Looking for a sample of this Trojan

Hello All,

I'm doing some research on a particular Trojan and having some trouble locating it. Found it on company network, and then found some of the code online, here: http://pastebin.com/BhCPJ6Xa

At least according to the code online (written in VB.NET, surprisingly), the virus is key-logging, iterating through files, posting to a web server, creating command lines with redirected input/output and a lot more. The actual executable references STM.EXE, but as I do a web search, I can't find a precise match (meaning the symptoms of infection aren't exactly the same).

Here is the version info for the two samples I found:

1 VERSIONINFO
FILEVERSION 3,3,0,0
PRODUCTVERSION 3,3,0,0
FILEOS 0x4
FILETYPE 0x1
{
  BLOCK "StringFileInfo"
  {
    BLOCK "000004b0"
    {
      VALUE "CompanyName", "Microsoft Inc."
      VALUE "FileDescription", "Microsoft Component"
      VALUE "FileVersion", "3.3"
      VALUE "InternalName", "STM.exe"
      VALUE "LegalCopyright", "1989-2010 Microsoft Inc. ©"
      VALUE "OriginalFilename", "STM.exe"
      VALUE "ProductVersion", "3.3"
      VALUE "Assembly Version", "3.3.0.0"
    }
  }

  BLOCK "VarFileInfo"
  {
    VALUE "Translation", 0x0000 0x04B0
  }
}

I figured the pros can help point me in the right direction. Any help would be appreciated. Also, I don't have a sample, as I had to re-image the PCs. Also, I've searched the Offensive Computing database, but didn't find it--but something tells me it's in here :)

Also, here is the Trojan's string table, captured with Process Explorer:

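A triage check built on the version resource posted above, as an added example that is not part of the original post: it parses the dump and flags vendor fields that claim Microsoft without the "Microsoft Corporation" wording genuine Microsoft binaries carry, plus a mismatch between OriginalFilename and the name on disk. The function names, the finding labels and the on-disk file name are assumptions made for illustration.

```python
import re

# Version resource as posted above (resource-script style dump).
POSTED_VERSIONINFO = r'''1 VERSIONINFO
FILEVERSION 3,3,0,0
PRODUCTVERSION 3,3,0,0
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "000004b0"
{
VALUE "CompanyName", "Microsoft Inc."
VALUE "FileDescription", "Microsoft Component"
VALUE "FileVersion", "3.3"
VALUE "InternalName", "STM.exe"
VALUE "LegalCopyright", "1989-2010 Microsoft Inc. ©"
VALUE "OriginalFilename", "STM.exe"
VALUE "ProductVersion", "3.3"
VALUE "Assembly Version", "3.3.0.0"
}
}
BLOCK "VarFileInfo"
{
VALUE "Translation", 0x0000 0x04B0
}
}
'''

VALUE_RE = re.compile(r'VALUE\s+"([^"]+)"\s*,\s*"([^"]*)"')
TRANSLATION_RE = re.compile(
    r'VALUE\s+"Translation"\s*,\s*(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)')

# Fields in which genuine Microsoft binaries name "Microsoft Corporation".
VENDOR_FIELDS = ("CompanyName", "LegalCopyright")


def parse_versioninfo(text):
    """Return the StringFileInfo values plus the Translation pair."""
    fields = dict(VALUE_RE.findall(text))
    match = TRANSLATION_RE.search(text)
    if match:
        fields["_lang"], fields["_codepage"] = (
            int(group, 16) for group in match.groups())
    return fields


def triage_findings(fields, on_disk_name):
    """Return labels (hypothetical names) for version-info oddities."""
    findings = []
    for key in VENDOR_FIELDS:
        value = fields.get(key, "").lower()
        # Claims Microsoft, but not with the vendor's real company string.
        if "microsoft" in value and "microsoft corporation" not in value:
            findings.append("vendor-string:" + key)
    original = fields.get("OriginalFilename", "")
    if original and original.lower() != on_disk_name.lower():
        findings.append("renamed:" + original)
    # .NET compilers write this value, so the file is a managed assembly
    # and can be decompiled; context for the analyst, not a red flag.
    if "Assembly Version" in fields:
        findings.append("managed-assembly")
    return findings


if __name__ == "__main__":
    # "updater.exe" is a constructed on-disk name, not taken from the post.
    for finding in triage_findings(parse_versioninfo(POSTED_VERSIONINFO),
                                   "updater.exe"):
        print(finding)
```

Version strings are chosen by whoever builds the file, so an empty result proves nothing; treat findings as leads and confirm with an Authenticode signature check.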