit1KeyPress
Edit2KeyPress
TFormPortas
UnitPortas
TMsgHandlers
####@####
All Files (*.*)|*.*
tFtpAccess
Edit18KeyPress
Memo1KeyPress
Executables (*.exe) - Icons (*.ico)|*.ico;*.exe
*.ini
createserverpassword
iconemsg
botaomsg
keylogger
keyloggerstrings
keyloggertimer
chromepass
chromepasslink
keylogger0
keylogger1
keylogger2
keyloggerstrings0
keyloggerstrings1
keyloggerstrings2
keyloggerstrings3
keyloggerstrings4
Executables (*.exe)|*.exe
server.exe
UPXfile.exe
(Ex.: 127.0.0.1:81)
mail_test.txt
Google Chrome Passwords
PopupMenuPortas<
PopupMenuPortasPopup
windowsmin
windowsmax
windowsfechar
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listadeportaspronta
finalizarprocessoportas
c:\windows\myservice.exe
windowsfechar|
windowsmax|
windowsmin|
windowsmostrar|
windowsocultar|
windowsmintodas|
windowscaption|
listarportas|
listarportasdns|
finalizarprocessoportas|
FTP User
FTP Password
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
##@@##&&
Text Files (*.txt)|*.txt
MemoInformacionValorKeyPress
renamekey
renamekey|
TFormKeylogger
TFormKeyloggerT
UnitKeylogger
keyloggerdesativar
keyloggerativar
keyloggervazio
keyloggergetlog
\klog.txt
keylogger|
keyloggergetlog|
keyloggereraselog|
keyloggerativar|
keyloggerdesativar|
Image1KeyDown
keyboardkey|
TFormWebcam
UnitWebcam
webcamsettings|
webcam
webcamgetbuffer
Webcam\
webcaminactive|
webcam|
webcamgetbuffer|
Edit4KeyPress
TFormFTPsettings
TFormFTPsettings\
UnitFTPsettings
EnviararquivoFTP1
ComboBox1KeyPress
EnviararquivoFTP1Click
(FTP)
%SYS%
%DESKTOP%
c:\windows\
c:\windows\system32\
listararquivos|%SYS%|
listararquivos|%DESKTOP%|
explorer.exe
*.jpg
sendftp|
Savepasstxt1
Savepasstxt1Click
TFormPasswords
UnitPasswords
Keylogger
KeyloggerClick
TFormSearchKeylogger
UnitSearchKeylogger
hXXp://VVV.scenecoderz.cc/
chatmsg|
GeoIP.dat
SistemaOperacional1h
Porta1|
IdTCPServer1
Selecionarportas1
SendFileExecute1
Listarportasativas1
Baixararquivoeexecutar1
Keylogger1
Webcam1$
Palavraskeylogger1D
HTTPProxy1t
IdTCPServer1Disconnect
IdTCPServer1Execute
Selecionarportas1Click
Listarportasativas1Click
Baixararquivoeexecutar1Click
Keylogger1Click
Webcam1Click
Palavraskeylogger1Click
MSNPopUp1URLClick&
IdTCPServer1Exception
127.0.0.1:81
explorer.exe \windows\
hXXp://VVV.google.com
hXXp://VVV.example.com/server.exe
getielogin
getiepass
getieweb
getfirefox
getchrome
portas
SQLITE3
sqlite3file
sqlite3.dll
Settings.ini
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Default.ini
SceneCoderz.cc
%d days, %s
sound.wav
keyloggersearchok
chatmsg
getpassword
getpassworderror
enviarexecnormal
enviarexechidden
listarportas
webcamactive
webcaminactive
enviarexecnormal|
enviarexechidden|
openweb|
downexec|Y|
downexec|N|
getpassword|
updateservidorweb|
keyloggersearch|
HTTP Proxy
Wave File (*.wav)|*.wav
hXXp://VVV.scenecoderz.cc
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
.idata
.edata
P.reloc
P.rsrc
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
ESQLiteException
TSQLiteDatabase
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Mozilla
Firefox
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
##@@## ##@@## ##@@##
\Google\Chrome\User Data\Default\Web Data
SELECT * FROM logins
password_value
origin_url
ClientPortMin<
ClientPortMaxh
Password<
Porth
TIdTCPConnection0
EIdObjectTypeNotSupported
C:\Users\Administrator\Desktop\Indy\IdStrings.pas
CmdDelimiterh
TIdTCPServerConnectionX
TIdTCPServerP
OnExecute
TIdTCPClient
IdTCPClient
BoundPorth
PortU
TOnHTTPDocument
TIdHTTPProxyServer
IdHTTPProxyServer
OnHTTPDocument
HTTP/1.0
Windows Firewall Update
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
MsgWaitForMultipleObjects
crypt32.dll
funcoes.dll
GetChromePass
Mozilla3_5Password
StartHttpProxy
KWindows
IdTCPStream
IdTCPServer
SQLiteTable3
SQLite3
DIdHTTPProxyServer
UnitChrome
UnitFireFox3_5
(7),01444
'9=82<.342
6=Operating System
14=Country / Keyboard
19=Waiting for connection on ports
26=Port
27=The Port
28=can not be used. Check for another program using the same port or if it is blocked by a firewall.
29=Select listening ports
30=Please enter a valid port.
31=Active Ports
33=Please select a port to be disabled
34=The selected port must be between 1 and 65535.
39=Keylogger
44=Password
63=Active Keylogger
64=keylogger settings
68=Send logs FTP port
72=Show password
74=Send logs by FTP
75=FTP Settings
76=Cancel the execution of the server in the following cases
86=Please enter a password.
87=Please enter a name for the registry key.
90=Complete all the information necessary for sending the logs by FTP
91=Please, insert a valid port. The default port is 21.
97=DNS and port connection
98=Please enter connection address and port
108=Please insert a valid FTP address.
109=Send logs by FTP test
110=This file was created to test the sending of logs by FTP
112=Unable to send logs by FTP. Check the settings and try again.
113=encrypted password
114=Connection password
123=Please enter the new connection address and port
124=Selected servers will be closed and will reconnect only after another execution or system restart (if server startup is enabled)
139=Windows
142=Active Ports
186=Windows Firewall Service
198=Windows list
199=list of windows created successfully
200=Unable to create list of windows
209=All windows as minimized
224=Local Port
226=Remote Port
227=list of active ports created successfully
228=Active ports list
242=Enter the command to be executed
243=Open web page
245=Download and execute file
259=New Key
260=Type the name of the new key
261=The name of the new key is:
263=Are you sure you want to delete the key
266=Key
272=Key name has been successfully changed
273=Unable to change key name
274=The key or value has been deleted successfully
275=Unable to delete key or value
276=The key was created successfully
277=Could not create key
290=Keyboard
291=Capture webcam
308= Execute with parameter
336=Unable to perform operation. The file may be in use by another process.
353=Passwords
354=Enter a word to be sought in the list of passwords
355=Type of password
358=Password
360=Copy password
362=Save passwords (*. txt)
400=From URL
404=words (keylogger)
424=Shutdown Windows
434=Mouse and keyboard
440=Execute
463=* The items which aren't checked will be executed only the first time program is run.
465=Execution
467=Only executable files can be executed in memory
468=View FTP logs
483=Select the names and always end in "#". Example: server.exe#crack.exe#
493=Do you want upload the selected file using FTP?
494=It was sent using FTP the file
495=FTP Options
496=Could not send using FTP the file
510=Some versions of Windows and MSN Messenger not allow these functions.
513 = Only the names of files and registry keys that start with "SPY_NET_RAT" will be hidden and locked by the rootkit
517=Waiting passwords of selected servers
518=Password received from the server
endereco0=127.0.0.1|81
createserverpassword=abcd1234
inicializacao0={08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}infiltrarprocessonome=explorer.exe
nomearquivo=server.exe
iconemsg=1
botaomsg=0
keylogger0=1
keylogger1=1
keylogger2=0
keyloggerstrings0=PTF.server.com
keyloggerstrings1=logs
keyloggerstrings2=ftp_user
keyloggerstrings3=gfhtrhehth
keyloggerstrings4=21
keyloggertimer=5
p2pnames=server.exe#crack.exe#
chromepass=0
chromepasslink=hXXp://VVV.server.com/sqlite3.dllMZP
.reloc
%x`v!
Portions Copyright (c) 1999,2003 Avenger by NhT
Ntdll.dll
NtEnumerateValueKey
NtEnumerateKey
GetProcessHeap
ntdll.dll
SHFileOperationA
AVICAP32.dll
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
XxX.xXx
UuU.uUu
keyboardkey
openweb
downexec
sendftp
keyloggereraselog
listarportasdns
webcamsettings
updateservidorweb
keyloggersearch
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
TThreadSearch`%C
FirstExecution
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getpassword|getpasswordlist|
getpassword|getpassworderror|
Windows\CurrentVersion\Uninstall\eDonkey2000
UNWISE.EXE
icon=shell32.dll,4
shellexecute=
autorun.inf
XX--XX--XX.txt
logs.dat
SQLite3.dll
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
WinExec
SetNamedPipeHandleState
CreatePipe
mpr.dll
gdi32.dll
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
wininet.dll
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
wsock32.dll
gdiplus.dll
GdiplusShutdown
AVICAP32.DLL
winmm.dll
powrprof.dll
msacm32.dll
ADVAPI32.DLL
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
languagefile=Default.ini
portas=(80) (81) (82)
soundfile=sound.wav
[webcam]
SQLite forma
CHECKEYCO,R8
3.5.9{AP_}ED/MSVCRT
<Key/
~d-
DW.Dp,
Sqlite3.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_bind_parameter_count
sqlite3_bind_parameter_name
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_busy_timeout
sqlite3_changes
sqlite3_clear_bindings
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_bytes16
sqlite3_column_decltype16
sqlite3_column_int
sqlite3_column_name16
sqlite3_column_text16
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete
sqlite3_complete16
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_data_count
sqlite3_db_handle
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errmsg16
sqlite3_exec
sqlite3_expired
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_free_table
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_get_table
sqlite3_global_recover
sqlite3_interrupt
sqlite3_last_insert_rowid
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_held
sqlite3_mutex_leave
sqlite3_mutex_notheld
sqlite3_mutex_try
sqlite3_open16
sqlite3_open_v2
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sql
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_version
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
.rdata
VBoxService.exe
SbieDll.dll
dbghelp.dll
Software\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords |
uURLHistory
Password:
abe2869f-9b47-4cd9-a358-c22904dba7f7
Password
WindowsLive:name=*
xxxyyyzzz.dat
\Mozilla Firefox\
softokn3.dll
userenv.dll
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
(unnamed password)
?456789:;<=
!"#$%&'()* ,-./0123
SetWindowsHookExA
pstorec.dll
8 8$8(8,808
5_5
0%0S0X0
KuURLHistory
IEpasswords
.rsrc
version="0.0.0.0"
<description>UPX executable packer</description>
msvcrt.dll
mUnitPortas
%UnitSearchKeylogger
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Items.Strings
o executados somente na primeira execu
Shell Execute (Normal)
Shell Execute (Hidden)
FormPrincipal.ImageListIcons
Lines.Strings
Constraints.MaxHeight
Constraints.MaxWidth
Constraints.MinHeight
Constraints.MinWidth
Porta
z:\Dir\Install\
&{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}%HKEY_LOCAL_MACHINE\Software\.....\Run
$HKEY_CURRENT_USER\Software\.....\Run
Deletar-se ao executar
Picture.Data
Keylogger ativo
o do keylogger:
Enviar logs por FTP
FTP user:
FTP password:
Porta de envio:
Cancelar a execu
keyboard
Bitmap.ResamplerClassName
OnKeyDown
Bitmap.Data
%XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enviar arquivo (FTP)
FormFTPsettings
Pass:
Port:
PTF.client.com
ftpuser
pass1234
Portas ativas
Local Port
Remote Port
PopupMenuPortas
Comando executado com sucesso
Adobe Photoshop CS4 Windows
2010:04:07 17:29:05
urlTEXT
MsgeTEXT
,hXXp://ns.adobe.com/xap/1.0/
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
2010:04:07 17:29:28
2010:04:07 17:30:08
hXXp://ns.adobe.com/xap/1.0/
Adobe Photoshop CS3 Windows
2008:12:16 15:27:46
[email protected]
hXXp://VVV.SceneCoderZ.cc
FormKeylogger
Desligar windows
FormPasswords
List of passwords
Kind of password
&Password recebido do servidor: XXXXXXX
Copy password
Open website
Save Passwords (*.txt)
FormPortas
Items.Data
Sistema Operacional
127.0.0.1 / 127.0.0.1@
Windows XP Professional SP3
Primeira Execu
es nas portas: 80, 81, 82, 83, 5300
Selecionar portas
SistemaOperacional1
Porta1
Listar portas ativas
Webcam1
Web cam
HTTPProxy1
Palavraskeylogger1
Palavras (keylogger)
Baixar arquivo e executar
SendFileExecute
Greeting.NumericCode
MaxConnectionReply.NumericCode
ReplyUnknownCommand.NumericCode
Icon.Data
IconBitmap.Data
HoverFont.Charset
HoverFont.Color
HoverFont.Height
HoverFont.Name
HoverFont.Style
TitleFont.Charset
TitleFont.Color
TitleFont.Height
TitleFont.Name
TitleFont.Style
OnURLClick
MSNPopUp1URLClick
Skin3rd.Strings
H.jx$lM
fTPY
HKEY_CLASSES_ROOT*
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE#
HKEY_USERS,
FormSearchKeylogger
Microsoft Windows [vers
o 6.0.6001]
C:\Users\Server>
Text File (*.txt)|*.txt
FormWebcam
SetViewportOrgEx
GetViewportOrgEx
UnhookWindowsHookEx
LoadKeyboardLayoutA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyNameTextA
EnumThreadWindows
ActivateKeyboardLayout
?G 6.0.6001]
[X.OfI)
LMsg
FtpS
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
comdlg32.dll
version.dll
winspool.drv
SQLITE3FILE
TFORMFTPSETTINGS
TFORMKEYLOGGER
TFORMPASSWORDS
TFORMPORTAS
TFORMSEARCHKEYLOGGER
TFORMWEBCAM
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found1Only one TIdAntiFreeze can exist per application.
Object type not supported.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
No command handler found.*Error on call Winsock2 library function %s
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point valueI/O error %d
Integer overflow Invalid floating point operation
The UPX Team hXXp://upx.sf.net
UPX executable packer
3.00 (2007-04-27)
upx.exe
Address type not supported.;Cannot call TerminateAndWaitFor on FreeAndTerminate threads&Cannot change the size of a JPEG image
JPEG error #%d
No command handler found.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
=This control requires version 4.70 or greater of COMCTL32.DLL
No help keyword specified.
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRight
Failed to Save Stream %s is already associated with %sE%d is an invalid PageIndex value. PageIndex must be between 0 and %d
Unable to insert a line Clipboard does not support Icons
Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned"Unable to find a Table of Contents
No help found for %s
Value must be between %d and %d
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Thread Error: %s (%d)0Tab position incompatible with current tab style0Tab style incompatible with current tab position
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid property type: %s
Item not found ($0%x) List capacity out of bounds (%d)
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
'%s' is not a valid GUID value
vbc.exe_1876_rwx_00400000_001E7000:
`.rsrc
'6'Wr%SdLR
WVBA6.DLL
?PASSWORDS_OPRA
VBA6.DLL
PASSWORDS_OPRA
PASSWORDS_CDKEY
C:\xampp\htdocs\recovery\VB6.OLB
ReadKey
PASSWORDS_MESS
PASSWORDS_MAIL
PASSWORDS_DIAL
PASSWORDS_CHRO
PASSWORDS_IEXP
PASSWORDS_FFOX
PASSWORDS_PRODKEY
PASSWORDS_PTSG
PASSWORDS_OFFC
WINDOWS_VERSION_FULL
RegCloseKey
RegOpenKeyA
advapi32.dll
txtPassword
imgLoginPressed
imgLogin
=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@=>@
5_|568568568568568
568568\68
56`568568
5_|568568\68
568568568568\68
hKey
CodeKey
.rsrc
"Account","Login Name
Password
Web Sit
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
msvcrt.dll
ole32.dll
SHELL32.dll
USER32.dll
VERSION.dll
.text
`.data
]_qÐ
MSVBVM60.DLL
*\AC:\xampp\htdocs\recovery\Project1.vbp
\chro.dat
HKEY_CURRENT_USER\Software\IMVU\username\
HKEY_CURRENT_USER\Software\IMVU\password\
\FileZilla\recentservers.xml
<Pass>
</Pass>
\mess.dat
WScript.shell
\mail.dat
Password
\dial.dat
Action URL
Chrome
\iexp.dat
\ffox.dat
Web Site
FireFox
\opra.dat
Opera
CD-KEY
CDKEY:
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
PRODKEY:
\ptsg.dat
\offc.dat
Product Key
\steam\steam.exe
WScript.Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
WINDOWS VERSION:
00000000
steam.exe
@*\AC:\xampp\htdocs\recovery\Project1.vbp
OperaPassView
OperaPassView.exe
h4ck3rs-41.exe
%original file name%.exe_540_rwx_02B70000_00005000:
{21f5c02d-b05b-4436-bd0f-2d5df96c3eee}
SpyNet 2.7 Final.exe_680_rwx_00401000_005E1000:
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
comctl32.dll
USER32.DLL
windows
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnExit\%D
msShiftSelect
OnKeyDownL
OnKeyPress
OnKeyUp$
OnKeyUpx
ArrowKeys
vsReport
acoUpDownKeyDropsList
OnKeyUp
RICHED32.DLL
TComboBoxExEnumerator
ole32.dll
PasswordChar
ssHorizontal
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordh
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
Uh.dH
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMinT
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
PasswordT
0.0.0.1
TIdTCPConnection
TIdTCPConnection\
IdTCPConnection
EIdTCPConnectionError
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\Indy\IdStrings.pas
TIdTCPServer
IdTCPServer
CmdDelimiter
TIdTCPServerConnection
DefaultPort
OnExecute<
EIdTCPServerError
EIdNoExecuteSpecified
LeftPopup
TURLEvent
msnAutoOpenURL
OnURLClick0lK
hXXp://VVV.url.com/
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32_Resamplers.pas
Reverse transformation is not implemented in %s.
Forward transformation is not implemented in %s.
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32.pas
Unpaired TThreadPersistent.EndUpdate
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32_Layers.pas
OnKeyUp\uL
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\graphics32-1-8-3\GR32_Image.pas
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\VclSkin\imgutil.pas
%Documents and Settings%\Jack\Desktop\1\Backup Work\1\Cliente\VclSkin\Winskinini.pas
%s_%s
Uh.uM
ttntpanel.unicodeclass
ttntsilentpaintpanel.unicodeclass
xcFastReport
TWWKeyCombo=Combobox
TWWTempKeyCombo=combobox
TO32DBFLEXEDIT=Edit
4.94.12.01
BUTTON.RADIO
BUTTON.CHECKBOX
3333333
Progress.Chunk
Tab.Pane
Trackbar.ThumbHorz
Trackbar.ThumbVert
Trackbar.ThumbLeft
Trackbar.ThumbRight
Trackbar.ThumbUp
Trackbar.ThumbDown
UpDown.Horz
UpDown.Vert
user32.dll
DisableProcessWindowsGhosting
ShellExecuteA
shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
Portugal
Turkey
URLDownloadToFileA
urlmon.dll
IP.txt
hXXp://VVV.ip-adress.com/
GetWindowsDirectoryA
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)Set objFileSystem = CreateObject("Scripting.fileSystemObject")Set objFile = objFileSystem.CreateTextFile("Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
1.2.3
Edit1KeyPress
Edit2KeyPress
TFormPortas
UnitPortas
TMsgHandlers
####@####
All Files (*.*)|*.*
tFtpAccess
Edit18KeyPress
Memo1KeyPress
Executables (*.exe) - Icons (*.ico)|*.ico;*.exe
*.ini
createserverpassword
iconemsg
botaomsg
keylogger
keyloggerstrings
keyloggertimer
chromepass
chromepasslink
keylogger0
keylogger1
keylogger2
keyloggerstrings0
keyloggerstrings1
keyloggerstrings2
keyloggerstrings3
keyloggerstrings4
Executables (*.exe)|*.exe
server.exe
UPXfile.exe
(Ex.: 127.0.0.1:81)
mail_test.txt
Google Chrome Passwords
PopupMenuPortas<
PopupMenuPortasPopup
windowsmin
windowsmax
windowsfechar
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listadeportaspronta
finalizarprocessoportas
c:\windows\myservice.exe
windowsfechar|
windowsmax|
windowsmin|
windowsmostrar|
windowsocultar|
windowsmintodas|
windowscaption|
listarportas|
listarportasdns|
finalizarprocessoportas|
FTP User
FTP Password
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
##@@##&&
Text Files (*.txt)|*.txt
MemoInformacionValorKeyPress
renamekey
renamekey|
TFormKeylogger
TFormKeyloggerT
UnitKeylogger
keyloggerdesativar
keyloggerativar
keyloggervazio
keyloggergetlog
\klog.txt
keylogger|
keyloggergetlog|
keyloggereraselog|
keyloggerativar|
keyloggerdesativar|
Image1KeyDown
keyboardkey|
TFormWebcam
UnitWebcam
webcamsettings|
webcam
webcamgetbuffer
Webcam\
webcaminactive|
webcam|
webcamgetbuffer|
Edit4KeyPress
TFormFTPsettings
TFormFTPsettings\
UnitFTPsettings
EnviararquivoFTP1
ComboBox1KeyPress
EnviararquivoFTP1Click
(FTP)
%SYS%
%DESKTOP%
c:\windows\
c:\windows\system32\
listararquivos|%SYS%|
listararquivos|%DESKTOP%|
explorer.exe
*.jpg
sendftp|
Savepasstxt1
Savepasstxt1Click
TFormPasswords
UnitPasswords
Keylogger
KeyloggerClick
TFormSearchKeylogger
UnitSearchKeylogger
hXXp://VVV.scenecoderz.cc/
chatmsg|
GeoIP.dat
SistemaOperacional1h
Porta1|
IdTCPServer1
Selecionarportas1
SendFileExecute1
Listarportasativas1
Baixararquivoeexecutar1
Keylogger1
Webcam1$
Palavraskeylogger1D
HTTPProxy1t
IdTCPServer1Disconnect
IdTCPServer1Execute
Selecionarportas1Click
Listarportasativas1Click
Baixararquivoeexecutar1Click
Keylogger1Click
Webcam1Click
Palavraskeylogger1Click
MSNPopUp1URLClick&
IdTCPServer1Exception
127.0.0.1:81
explorer.exe \windows\
hXXp://VVV.google.com
hXXp://VVV.example.com/server.exe
getielogin
getiepass
getieweb
getfirefox
getchrome
portas
SQLITE3
sqlite3file
sqlite3.dll
Settings.ini
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Default.ini
SceneCoderz.cc
%d days, %s
sound.wav
keyloggersearchok
chatmsg
getpassword
getpassworderror
enviarexecnormal
enviarexechidden
listarportas
webcamactive
webcaminactive
enviarexecnormal|
enviarexechidden|
openweb|
downexec|Y|
downexec|N|
getpassword|
updateservidorweb|
keyloggersearch|
HTTP Proxy
Wave File (*.wav)|*.wav
hXXp://VVV.scenecoderz.cc
!!""##$$%%&&''(())** ,,--..//0123456789:;<=>?
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
.idata
.edata
P.reloc
P.rsrc
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
ESQLiteException
TSQLiteDatabase
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Mozilla
Firefox
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
##@@## ##@@## ##@@##
\Google\Chrome\User Data\Default\Web Data
SELECT * FROM logins
password_value
origin_url
ClientPortMin<
ClientPortMaxh
Password<
Porth
TIdTCPConnection0
EIdObjectTypeNotSupported
C:\Users\Administrator\Desktop\Indy\IdStrings.pas
CmdDelimiterh
TIdTCPServerConnectionX
TIdTCPServerP
OnExecute
TIdTCPClient
IdTCPClient
BoundPorth
PortU
TOnHTTPDocument
TIdHTTPProxyServer
IdHTTPProxyServer
OnHTTPDocument
HTTP/1.0
Windows Firewall Update
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
MsgWaitForMultipleObjects
crypt32.dll
funcoes.dll
GetChromePass
Mozilla3_5Password
StartHttpProxy
KWindows
IdTCPStream
IdTCPServer
SQLiteTable3
SQLite3
DIdHTTPProxyServer
UnitChrome
UnitFireFox3_5
(7),01444
'9=82<.342
6=Operating System
14=Country / Keyboard
19=Waiting for connection on ports
26=Port
27=The Port
28=can not be used. Check for another program using the same port or if it is blocked by a firewall.
29=Select listening ports
30=Please enter a valid port.
31=Active Ports
33=Please select a port to be disabled
34=The selected port must be between 1 and 65535.
39=Keylogger
44=Password
63=Active Keylogger
64=keylogger settings
68=Send logs FTP port
72=Show password
74=Send logs by FTP
75=FTP Settings
76=Cancel the execution of the server in the following cases
86=Please enter a password.
87=Please enter a name for the registry key.
90=Complete all the information necessary for sending the logs by FTP
91=Please, insert a valid port. The default port is 21.
97=DNS and port connection
98=Please enter connection address and port
108=Please insert a valid FTP address.
109=Send logs by FTP test
110=This file was created to test the sending of logs by FTP
112=Unable to send logs by FTP. Check the settings and try again.
113=encrypted password
114=Connection password
123=Please enter the new connection address and port
124=Selected servers will be closed and will reconnect only after another execution or system restart (if server startup is enabled)
139=Windows
142=Active Ports
186=Windows Firewall Service
198=Windows list
199=list of windows created successfully
200=Unable to create list of windows
209=All windows as minimized
224=Local Port
226=Remote Port
227=list of active ports created successfully
228=Active ports list
242=Enter the command to be executed
243=Open web page
245=Download and execute file
259=New Key
260=Type the name of the new key
261=The name of the new key is:
263=Are you sure you want to delete the key
266=Key
272=Key name has been successfully changed
273=Unable to change key name
274=The key or value has been deleted successfully
275=Unable to delete key or value
276=The key was created successfully
277=Could not create key
290=Keyboard
291=Capture webcam
308= Execute with parameter
336=Unable to perform operation. The file may be in use by another process.
353=Passwords
354=Enter a word to be sought in the list of passwords
355=Type of password
358=Password
360=Copy password
362=Save passwords (*. txt)
400=From URL
404=words (keylogger)
424=Shutdown Windows
434=Mouse and keyboard
440=Execute
463=* The items which aren't checked will be executed only the first time program is run.
465=Execution
467=Only executable files can be executed in memory
468=View FTP logs
483=Select the names and always end in "#". Example: server.exe#crack.exe#
493=Do you want upload the selected file using FTP?
494=It was sent using FTP the file
495=FTP Options
496=Could not send using FTP the file
510=Some versions of Windows and MSN Messenger not allow these functions.
513 = Only the names of files and registry keys that start with "SPY_NET_RAT" will be hidden and locked by the rootkit
517=Waiting passwords of selected servers
518=Password received from the server
endereco0=127.0.0.1|81
createserverpassword=abcd1234
inicializacao0={08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}infiltrarprocessonome=explorer.exe
nomearquivo=server.exe
iconemsg=1
botaomsg=0
keylogger0=1
keylogger1=1
keylogger2=0
keyloggerstrings0=PTF.server.com
keyloggerstrings1=logs
keyloggerstrings2=ftp_user
keyloggerstrings3=gfhtrhehth
keyloggerstrings4=21
keyloggertimer=5
p2pnames=server.exe#crack.exe#
chromepass=0
chromepasslink=hXXp://VVV.server.com/sqlite3.dllMZP
.reloc
%x`v!
Portions Copyright (c) 1999,2003 Avenger by NhT
Ntdll.dll
NtEnumerateValueKey
NtEnumerateKey
GetProcessHeap
ntdll.dll
SHFileOperationA
AVICAP32.dll
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
XxX.xXx
UuU.uUu
keyboardkey
openweb
downexec
sendftp
keyloggereraselog
listarportasdns
webcamsettings
updateservidorweb
keyloggersearch
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
TThreadSearch`%C
FirstExecution
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getpassword|getpasswordlist|
getpassword|getpassworderror|
Windows\CurrentVersion\Uninstall\eDonkey2000
UNWISE.EXE
icon=shell32.dll,4
shellexecute=
autorun.inf
XX--XX--XX.txt
logs.dat
SQLite3.dll
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
WinExec
SetNamedPipeHandleState
CreatePipe
mpr.dll
gdi32.dll
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
wininet.dll
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
wsock32.dll
gdiplus.dll
GdiplusShutdown
AVICAP32.DLL
winmm.dll
powrprof.dll
msacm32.dll
ADVAPI32.DLL
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
languagefile=Default.ini
portas=(80) (81) (82)
soundfile=sound.wav
[webcam]
SQLite forma
CHECKEYCO,R8
3.5.9{AP_}ED/MSVCRT
<Key/
~d-
DW.Dp,
Sqlite3.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_bind_parameter_count
sqlite3_bind_parameter_name
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_busy_timeout
sqlite3_changes
sqlite3_clear_bindings
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_bytes16
sqlite3_column_decltype16
sqlite3_column_int
sqlite3_column_name16
sqlite3_column_text16
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete
sqlite3_complete16
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_data_count
sqlite3_db_handle
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errmsg16
sqlite3_exec
sqlite3_expired
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_free_table
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_get_table
sqlite3_global_recover
sqlite3_interrupt
sqlite3_last_insert_rowid
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_held
sqlite3_mutex_leave
sqlite3_mutex_notheld
sqlite3_mutex_try
sqlite3_open16
sqlite3_open_v2
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sql
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_version
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
.rdata
VBoxService.exe
SbieDll.dll
dbghelp.dll
Software\Microsoft\Windows\CurrentVersion
55274-640-2673064-23950
76487-644-3177037-23510
76487-337-8429955-22614
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
Microsoft\Network\Connections\pbk\rasphone.pbk
rasapi32.dll
rnaph.dll
RAS Passwords |
uURLHistory
Password:
abe2869f-9b47-4cd9-a358-c22904dba7f7
Password
WindowsLive:name=*
xxxyyyzzz.dat
\Mozilla Firefox\
softokn3.dll
userenv.dll
profiles.ini
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
(unnamed password)
?456789:;<=
!"#$%&'()* ,-./0123
SetWindowsHookExA
pstorec.dll
8 8$8(8,808
5_5
0%0S0X0
KuURLHistory
IEpasswords
.rsrc
version="0.0.0.0"
<description>UPX executable packer</description>
msvcrt.dll
mUnitPortas
%UnitSearchKeylogger
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Items.Strings
o executados somente na primeira execu
Shell Execute (Normal)
Shell Execute (Hidden)
FormPrincipal.ImageListIcons
Lines.Strings
Constraints.MaxHeight
Constraints.MaxWidth
Constraints.MinHeight
Constraints.MinWidth
Porta
z:\Dir\Install\
&{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}%HKEY_LOCAL_MACHINE\Software\.....\Run
$HKEY_CURRENT_USER\Software\.....\Run
Deletar-se ao executar
Picture.Data
Keylogger ativo
o do keylogger:
Enviar logs por FTP
FTP user:
FTP password:
Porta de envio:
Cancelar a execu
keyboard
Bitmap.ResamplerClassName
OnKeyDown
Bitmap.Data
%XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Enviar arquivo (FTP)
FormFTPsettings
Pass:
Port:
PTF.client.com
ftpuser
pass1234
Portas ativas
Local Port
Remote Port
PopupMenuPortas
Comando executado com sucesso
Adobe Photoshop CS4 Windows
2010:04:07 17:29:05
urlTEXT
MsgeTEXT
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
2010:04:07 17:30:08
Adobe Photoshop CS3 Windows
2008:12:16 15:27:46
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" dc:format="image/jpeg" xap:CreatorTool="Adobe Photoshop CS3 Windows" xap:CreateDate="2008-12-16T15:27:46Z" xap:ModifyDate="2008-12-16T15:27:46Z" xap:MetadataDate="2008-12-16T15:27:46Z" xapMM:DocumentID="uuid:7E3DEE1686CBDD119BC6EC4C7EC7BE18" xapMM:InstanceID="uuid:7F3DEE1686CBDD119BC6EC4C7EC7BE18" tiff:Orientation="1" tiff:XResolution="960120/10000" tiff:YResolution="960120/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;88D0F315E3EC4C692131AA327ECD5B36" exif:PixelXDimension="600" exif:PixelYDimension="300" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;44C0A4B92143BBB7980B22AB7B13DDF4" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History=""> <xapMM:DerivedFrom stRef:instanceID="uuid:9896DE9AF9CADD1191F8B997AB237155" stRef:documentID="uuid:A9B04AA8F1CADD1191F8B997AB237155"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
A<.tH
%DQd1T
K.kbu
]MSGUG_
%UUUQE
[email protected]
hXXp://VVV.SceneCoderZ.cc
FormKeylogger
!#6&;>?@@@???'''
,>;><=:5
.UZXEDCB@>=:4
.XQTSQPMJZHHHGYYFXEDCCC@><6$3[
!6&>?@@@?@''
33333333333333
3333337
333333338
3333333333
%XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/
.llll|>!
!"#-.-01&
()* ,-./012"
Desligar windows
FormPasswords
List of passwords
Kind of password
&Password recebido do servidor: XXXXXXX
Copy password
Open website
Save Passwords (*.txt)
FormPortas
Items.Data
Sistema Operacional
127.0.0.1 / 127.0.0.1@
Windows XP Professional SP3
Primeira Execu
es nas portas: 80, 81, 82, 83, 5300
Selecionar portas
SistemaOperacional1
Porta1
Listar portas ativas
Webcam1
Web cam
HTTPProxy1
Palavraskeylogger1
Palavras (keylogger)
Baixar arquivo e executar
SendFileExecute
Greeting.NumericCode
MaxConnectionReply.NumericCode
ReplyUnknownCommand.NumericCode
Icon.Data
IconBitmap.Data
"""$$$"""
...TSUqkvSMXusyxw
555...'''&&&
).-*,,(**%%%
*,,244133,,,!!!
$&&022888444***"""
!3./111644222
%%ÌcWWWXXXbbbeee___^^^ccceee```MMM@@@
...PPP]]]
HoverFont.Charset
HoverFont.Color
HoverFont.Height
HoverFont.Name
HoverFont.Style
TitleFont.Charset
TitleFont.Color
TitleFont.Height
TitleFont.Name
TitleFont.Style
OnURLClick
MSNPopUp1URLClick
Skin3rd.Strings
H.jx$lM
fTPY
HKEY_CLASSES_ROOT*
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE#
HKEY_USERS,
FormSearchKeylogger
Microsoft Windows [vers
o 6.0.6001]
C:\Users\Server>
Text File (*.txt)|*.txt
FormWebcam
SetViewportOrgEx
GetViewportOrgEx
UnhookWindowsHookEx
LoadKeyboardLayoutA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyNameTextA
EnumThreadWindows
ActivateKeyboardLayout
?G 6.0.6001]
[X.OfI)
LMsg
SQLITE3FILE
TFORMFTPSETTINGS
TFORMKEYLOGGER
TFORMPASSWORDS
TFORMPORTAS
TFORMSEARCHKEYLOGGER
TFORMWEBCAM
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found1Only one TIdAntiFreeze can exist per application.
Object type not supported.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
No command handler found.*Error on call Winsock2 library function %s
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point valueI/O error %d
Integer overflow Invalid floating point operation
The UPX Team hXXp://upx.sf.net
UPX executable packer
3.00 (2007-04-27)
upx.exe
Address type not supported.;Cannot call TerminateAndWaitFor on FreeAndTerminate threads&Cannot change the size of a JPEG image
JPEG error #%d
No command handler found.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
=This control requires version 4.70 or greater of COMCTL32.DLL
No help keyword specified.
Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d<MultiLine must be True when TabPosition is tpLeft or tpRight
Failed to Save Stream %s is already associated with %sE%d is an invalid PageIndex value. PageIndex must be between 0 and %d
Unable to insert a line Clipboard does not support Icons
Text exceeds memo capacity.There is no default printer currently selected/Menu '%s' is already being used by another form
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count#No OnGetItem event handler assigned"Unable to find a Table of Contents
No help found for %s
Value must be between %d and %d
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active0Can only modify an image if it contains a bitmap*A control cannot have itself as its parent
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Thread Error: %s (%d)0Tab position incompatible with current tab style0Tab style incompatible with current tab position
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid property type: %s
Item not found ($0%x) List capacity out of bounds (%d)
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
'%s' is not a valid GUID value
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
vbc.exe:164
vbc.exe:896
vbc.exe:1952
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ffox.dat (2 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\chro.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SpyNet 2.7 Final.exe (15021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WinUpdate.exe (71723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Language\Default.ini (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqlite3.dll (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Settings\Settings.ini (1 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate" = "%Documents and Settings%\%current user%\Local Settings\Temp\WinUpdate.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.