MD5: 8f41fe050982a89a721ec1502b6706aa
SHA1: a7af75e3cb31e6379b69d8081819a4b1ea63d17b
SHA256: e9a0df0a8e336a194451e6d065fcaaf0c4b965643b2ba81ca84d1457358f919b
SSDeep: 24576:ZOQ6aZgFFUj1Su7E 6mz6KeZPlxv0epyC9qNkcH7r/:ZOBaZgrUvA lzB8PL8wyC9cHX/
Size: 862720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, BorlandDelphi30, ACProtect141
Company: no certificate found
Created at: 2016-10-13 13:41:40
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1944

The Trojan injects its code into the following process(es):

Client.exe:2780

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\SubDir\Client.exe (7705 bytes)

Registry activity

The process Client.exe:2780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Client_RASMANCS]
"EnableConsoleTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam Client Bootstrapper" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\SubDir\Client.exe"

The process %original file name%.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\8f41fe050982a89a721ec1502b6706aa_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\8f41fe050982a89a721ec1502b6706aa_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\8f41fe050982a89a721ec1502b6706aa_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\8f41fe050982a89a721ec1502b6706aa_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\8f41fe050982a89a721ec1502b6706aa_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\8f41fe050982a89a721ec1502b6706aa_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam Client Bootstrapper" = "c:\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Valve Corporation
Product Name: Steam Client Bootstrapper
Product Version: 1.2.3.4
Legal Copyright:
Legal Trademarks:
Original Filename: Steam.exe
Internal Name: Steam.exe
File Version: 5.6.7.8
File Description: Steam Client Bootstrapper
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://telize.com/geoip	163.172.140.38
hxxp://freegeoip.net/xml/	158.69.243.235
hxxp://www.telize.com/geoip	163.172.140.38
thatgamerblue.ddns.net	86.142.55.60
dns.msftncsi.com	131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /geoip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: telize.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx/1.10.1

Date: Thu, 20 Oct 2016 10:33:18 GMT

Content-Type: text/html

Content-Length: 185

Connection: keep-alive

Location: hXXp://VVV.telize.com/geoip
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.10.1</center>..</body>..</html>..HTTP/
1.1 301 Moved Permanently..Server: nginx/1.10.1..Date: Thu, 20 Oct 201
6 10:33:18 GMT..Content-Type: text/html..Content-Length: 185..Connecti
on: keep-alive..Location: hXXp://VVV.telize.com/geoip..<html>..&
lt;head><title>301 Moved Permanently</title></head&g
t;..<body bgcolor="white">..<center><h1>301 Moved Pe
rmanently</h1></center>..<hr><center>nginx/1.1
0.1</center>..</body>..</html>....

GET /xml/ HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: freegeoip.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/xml

Vary: Origin

X-Database-Date: Tue, 04 Oct 2016 19:04:28 GMT

X-Ratelimit-Limit: 10000

X-Ratelimit-Remaining: 9998

X-Ratelimit-Reset: 3599

Date: Thu, 20 Oct 2016 10:34:00 GMT

Content-Length: 363
<Response>..<IP>194.242.96.218</IP>..<CountryCode
>UA</CountryCode>..<CountryName>Ukraine</CountryName
>..<RegionCode>63</RegionCode>..<RegionName>Khark
ivs'ka Oblast'</RegionName>..<City>Kharkiv</Cit
y>..<ZipCode></ZipCode>..<TimeZone>Europe/Kiev<
;/TimeZone>..<Latitude>49.9808</Latitude>..<Longitud
e>36.2527</Longitude>..<MetroCode>0</MetroCode>.&
lt;/Response>.HTTP/1.1 200 OK..Content-Type: application/xml..Vary:
 Origin..X-Database-Date: Tue, 04 Oct 2016 19:04:28 GMT..X-Ratelimit-L
imit: 10000..X-Ratelimit-Remaining: 9998..X-Ratelimit-Reset: 3599..Dat
e: Thu, 20 Oct 2016 10:34:00 GMT..Content-Length: 363..<Response>
;..<IP>194.242.96.218</IP>..<CountryCode>UA</Coun
tryCode>..<CountryName>Ukraine</CountryName>..<Regio
nCode>63</RegionCode>..<RegionName>Kharkivs'ka Obla
st'</RegionName>..<City>Kharkiv</City>..<ZipC
ode></ZipCode>..<TimeZone>Europe/Kiev</TimeZone>.
.<Latitude>49.9808</Latitude>..<Longitude>36.2527<
;/Longitude>..<MetroCode>0</MetroCode>.</Response>
;...

GET /geoip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: telize.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx/1.10.1

Date: Thu, 20 Oct 2016 10:33:19 GMT

Content-Type: text/html

Content-Length: 185

Connection: keep-alive

Location: hXXp://VVV.telize.com/geoip
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.10.1</center>..</body>..</html>..HTTP/
1.1 301 Moved Permanently..Server: nginx/1.10.1..Date: Thu, 20 Oct 201
6 10:33:19 GMT..Content-Type: text/html..Content-Length: 185..Connecti
on: keep-alive..Location: hXXp://VVV.telize.com/geoip..<html>..&
lt;head><title>301 Moved Permanently</title></head&g
t;..<body bgcolor="white">..<center><h1>301 Moved Pe
rmanently</h1></center>..<hr><center>nginx/1.1
0.1</center>..</body>..</html>....

GET /xml/ HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: freegeoip.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/xml

Vary: Origin

X-Database-Date: Tue, 04 Oct 2016 19:04:28 GMT

X-Ratelimit-Limit: 10000

X-Ratelimit-Remaining: 9999

X-Ratelimit-Reset: 3600

Date: Thu, 20 Oct 2016 10:33:59 GMT

Content-Length: 363
<Response>..<IP>194.242.96.218</IP>..<CountryCode
>UA</CountryCode>..<CountryName>Ukraine</CountryName
>..<RegionCode>63</RegionCode>..<RegionName>Khark
ivs'ka Oblast'</RegionName>..<City>Kharkiv</Cit
y>..<ZipCode></ZipCode>..<TimeZone>Europe/Kiev<
;/TimeZone>..<Latitude>49.9808</Latitude>..<Longitud
e>36.2527</Longitude>..<MetroCode>0</MetroCode>.&
lt;/Response>.HTTP/1.1 200 OK..Content-Type: application/xml..Vary:
 Origin..X-Database-Date: Tue, 04 Oct 2016 19:04:28 GMT..X-Ratelimit-L
imit: 10000..X-Ratelimit-Remaining: 9999..X-Ratelimit-Reset: 3600..Dat
e: Thu, 20 Oct 2016 10:33:59 GMT..Content-Length: 363..<Response>
;..<IP>194.242.96.218</IP>..<CountryCode>UA</Coun
tryCode>..<CountryName>Ukraine</CountryName>..<Regio
nCode>63</RegionCode>..<RegionName>Kharkivs'ka Obla
st'</RegionName>..<City>Kharkiv</City>..<ZipC
ode></ZipCode>..<TimeZone>Europe/Kiev</TimeZone>.
.<Latitude>49.9808</Latitude>..<Longitude>36.2527<
;/Longitude>..<MetroCode>0</MetroCode>.</Response>
;...

GET /geoip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: VVV.telize.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Server: nginx/1.10.1

Date: Thu, 20 Oct 2016 10:33:18 GMT

Content-Type: text/html

Content-Length: 169

Connection: close
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.10
.1</center>..</body>..</html>....

GET /geoip HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: VVV.telize.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Server: nginx/1.10.1

Date: Thu, 20 Oct 2016 10:33:19 GMT

Content-Type: text/html

Content-Length: 169

Connection: close
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.10
.1</center>..</body>..</html>....

The Trojan connects to the servers at the folowing location(s):

.Mfi3

^%Sij

Client.exe_2780_rwx_012A2000_00043000:

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

hSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADi

QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

System.Drawing.Bitmap

v4.0.30319

*.*O*

Client.exe

System.Windows.Forms

System.Drawing

System.Core

System.Runtime.Serialization

System.Management

System.Xml

System.Security

Microsoft.VisualBasic

kernel32.dll

user32.dll

gdi32.dll

msvcrt.dll

advapi32.dll

shlwapi.dll

Kernel32.dll

shell32.dll

xClient.Properties.Resources.resources

System.Runtime.CompilerServices

.ctor

get_ExecutablePath

.cctor

System.Threading

WindowsIdentity

System.Security.Principal

WindowsPrincipal

WindowsBuiltInRole

System.Diagnostics

System.Text

System.IO

System.Text.RegularExpressions

System.Collections.Generic

System.Linq

System.Collections

System.Runtime.InteropServices

keyDown

OperatingSystem

get_Is64BitOperatingSystem

RegistryKey

Microsoft.Win32

OpenBaseKey

OpenSubKey

System.Drawing.Imaging

System.Net.NetworkInformation

get_OperationalStatus

OperationalStatus

System.Net

System.Net.Sockets

set_WindowStyle

ProcessWindowStyle

set_UseShellExecute

xClient.Core.NetSerializer

System.Reflection

System.Reflection.Emit

KeyValuePair`2

ContainsKey

NotSupportedException

get_Key

InvalidOperationException

<.ctor>b__0

<.ctor>b__1

<.ctor>b__2

xClient.Core.NetSerializer.TypeSerializers

System.Collections.Generic.IEnumerable<System.Type>.GetEnumerator

System.Collections.IEnumerable.GetEnumerator

System.Collections.Generic.IEnumerator<System.Type>.get_Current

System.Collections.IEnumerator.Reset

System.IDisposable.Dispose

System.Collections.IEnumerator.get_Current

System.Collections.Generic.IEnumerator<System.Type>.Current

System.Collections.IEnumerator.Current

GetSupportedTypes

port

HttpWebRequest

HttpWebResponse

WebRequest

WebResponse

formattedKeyValue

WebClient

IWebProxy

System.Security.Cryptography

set_Key

keyName

OpenReadonlySubKeySafe

OpenWritableSubKeySafe

GetFormattedKeyValues

<GetFormattedKeyValues>b__1

keyVal

<GetFormattedKeyValues>d__5

<>3__key

System.Collections.Generic.IEnumerable<System.String>.GetEnumerator

System.Collections.Generic.IEnumerator<System.String>.get_Current

System.Collections.Generic.IEnumerator<System.String>.Current

GetPasswordsResponse

xClient.Core.Packets.ClientPackets

<Passwords>k__BackingField

get_Passwords

set_Passwords

Passwords

DoKeyboardEvent

xClient.Core.Packets.ServerPackets

<Key>k__BackingField

<KeyDown>k__BackingField

get_KeyDown

set_KeyDown

KeyDown

GetPasswords

GetSubKeyNames

keyf

get_Port

set_Port

Port

keybd_event

xClient.Core.Utilities

xClient.Core.Compression

Keys

hotkeys

hotKeyDelegate

anyKeyInTheExclusiveOrSet

orKeySet

KeyEventArgs

get_KeyCode

HotKeys

HotKeysActivated

add_KeyDown

KeyEventHandler

remove_KeyDown

add_KeyPress

KeyPressEventHandler

remove_KeyPress

add_KeyUp

remove_KeyUp

IKeyboardMouseEvents

xClient.Core.MouseKeyHook

xClient.Core.MouseKeyHook.Implementation

m_KeyListenerCache

GetKeyListener

CreateKeyListener

KeyPress

KeyUp

KeyListener

InvokeKeyDown

KeyPressEventArgs

InvokeKeyPress

InvokeKeyUp

keyboardStateNative

keys

keyData

isKeyDown

isKeyUp

get_IsKeyDown

set_IsKeyDown

get_IsKeyUp

set_IsKeyUp

vKey

IsKeyDown

IsKeyUp

keyChar

<wasKeyDown>5__4

<isKeyReleased>5__5

<virtualKeyCode>5__6

System.Collections.Generic.IEnumerable<xClient.Core.MouseKeyHook.KeyPressEventArgsExt>.GetEnumerator

System.Collections.Generic.IEnumerator<xClient.Core.MouseKeyHook.KeyPressEventArgsExt>.get_Current

System.Collections.Generic.IEnumerator<xClient.Core.MouseKeyHook.KeyPressEventArgsExt>.Current

<keyboardHookStruct>5__12

<virtualKeyCode>5__13

IsModifierKeysSet

pressedKeys

IsModifierKey

ContainsKeyChar

IsExcludedKey

isMouseKeyDown

isMouseKeyUp

get_IsMouseKeyDown

set_IsMouseKeyDown

get_IsMouseKeyUp

set_IsMouseKeyUp

IsMouseKeyDown

IsMouseKeyUp

System.ComponentModel

SetWindowsHookEx

UnhookWindowsHookEx

Microsoft.Win32.SafeHandles

<.cctor>b__0

xClient.Core.MouseKeyHook.WinApi

virtualKeyCode

uVirtKey

lpbKeyState

lpwTransKey

wVirtKey

lpKeyState

pbKeyState

GetKeyboardState

GetKeyState

MapVirtualKeyEx

GetKeyboardLayout

GetKeyloggerLogsResponse

DoShellExecuteResponse

GetKeyloggerLogs

DoShellExecute

<DownloadURL>k__BackingField

get_DownloadURL

set_DownloadURL

downloadurl

DownloadURL

DoUploadAndExecute

DoVisitWebsite

<URL>k__BackingField

get_URL

set_URL

System.Globalization

firefoxProfilePath

firefoxPath

loadCerts

get_httpRealm

set_httpRealm

get_formSubmitURL

set_formSubmitURL

get_passwordField

set_passwordField

get_encryptedPassword

set_encryptedPassword

get_timePasswordChanged

set_timePasswordChanged

httpRealm

formSubmitURL

passwordField

encryptedPassword

timePasswordChanged

get_logins

set_logins

logins

get_Password

set_Password

Password

get_HttpOnly

set_HttpOnly

HttpOnly

get_HostKey

set_HostKey

HostKey

System.Runtime.Serialization.Json

Microsoft.VisualBasic.CompilerServices

urlHash

wstrURL

hKey

ExplorerUrlHistory

xClient.Core.Recovery.Browsers

urlHistory

_urlHistoryList

pocsUrl

QueryUrl

STATURLEnumerator

_staturl

GetUrlHistory

pszUrl

UrlCanonicalize

System.Runtime.InteropServices.ComTypes

System.Collections.IComparer.Compare

UrlString

AddUrl

DeleteUrl

lpSTATURL

get_EnumUrls

EnumUrls

IUrlHistoryStg2

AddUrlAndNotify

xClient.Core.ReverseProxy.Packets

<Port>k__BackingField

<LocalPort>k__BackingField

get_LocalPort

set_LocalPort

localPort

LocalPort

<OperatingSystem>k__BackingField

get_OperatingSystem

set_OperatingSystem

operatingsystem

DoDownloadAndExecute

Keylogger

System.Timers

_pressedKeys

_pressedKeyChars

_ignoreSpecialKeys

OnKeyDown

get_KeyChar

OnKeyPress

OnKeyUp

HighlightSpecialKeys

System.Resources

System.CodeDom.Compiler

System.Configuration

TKey

System.Runtime.Versioning

$3C374A42-BAE4-11CF-BF7D-00AA006946EE

$3C374A41-BAE4-11CF-BF7D-00AA006946EE

$AFA0DC11-C313-11D0-831A-00C04FD5AE38

$3C374A40-BAE4-11CF-BF7D-00AA006946EE

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

12.0.0.0

Client.Tests

1.2.0.0

).NETFramework,Version=v4.0,Profile=Client

.NET Framework 4 Client Profile

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

_CorExeMain

mscoree.dll

$1%`%X&>&

"!$#&%)( *,*-*.*/*0*2131415161718191>=?=MLQPUTWVkjljnmsrtr|{

:Zone.Identifier

(.{2})(.{2})(.{2})(.{2})(.{2})(.{2})

$1:$2:$3:$4:$5:$6

00:00:00:00:00:00

Mono.Runtime

SELECT Caption FROM Win32_OperatingSystem

^.*(?=Windows)

SELECT * FROM Win32_OperatingSystem WHERE Primary='true'

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Multi-dim arrays not supported: {0}

Cannot serialize {0}: ISerializable not supported

No executable file

hXXp://

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A

Visited Website

{0}{4}{1}{4}{2}{4}{3}

{0} [{1}, {2}]

{0} ({1}) [{2}, {3}]

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

Only on 64-bit systems supported

URL=file:///

desktop.ini

{0}||{1}

C# version only supports level 1 and 3

Key can not be empty.

{0}\FileZilla\recentservers.xml

{0}\FileZilla\sitemanager.xml

PublicKeyFile

PortNumber

[PRIVATE KEY LOCATION: "{0}"]

ControlKey

Google\Chrome\User Data\Default\Login Data

Chrome

Google\Chrome\User Data\Default\Cookies

Firefox is not installed, or the install path could not be located

Firefox does not have any profiles, has it ever been launched?

logins.json

Firefox does not have any logins.json file

cookies.sqlite

Firefox does not have any cookie file

Firefox

\firefox.exe

35.0.0

\msvcr100.dll

\msvcp100.dll

\msvcr120.dll

\msvcp120.dll

\mozglue.dll

\nss3.dll

\Mozilla\Firefox\Profiles

Firefox Application Data folder does not exist!

No Firefox profiles could be found

No Firefox logins.json was found

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

No installs of firefox recorded in its key.

PK11_GetInternalKeySlot

User: {0}{3}Pass: {1}{3}Host: {2}

Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}

origin_url

password_value

host_key

httponly

SQLite format 3

Not a valid SQLite 3 Database File

Auto-vacuum capable database is not supported

Opera Software\Opera Stable\Login Data

Opera

Opera Software\Opera Stable\Cookies

Yandex\YandexBrowser\User Data\Default\Login Data

ad.png

ae.png

af.png

ag.png

ai.png

al.png

am.png

an.png

ao.png

ar.png

as.png

at.png

au.png

aw.png

ax.png

az.png

ba.png

bb.png

bd.png

be.png

bf.png

bg.png

bh.png

bi.png

bj.png

bm.png

bn.png

bo.png

br.png

bs.png

bt.png

bv.png

bw.png

by.png

bz.png

ca.png

catalonia.png

cc.png

cd.png

cf.png

cg.png

ch.png

ci.png

ck.png

cl.png

cm.png

cn.png

co.png

cr.png

cs.png

cu.png

cv.png

cx.png

cy.png

cz.png

de.png

dj.png

dk.png

dm.png

do.png

dz.png

ec.png

ee.png

eg.png

eh.png

england.png

er.png

es.png

et.png

europeanunion.png

fam.png

fi.png

fj.png

fk.png

fm.png

fo.png

fr.png

ga.png

gb.png

gd.png

ge.png

gf.png

gh.png

gi.png

gl.png

gm.png

gn.png

gp.png

gq.png

gr.png

gs.png

gt.png

gu.png

gw.png

gy.png

hk.png

hm.png

hn.png

hr.png

ht.png

hu.png

id.png

ie.png

il.png

in.png

io.png

iq.png

ir.png

is.png

it.png

jm.png

jo.png

jp.png

ke.png

kg.png

kh.png

ki.png

km.png

kn.png

kp.png

kr.png

kw.png

ky.png

kz.png

la.png

lb.png

lc.png

li.png

lk.png

lr.png

ls.png

lt.png

lu.png

lv.png

ly.png

ma.png

mc.png

md.png

me.png

mg.png

mh.png

mk.png

ml.png

mm.png

mn.png

mo.png

mp.png

mq.png

mr.png

ms.png

mt.png

mu.png

mv.png

mw.png

mx.png

my.png

mz.png

na.png

nc.png

ne.png

nf.png

ng.png

ni.png

nl.png

no.png

np.png

nr.png

nu.png

nz.png

om.png

pa.png

pe.png

pf.png

pg.png

ph.png

pk.png

pl.png

pm.png

pn.png

pr.png

ps.png

pt.png

pw.png

py.png

qa.png

re.png

ro.png

rs.png

ru.png

rw.png

sa.png

sb.png

sc.png

scotland.png

sd.png

se.png

sg.png

sh.png

si.png

sj.png

sk.png

sl.png

sm.png

sn.png

so.png

sr.png

st.png

sv.png

sy.png

sz.png

tc.png

td.png

tf.png

tg.png

th.png

tj.png

tk.png

tl.png

tm.png

tn.png

to.png

tr.png

tt.png

tv.png

tw.png

tz.png

ua.png

ug.png

um.png

us.png

uy.png

uz.png

va.png

vc.png

ve.png

vg.png

vi.png

vn.png

vu.png

wales.png

wf.png

ws.png

ye.png

yt.png

za.png

zm.png

zw.png

hXXp://telize.com/geoip

Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

hXXp://freegeoip.net/xml/

hXXp://api.ipify.org/

<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on

dd.MM.yyyy HH:mm

xClient.Properties.Resources

Client.exe_2780_rwx_012EC000_0040F000:

.idata

.edata

P.reloc

P.rsrc

.reloc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

.Owner

W:\3rdparty\ScreamSec\SecUtils.pas

TCipher.CreateIntf: Algorithm mismatch

TBlockCipher.CreateIntf: Wrong VectorSize

Cipher mode not supported

The vector for %s is %d blocks. Cannot initialize with a %d block vector.

The block size for %s is %d bytes and the key is %d bytes. Cannot initialize with a %d block vector.

The minimum key and IV size for %s is %d bytes.

Not supported

TRijndael_PipedPCFB

Rijndael: Invalid key size - %d

2.16.840.1.101.3.4.1.1

2.16.840.1.101.3.4.1.21

2.16.840.1.101.3.4.1.41

1.3.6.1.4.1.13085.1.22

1.3.6.1.4.1.13085.1.23

1.3.6.1.4.1.13085.1.24

2.16.840.1.101.3.4.1.4

2.16.840.1.101.3.4.1.24

2.16.840.1.101.3.4.1.44

1.3.6.1.4.1.13085.1.7

1.3.6.1.4.1.13085.1.8

1.3.6.1.4.1.13085.1.9

1.3.6.1.4.1.13085.1.4

1.3.6.1.4.1.13085.1.5

1.3.6.1.4.1.13085.1.6

1.3.6.1.4.1.13085.1.10

1.3.6.1.4.1.13085.1.11

1.3.6.1.4.1.13085.1.12

1.3.6.1.4.1.13085.1.1

1.3.6.1.4.1.13085.1.2

1.3.6.1.4.1.13085.1.3

1.3.6.1.4.1.13085.1.16

1.3.6.1.4.1.13085.1.17

1.3.6.1.4.1.13085.1.18

2.16.840.1.101.3.4.1.2

2.16.840.1.101.3.4.1.22

2.16.840.1.101.3.4.1.42

1.3.6.1.4.1.13085.1.19

1.3.6.1.4.1.13085.1.20

1.3.6.1.4.1.13085.1.21

2.16.840.1.101.3.4.1.3

2.16.840.1.101.3.4.1.23

2.16.840.1.101.3.4.1.43

2.16.840.1.101.3.4.1.5

2.16.840.1.101.3.4.1.25

2.16.840.1.101.3.4.1.45

/* Dr Brian Gladman ([email protected]) 14th January 1999 */

TGenerator.Create: Cipher mode must be cmCTR.

TMPPool.CheckThreadID: Called from the wrong thread.

TMPPool.Cache: Invalid pointer

TMPPool.Obtain: Out of memory

TMPPool.InternalCheck: Invalid pointer

Portugal

Turkey

TKeyVerifyParams

12345678-

Windows 95

WIN_VER_WINDOWS95

Windows 95 OSR2

WIN_VER_WINDOWS95OSR2

Windows 98

WIN_VER_WINDOWS98

Windows 98 SE

WIN_VER_WINDOWS98SE

Windows ME

WIN_VER_WINDOWSME

Windows 2000

WIN_VER_WINDOWS2000

Windows 2000 Professional

WIN_VER_WINDOWS2000PROF

Windows 2000 Data Server

WIN_VER_WINDOWS2000DATASERVER

Windows 2000 Advanced Server

WIN_VER_WINDOWS2000ADVSERVER

Windows 2000 Server

WIN_VER_WINDOWS2000SERVER

Windows XP

WIN_VER_WINDOWSXP

Windows XP Home

WIN_VER_WINDOWSXPHOME

Windows XP Professional

WIN_VER_WINDOWSXPPROF

Windows XP Professional x64

WIN_VER_WINDOWSXPPROFx64

Windows XP Professional Datacenter x64

WIN_VER_WINDOWSXPPROFDATACENTERx64

Windows XP Professional Enterprise x64

WIN_VER_WINDOWSXPPROFENERPRICEx64

Windows XP Professional Standart x64

WIN_VER_WINDOWSXPPROFSTANDARTx64

Windows 2003

Windows 2003 Server

WIN_VER_WINDOWS2003SERVER

Windows 2003 Server R2

WIN_VER_WINDOWS2003SERVERR2

Windows 2003 Storage Server

WIN_VER_WINDOWS2003STORAGESERVER

Windows 2003 Datacenter Itanium

WIN_VER_WINDOWS2003DATACENTERITANIUM

Windows 2003 Enterprise Itanium

WIN_VER_WINDOWS2003ENTERPRICEITANIUM

Windows 2003 Datacenter x64

WIN_VER_WINDOWS2003DATACENTERx64

Windows 2003 Enterprise x64

WIN_VER_WINDOWS2003ENERPRICEx64

Windows 2003 Standart x64

WIN_VER_WINDOWS2003STANDARTx64

Windows 2003 Compute

WIN_VER_WINDOWS2003COMPUTE

Windows 2003 Datacenter

WIN_VER_WINDOWS2003DATACENTER

Windows 2003 Enterprise

WIN_VER_WINDOWS2003ENTERPRICE

Windows 2003 Web

WIN_VER_WINDOWS2003WEB

Windows 2003 Standart

WIN_VER_WINDOWS2003STANDART

Windows Vista

WIN_VER_WINDOWSVISTA

Windows Vista Business

WIN_VER_WINDOWSVISTA_BUSINESS

Windows Vista Cluster Server

WIN_VER_WINDOWSVISTA_CLUSTER_SERVER

Windows Vista Datacenter Server

WIN_VER_WINDOWSVISTA_DATACENTER_SERVER

Windows Vista Datacenter Server Core

WIN_VER_WINDOWSVISTA_DATACENTER_SERVER_CORE

Windows Vista Datacenter Server Core V

WIN_VER_WINDOWSVISTA_DATACENTER_SERVER_CORE_V

Windows Vista Datacenter Server V

WIN_VER_WINDOWSVISTA_DATACENTER_SERVER_V

Windows Vista Enterprise

WIN_VER_WINDOWSVISTA_ENTERPRICE

Windows Vista Enterprise Server

WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER

Windows Vista Enterprise Server Core

WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_CORE

Windows Vista Enterprise Server V

WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_V

Windows Vista Enterprise Server Core V

WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_CORE_V

Windows Vista Enterprise Server IA64

WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_IA64

Windows Vista Home Basic

WIN_VER_WINDOWSVISTA_HOME_BASIC

Windows Vista Home Premium

WIN_VER_WINDOWSVISTA_HOME_PREMIUM

Windows Vista Home Server

WIN_VER_WINDOWSVISTA_HOME_SERVER

Windows Vista Server For Small Business

WIN_VER_WINDOWSVISTA_SERVER_FOR_SMALLBUSINESS

Windows Vista Small Business Server

WIN_VER_WINDOWSVISTA_SMALLBUSINESS_SERVER

Windows Vista Small Business Server Premium

WIN_VER_WINDOWSVISTA_SMALLBUSINESS_SERVER_PREMIUM

Windows Vista Medium Business Server Management

WIN_VER_WINDOWSVISTA_MEDIUMBUSINESS_SERVER_MANAGEMENT

Windows Vista Medium Business Server Messaging

WIN_VER_WINDOWSVISTA_MEDIUMBUSINESS_SERVER_MESSAGING

Windows Vista Medium Business Server Security

WIN_VER_WINDOWSVISTA_MEDIUMBUSINESS_SERVER_SECURITY

Windows Vista Standard Server

WIN_VER_WINDOWSVISTA_STANDARD_SERVER

Windows Vista Standard Server V

WIN_VER_WINDOWSVISTA_STANDARD_SERVER_V

Windows Vista Standard Server Core

WIN_VER_WINDOWSVISTA_STANDARD_SERVER_CORE

Windows Vista Standard Server Core V

WIN_VER_WINDOWSVISTA_STANDARD_SERVER_CORE_V

Windows Vista Starter

WIN_VER_WINDOWSVISTA_STARTER

Windows Vista Storage Enterprise Server

WIN_VER_WINDOWSVISTA_STORAGE_ENTERPRISE_SERVER

Windows Vista Storage Express Server

WIN_VER_WINDOWSVISTA_STORAGE_EXPRESS_SERVER

Windows Vista Storage Standard Server

WIN_VER_WINDOWSVISTA_STORAGE_STANDARD_SERVER

Windows Vista Storage Workgroup Server

WIN_VER_WINDOWSVISTA_STORAGE_WORKGROUP_SERVER

Windows Vista Undefined

WIN_VER_WINDOWSVISTA_UNDEFINED

Windows Vista Ultimate

WIN_VER_WINDOWSVISTA_ULTIMATE

Windows Vista Web Server

WIN_VER_WINDOWSVISTA_WEB_SERVER

Windows Vista Web Server Core

WIN_VER_WINDOWSVISTA_WEB_SERVER_CORE

Windows Vista Unlicensed

WIN_VER_WINDOWSVISTA_UNLICENSED

Windows 2008

WIN_VER_WINDOWS2008

Windows 2008 Business

WIN_VER_WINDOWS2008_BUSINESS

Windows 2008 Cluster Server

WIN_VER_WINDOWS2008_CLUSTER_SERVER

Windows 2008 Datacenter Server

WIN_VER_WINDOWS2008_DATACENTER_SERVER

Windows 2008 Datacenter Server Core

WIN_VER_WINDOWS2008_DATACENTER_SERVER_CORE

Windows 2008 Datacenter Server Core V

WIN_VER_WINDOWS2008_DATACENTER_SERVER_CORE_V

Windows 2008 Datacenter Server V

WIN_VER_WINDOWS2008_DATACENTER_SERVER_V

Windows 2008 Enterprise

WIN_VER_WINDOWS2008_ENTERPRICE

Windows 2008 Enterprise Server

WIN_VER_WINDOWS2008_ENTERPRISE_SERVER

Windows 2008 Enterprise Server Core

WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_CORE

Windows 2008 Enterprise Server V

WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_V

Windows 2008 Enterprise Server Core V

WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_CORE_V

Windows 2008 Enterprise Server IA64

WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_IA64

Windows 2008 Home Basic

WIN_VER_WINDOWS2008_HOME_BASIC

Windows 2008 Home Premium

WIN_VER_WINDOWS2008_HOME_PREMIUM

Windows 2008 Home Server

WIN_VER_WINDOWS2008_HOME_SERVER

Windows 2008 Server For Small Business

WIN_VER_WINDOWS2008_SERVER_FOR_SMALLBUSINESS

Windows 2008 Small Business Server

WIN_VER_WINDOWS2008_SMALLBUSINESS_SERVER

Windows 2008 Small Business Server Premium

WIN_VER_WINDOWS2008_SMALLBUSINESS_SERVER_PREMIUM

Windows 2008 Medium Business Server Management

WIN_VER_WINDOWS2008_MEDIUMBUSINESS_SERVER_MANAGEMENT

Windows 2008 Medium Business Server Messaging

WIN_VER_WINDOWS2008_MEDIUMBUSINESS_SERVER_MESSAGING

Windows 2008 Medium Business Server Security

WIN_VER_WINDOWS2008_MEDIUMBUSINESS_SERVER_SECURITY

Windows 2008 Standard Server

WIN_VER_WINDOWS2008_STANDARD_SERVER

Windows 2008 Standard Server V

WIN_VER_WINDOWS2008_STANDARD_SERVER_V

Windows 2008 Standard Server Core

WIN_VER_WINDOWS2008_STANDARD_SERVER_CORE

Windows 2008 Standard Server Core V

WIN_VER_WINDOWS2008_STANDARD_SERVER_CORE_V

Windows 2008 Starter

WIN_VER_WINDOWS2008_STARTER

Windows 2008 Storage Enterprise Server

WIN_VER_WINDOWS2008_STORAGE_ENTERPRISE_SERVER

Windows 2008 Storage Express Server

WIN_VER_WINDOWS2008_STORAGE_EXPRESS_SERVER

Windows 2008 Storage Standard Server

WIN_VER_WINDOWS2008_STORAGE_STANDARD_SERVER

Windows 2008 Storage Workgroup Server

WIN_VER_WINDOWS2008_STORAGE_WORKGROUP_SERVER

Windows 2008 Undefined

WIN_VER_WINDOWS2008_UNDEFINED

Windows 2008 Ultimate

WIN_VER_WINDOWS2008_ULTIMATE

Windows 2008 Web Server

WIN_VER_WINDOWS2008_WEB_SERVER

Windows 2008 Web Server Core

WIN_VER_WINDOWS2008_WEB_SERVER_CORE

Windows 2008 Unlicensed

WIN_VER_WINDOWS2008_UNLICENSED

Windows 2008 R2

WIN_VER_WINDOWS2008R2

Windows 2008 R2 Business

WIN_VER_WINDOWS2008R2_BUSINESS

Windows 2008 R2 Cluster Server

WIN_VER_WINDOWS2008R2_CLUSTER_SERVER

Windows 2008 R2 Datacenter Server

WIN_VER_WINDOWS2008R2_DATACENTER_SERVER

Windows 2008 R2 Datacenter Server Core

WIN_VER_WINDOWS2008R2_DATACENTER_SERVER_CORE

Windows 2008 R2 Datacenter Server Core V

WIN_VER_WINDOWS2008R2_DATACENTER_SERVER_CORE_V

Windows 2008 R2 Datacenter Server V

WIN_VER_WINDOWS2008R2_DATACENTER_SERVER_V

Windows 2008 R2 Enterprise

WIN_VER_WINDOWS2008R2_ENTERPRICE

Windows 2008 R2 Enterprise Server

WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER

Windows 2008 R2 Enterprise Server Core

WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_CORE

Windows 2008 R2 Enterprise Server V

WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_V

Windows 2008 R2 Enterprise Server Core V

WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_CORE_V

Windows 2008 R2 Enterprise Server IA64

WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_IA64

Windows 2008 R2 Home Basic

WIN_VER_WINDOWS2008R2_HOME_BASIC

Windows 2008 R2 Home Premium

WIN_VER_WINDOWS2008R2_HOME_PREMIUM

Windows 2008 R2 Home Server

WIN_VER_WINDOWS2008R2_HOME_SERVER

Windows 2008 R2 Server For Small Business

WIN_VER_WINDOWS2008R2_SERVER_FOR_SMALLBUSINESS

Windows 2008 R2 Small Business Server

WIN_VER_WINDOWS2008R2_SMALLBUSINESS_SERVER

Windows 2008 R2 Small Business Server Premium

WIN_VER_WINDOWS2008R2_SMALLBUSINESS_SERVER_PREMIUM

Windows 2008 R2 Medium Business Server Management

WIN_VER_WINDOWS2008R2_MEDIUMBUSINESS_SERVER_MANAGEMENT

Windows 2008 R2 Medium Business Server Messaging

WIN_VER_WINDOWS2008R2_MEDIUMBUSINESS_SERVER_MESSAGING

Windows 2008 R2 Medium Business Server Security

WIN_VER_WINDOWS2008R2_MEDIUMBUSINESS_SERVER_SECURITY

Windows 2008 R2 Standard Server

WIN_VER_WINDOWS2008R2_STANDARD_SERVER

Windows 2008 R2 Standard Server V

WIN_VER_WINDOWS2008R2_STANDARD_SERVER_V

Windows 2008 R2 Standard Server Core

WIN_VER_WINDOWS2008R2_STANDARD_SERVER_CORE

Windows 2008 R2 Standard Server Core V

WIN_VER_WINDOWS2008R2_STANDARD_SERVER_CORE_V

Windows 2008 R2 Starter

WIN_VER_WINDOWS2008R2_STARTER

Windows 2008 R2 Storage Enterprise Server

WIN_VER_WINDOWS2008R2_STORAGE_ENTERPRISE_SERVER

Windows 2008 R2 Storage Express Server

WIN_VER_WINDOWS2008R2_STORAGE_EXPRESS_SERVER

Windows 2008 R2 Storage Standard Server

WIN_VER_WINDOWS2008R2_STORAGE_STANDARD_SERVER

Windows 2008 R2 Storage Workgroup Server

WIN_VER_WINDOWS2008R2_STORAGE_WORKGROUP_SERVER

Windows 2008 R2 Undefined

WIN_VER_WINDOWS2008R2_UNDEFINED

Windows 2008 R2 Ultimate

WIN_VER_WINDOWS2008R2_ULTIMATE

Windows 2008 R2 Web Server

WIN_VER_WINDOWS2008R2_WEB_SERVER

Windows 2008 R2 Web Server Core

WIN_VER_WINDOWS2008R2_WEB_SERVER_CORE

Windows 2008 R2 Unlicensed

WIN_VER_WINDOWS2008R2_UNLICENSED

Windows 7

WIN_VER_WINDOWSSEVEN

Windows 7 Business

WIN_VER_WINDOWSSEVEN_BUSINESS

Windows 7 Cluster Server

WIN_VER_WINDOWSSEVEN_CLUSTER_SERVER

Windows 7 Datacenter Server

WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER

Windows 7 Datacenter Server Core

WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER_CORE

Windows 7 Datacenter Server Core V

WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER_CORE_V

Windows 7 Datacenter Server V

WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER_V

Windows 7 Enterprise

WIN_VER_WINDOWSSEVEN_ENTERPRICE

Windows 7 Enterprise Server

WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER

Windows 7 Enterprise Server Core

WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_CORE

Windows 7 Enterprise Server V

WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_V

Windows 7 Enterprise Server Core V

WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_CORE_V

Windows 7 Enterprise Server IA64

WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_IA64

Windows 7 Home Basic

WIN_VER_WINDOWSSEVEN_HOME_BASIC

Windows 7 Home Premium

WIN_VER_WINDOWSSEVEN_HOME_PREMIUM

Windows 7 Home Server

WIN_VER_WINDOWSSEVEN_HOME_SERVER

Windows 7 Server For Small Business

WIN_VER_WINDOWSSEVEN_SERVER_FOR_SMALLBUSINESS

Windows 7 Small Business Server

WIN_VER_WINDOWSSEVEN_SMALLBUSINESS_SERVER

Windows 7 Small Business Server Premium

WIN_VER_WINDOWSSEVEN_SMALLBUSINESS_SERVER_PREMIUM

Windows 7 Medium Business Server Management

WIN_VER_WINDOWSSEVEN_MEDIUMBUSINESS_SERVER_MANAGEMENT

Windows 7 Medium Business Server Messaging

WIN_VER_WINDOWSSEVEN_MEDIUMBUSINESS_SERVER_MESSAGING

Windows 7 Medium Business Server Security

WIN_VER_WINDOWSSEVEN_MEDIUMBUSINESS_SERVER_SECURITY

Windows 7 Standard Server

WIN_VER_WINDOWSSEVEN_STANDARD_SERVER

Windows 7 Standard Server V

WIN_VER_WINDOWSSEVEN_STANDARD_SERVER_V

Windows 7 Standard Server Core

WIN_VER_WINDOWSSEVEN_STANDARD_SERVER_CORE

Windows 7 Standard Server Core V

WIN_VER_WINDOWSSEVEN_STANDARD_SERVER_CORE_V

Windows 7 Starter

WIN_VER_WINDOWSSEVEN_STARTER

Windows 7 Storage Enterprise Server

WIN_VER_WINDOWSSEVEN_STORAGE_ENTERPRISE_SERVER

Windows 7 Storage Express Server

WIN_VER_WINDOWSSEVEN_STORAGE_EXPRESS_SERVER

Windows 7 Storage Standard Server

WIN_VER_WINDOWSSEVEN_STORAGE_STANDARD_SERVER

Windows 7 Storage Workgroup Server

WIN_VER_WINDOWSSEVEN_STORAGE_WORKGROUP_SERVER

Windows 7 Undefined

WIN_VER_WINDOWSSEVEN_UNDEFINED

Windows 7 Ultimate

WIN_VER_WINDOWSSEVEN_ULTIMATE

Windows 7 Web Server

WIN_VER_WINDOWSSEVEN_WEB_SERVER

Windows 7 Web Server Core

WIN_VER_WINDOWSSEVEN_WEB_SERVER_CORE

Windows 7 Unlicensed

WIN_VER_WINDOWSSEVEN_UNLICENSED

Portuguese (Brazil)

Portuguese (Portugal)

Enigma_Plugin_OnSaveKey

Enigma_Plugin_OnLoadKey

ntdll.dll

LS_Enigma_Plugin_OnDeleteKey

ole32.dll

comctl32.dll

!"#$%&*;<=>@[]^_`{|}

TNT Internal Error: TWideComponentHelper.Create should never be encountered.

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntClasses.pas

Library not found: %s

Function not found: %s.%s

RtlFormatCurrentUserKeyPath

TExported0

gN%Fj

USER32.DLL

EInvalidGraphicOperation

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

MAPI32.DLL

TComboBoxExEnumerator

ssHorizontal

OnKeyDown

OnKeyPress

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

HelpKeyword(;0

OnExecute

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

AutoHotkeys

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntActnList.pas

PasswordChar

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntStdCtrls.pas

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntForms.pas

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntMenus.pas

Internal Error: SyncHotKeyPosition Failed ("%s" <> "%s").

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntControls.pas

Internal Error: SubClassUnicodeControl.Control is not Unicode.

.UnicodeClass

TntUnicodeVcl.DestroyWindow

Internal Error: Control does not support ITntGlyphButton.

dtPostMsg

Software\Microsoft\Windows\CurrentVersion

ProductKey

Software\Microsoft\Windows NT\CurrentVersion

\\.\PhysicalDrive0

\\.\%s

\\.\Scsi0:

\\.\SMARTVSD

%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntRegistry.pas

#$%&'()* ,-./01234

PSAPI.dll

I*Rc<)%sHMJ 

VBoxService.exe

ÞFAULT FOLDER%

%SYSTEM FOLDER%

%WINDOWS FOLDER%

Mutex object: Unique: %d-%d. Number: %d

Uh%s:

^%V!%X

THookWindowsAPI

EP_RegCheckKey

EP_RegCheckKeyA

EP_RegCheckKeyW

EP_RegSaveKey

EP_RegSaveKeyA

EP_RegSaveKeyW

EP_RegLoadKey

EP_RegLoadKeyA

EP_RegLoadKeyW

EP_RegLoadAndCheckKey

EP_RegCheckAndSaveKey

EP_RegCheckAndSaveKeyA

EP_RegCheckAndSaveKeyW

EP_RegDeleteKey

EP_RegKeyExpirationDate

EP_RegKeyExpirationDateEx

EP_RegKeyCreationDate

EP_RegKeyCreationDateEx

EP_RegKeyExecutions

EP_RegKeyExecutionsTotal

EP_RegKeyExecutionsLeft

EP_RegKeyDays

EP_RegKeyDaysTotal

EP_RegKeyDaysLeft

EP_RegKeyRuntime

EP_RegKeyRuntimeTotal

EP_RegKeyRuntimeLeft

EP_RegKeyGlobalTime

EP_RegKeyGlobalTimeTotal

EP_RegKeyGlobalTimeLeft

EP_RegKeyRegisterAfterDate

EP_RegKeyRegisterAfterDateEx

EP_RegKeyRegisterBeforeDate

EP_RegKeyRegisterBeforeDateEx

EP_TrialExecutions

EP_TrialExecutionsTotal

EP_TrialExecutionsLeft

EP_TrialExecutionTime

EP_TrialExecutionTimeTotal

EP_TrialExecutionTimeLeft

EP_RegCheckKeyEx

EP_RegSaveKeyEx

EP_RegLoadKeyEx

EP_CheckUpStartupPasswordHashString

EP_ProtectedStringByKey

EP_RegKeyInformation

EP_RegKeyInformationA

EP_RegKeyInformationW

EP_RegKeyStatus

DLL_Loader_Import_Unit

TInitImport

Could not load library: %s

.gnu}

Function %s not found in module %s

File not found: %s

Can't find DLL entry point %s in %s

"%s" %s

%s %s

mscorwks.dll

mscoreei.dll

Jo.Ys

C9=O.WA

B.JAZ

coRegistratioKey

ZwOpenKey

ZwEnumerateValueKey

ZwQueryKey

ZwQueryValueKey

ZwCreateKey

ZwEnumerateKey

ZwSetValueKey

ZwDeleteKey

ZwDeleteValueKey

ZwFlushKey

ZwLoadKey

ZwLoadKey2

ZwNotifyChangeKey

ZwQueryMultipleValueKey

ZwReplaceKey

ZwRestoreKey

ZwSaveKey

ZwSetInformationKey

ZwUnloadKey

ZwOpenKeyEx

ZwQuerySection, Unsupported class %d

KeySetValue unsupported value type

ZwQueryValueKey, unsupported class %d

ZwQueryKey, unsupported class %d

ZwQueryObject with unsupported class

ZwReadFileInformation with unsupported class

ZwSetInformationFile with unsupported class

THookWindowsAPI

E.oNhZC

\\.\NTICE

\\.\SICE

\\.\SIWDEBUG

R.fm6$C

)O.bVJ

\.Na)

.xDHT

%s\%.8x%.8x-%.8x%.8x

)TEnigmaProtectorLoaderFormStartuppassword

DLL_Loader_RunPassword_Unit

^5(

b.HNNM

decrypt_on_execute_begin

ECRONEXECB

decrypt_on_execute_end

ECRONEXECE

.section

DLL_Loader.dll

@``@``@``@``@``@``@``@

@``@``@``@``@``

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

KWindows

_enigma_keygen_routines

TntWindows

UrlMon

virtualboximportunit

KeyRoutines

nJwaWindows

 DLL_Loader_Import_Unit

i.nLn

%.byh?2

B.KI1d

.zhe=

.Pc 5

%xQ<NhgF

iu2.iu

user32.dll

advapi32.dll

version.dll

gdi32.dll

shell32.dll

SHFolder.dll

shlwapi.dll

GetWindowsDirectoryW

GetWindowsDirectoryA

GetCPInfo

GetKeyboardType

VkKeyScanW

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExA

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextW

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

RegOpenKeyExA

RegCloseKey

RegOpenKeyA

RegFlushKey

RegCreateKeyExA

SetViewportOrgEx

ShellExecuteW

ShellExecuteA

2-3i3}3

:&:.:6:>:

>!>%>)>->1>5>9>=>

; ;$;(;,;0;

1#1'1 1/13171;162\2

$141$3:3

? ?$?(?,?0?

8 :`:{:,;>;

?*?.???`?

4 4$4(4,4044484<4@4

6h6X6g6r6

70848<8@8

8!9%9)9-949

9&9*9=9^9

4]5R5`5

4G4C4O4X4a4f4y4

0 0$0(0,000

=!=$=)=-=1=5=9===

6%7x9

1 1$1(1,1

: :(:,:0:4:|:

mscoree.dll

_CorExeMain

.idat

}&@_~"$)

.Jx1?

:z.dk>d

%SJBy$1!

%U%>_

?qkX%SX

>h.MR

%s[idr,

%s_id]9x

aY.sG

1BK%u

DE.BY

0123456

S.ANR

Prkey

P{rþ_)

88E8F8A8U8L6T)

2.qSne

),-./:? 

&*;<=>@[

]^_`{|}>

tPSsh

)O3k%D

xport

$.Est'7

_%uL@K

a.nrw

$)S%d

>X.PC$'E(x':E

w`%do(

T$%Ci~

Ivy%u

12345678

%UG %

YS~.DZ

<.tR 

x(t7.aFz

 %SD3

uX%XN(

f.Pr7F

;AKeyC

jXLV%u

Ê[n

[email protected]

h.cp0Sn

#$%&'()*

 ,-./012834

)%sHMJ 

.VB22Z

KW.HK

hfTPh(

UrlQ

f<0%DuUD

L.ug$

#!v%U

u).ia

O.bVJ

5(

("%D<&

}1)JO%c

"ÕD

-Ah}`

{.Xtj

%.byh?

%xQ<N

%5x^Cb

P|%u!uM

KHT%x

L%dr{

?J.fJk

V0wXXNÝ

'%cJ/

.il\-yX

?D.dh^

2^(UDP[N

.eht:

<5=S%f

YP.xm

JKzV%xb

Site : hXXp://VVV.enigmaprotector.com/

E-mail : [email protected]

Lisence holder: %s

%Cookies FOLDER%

Unspecified error (%d) from %s.

debug.log

enigma_ide.dll

ÚysToKeyExp%

%RegKey%

%KeyExpYear%

%KeyExpMonth%

%KeyExpDay%

%CU_EXTFILES%

%CU_EXECPR%

%CU_INSTSERV%

%CU_WINVER%

%CU_VIRTTOOLS%

%TrialExecsTotal%

%TrialExecsLeft%

%TrialExecMinsTotal%

%TrialExecMinsLeft%

hh.exe

write.exe

attrib.exe

chkdsk.exe

compact.exe

find.exe

help.exe

winver.exe

regsvr32.exe

replace.exe

dllhost.exe

ntvdm.exe

tcpsvcs.exe

Was not able to create virtual value at ImportCall_ZwSetValueKey

Was not able to create virtual key at ImportCall_ZwSetValueKey

ImportCall_ZwLoadKey

ImportCall_ZwLoadKey2

ImportCall_ZwNotifyChangeKey

ImportCall_ZwQueryMultipleValueKey

ImportCall_ZwReplaceKey

ImportCall_ZwRestoreKey

ImportCall_ZwSaveKey

ImportCall_ZwSetInformationKey

ImportCall_ZwUnloadKey

evb*.tmp

Unsupported call of ZwSetVolumeInformationFile

Application requires password to start

Enter password

Change password

New password:

Confirm new password:

% )*0./(&'312-,

RichEdit line insertion error=This control requires version 4.70 or greater of COMCTL32.DLL

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Alt  Clipboard does not support Icons

Text exceeds memo capacity/Menu '%s' is already being used by another form

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Thread creation error: %s

Thread Error: %s (%d)7CreateClone not implemented for class %s with source %s

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

Unsupported clipboard format

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

'%s' is an invalid mask at (%d)$''%s'' is not a valid component name

Ancestor for '%s' not found

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation

Invalid NULL variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

Client.exe_2780_rwx_01850000_00004000:

Invalid NULL variant operation

Invalid variant operation

Variant method calls not supported

Access violation at address %p. %s of address %p

Invalid pointer operation

Invalid floating point operation

I/O error %d

'%s' is not a valid integer value

Client.exe_2780_rwx_019E0000_00038000:

C:\Windows\system32\IPHLPAPI.DLL0

C:\Windows\system32\CFGMGR32.dll0

/* Dr Brian Gladman ([email protected]) 14th January 1999 */

1.3.3.7

"C:\Users\"%CurrentUserName%"\AppData\Roaming\SubDir\Client.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dlD

wntdll.dll

ukernel32.dll

Mukernelbase.dll

huuser32.dll

dvgdi32.dll

)wlpk.dll

wusp10.dll

vmsvcrt.dll

vadvapi32.dll

,wsechost.dll

]urpcrt4.dll

uoleaut32.dll

vole32.dll

ushell32.dll

vshlwapi.dll

}tversion.dll

lmscoree.dll

*wimm32.dll

vmsctf.dll

ocomctl32.dll

pshfolder.dll

-uprofapi.dll

usspicli.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dllH

C:\Windows\system32\NSI.(

44ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Steam Client Bootstrapper\license.dat

application.exe

taskhost.exe_2808:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

ole32.dll

OLEAUT32.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

USER32.dll

RPCRT4.dll

d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp

The likely culprit task is stuck on the same stack with %S.

d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp

Invalid parameter passed to C runtime function.

taskhost.pdb

_wcmdln

_amsg_exit

InitOnceExecuteOnce

SetProcessShutdownParameters

MsgWaitForMultipleObjects

EnumThreadWindows

EnumWindows

ntdll.dll

GetProcessHeap

CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]

bStartComTask() --> h=0x%x ret=%d

StopComTask(0x%x) --> ret=%d

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()

ComTaskMgrWnd(0x%x)::Shutdown(%ws)

gCleanupSet()::Remove(0x%x)

ComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x

ComTaskHost(0x%x)::WaitForTaskStartCompletion()

ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)

ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x

ComTaskHost(0x%x)::StopTaskWorker()

ComTaskHost(0x%x)::Shutdown()

ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x

ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x

ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x

ITaskHandler::Start(0x%x,"%ws") --> 0x%x

ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")

ComTaskHost(0x%x)::StartTaskWorker()

ComTaskHost(0x%x)::Stop --> 0x%x

ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x

StartTaskThread(0x%x) bailed out because of shutdown

ComTaskHost(0x%x)::~ComTaskHost()

ComTaskHost(0x%x)::Start --> 0x%x

ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown

ComTaskHost(0x%x)::TaskCompleted(0x%x)

ComTaskHost(0x%x)::AddRef -> m_cRef = %d

ComTaskHost(0x%x)::Release -> m_cRef = %d

WinAppTerminator: found wnd 0x%x for pid %d.

WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.

WinAppTerminator: EnumThreadWindows failed err=%d.

Host Process for Windows Tasks

6.1.7601.17514 (win7sp1_rtm.101119-1850)

taskhost.exe

Windows

Operating System

6.1.7601.17514

Client.exe_2780_rwx_01A20000_00014000:

API-MS-WIN-Service-winsvc-L1-1-0.dll4

C:\Windo

\\.\C:

1.3.3.7

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1944

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\SubDir\Client.exe (7705 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Steam Client Bootstrapper" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\SubDir\Client.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Steam Client Bootstrapper" = "c:\%original file name%.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.