A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27732  by Xylitol
 Mon Jan 25, 2016 12:42 am
Spotted by benkow_ here https://twitter.com/benkow_/status/689568349102161920
Signatures are too generic for having a correct name..
Delivered via spam according to screenshots from the cnc and TechHelpList.com

Image Image Image

Password stealer targeting various browsers,ftp clients,email clients and poker applications, ability to keylog datas and taking screenshots.

https://www.virustotal.com/en/file/5c41 ... 453681028/
https://www.virustotal.com/en/file/c9c8 ... 453680851/

Patched version (40E3CD on the unpacked binary) to help tracing behavior with hybrid-analysis:
https://www.hybrid-analysis.com/sample/ ... onmentId=1

Strings list:
Code: Select all
Text strings referenced in 00090000..0012EFFF
00092750   PUSH EBP                                  (Initial CPU selection)
000928FB   MOV ESI,0A2090                            UNICODE "Kernel32.dll"
0009290B   MOV ESI,0A20AC                            UNICODE "ntdll.dll"
0009292D   MOV ESI,0A20C0                            UNICODE "SHLWAPI.dll"
00092943   MOV ESI,0A20D8                            UNICODE "CRYPT32.dll"
00092959   MOV ESI,0A20F0                            UNICODE "WININET.dll"
0009296F   MOV ESI,0A2108                            UNICODE "urlmon.dll"
00092986   MOV ESI,0A2120                            UNICODE "NETAPI32.dll"
00092991   MOV ESI,0A213C                            UNICODE "WS2_32.dll"
000929AE   MOV ESI,0A2154                            UNICODE "USER32.dll"
000929BF   MOV ESI,0A216C                            UNICODE "ADVAPI32.dll"
000929CA   MOV ESI,0A2188                            UNICODE "SHELL32.dll"
000929DD   MOV ESI,0A21A0                            UNICODE "gdiplus.dll"
000929ED   MOV ESI,0A21B8                            UNICODE "gdi32.dll"
00093587   PUSH 0A2258                               UNICODE "%s\%s\%s%s"
00093598   PUSH 0A224C                               UNICODE "%s\%s"
000935CC   PUSH 0A2270                               UNICODE "%s\%s%s"
0009364D   PUSH 0A2214                               UNICODE "%s\*"
0009369E   PUSH 0A2220                               UNICODE "Windows"
000936B5   PUSH 0A2230                               UNICODE "Program Files"
000936EE   PUSH 0A224C                               UNICODE "%s\%s"
00093763   PUSH 0A224C                               UNICODE "%s\%s"
000937D0   PUSH 0A224C                               UNICODE "%s\%s"
00093A4A   PUSH 0A2208                               UNICODE ".tmp"
00093B21   PUSH 0A21FC                               UNICODE "open"
000944A8   PUSH 0A224C                               UNICODE "%s\%s"
000948B0   MOV ESI,0A2294                            ASCII "SQLite format 3"
00094ABE   PUSH 0A2288                               ASCII "UNIQUE"
00095545   MOV ESI,0A2368                            ASCII "http://"
00095558   MOV ESI,0A2370                            ASCII "https://"
000955DA   MOV ESI,0A2384                            ASCII "80"
00095642   MOV ESI,0A22A4                            ASCII "DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW"
000956C0   MOV ESI,0A22E8                            UNICODE "U2XpekVvtYq0fwsx7EDuZjrCo9GcF1B6Hl358mbznyLWdMANa4TSKJhIiOPgQR"
00095BB1   PUSH 0A2388                               UNICODE "%s"
00095E10   PUSH 0A23C4                               UNICODE "SeDebugPrivilege"
00095F17   PUSH 0A23E8                               UNICODE " %02d-%02d-%02d %02d:%02d"
00095F30   PUSH 0A2398                               ASCII "MachineGuid"
00095F35   PUSH 0A23A4                               ASCII "SOFTWARE\Microsoft\Cryptography"
000960D8   PUSH 0A2220                               UNICODE "Windows"
00096156   PUSH 0A2390                               UNICODE "exe"
00096737   PUSH 0A24EC                               ASCII "ZwResumeThread"
00096874   PUSH 0A2480                               ASCII "RtlCreateUserThread"
000968F9   PUSH 0A20AC                               UNICODE "ntdll.dll"
00096906   PUSH 0A2434                               ASCII "RtlNtStatusToDosError"
00096912   PUSH 0A244C                               ASCII "RtlSetLastWin32Error"
00096965   PUSH 0A2494                               ASCII "ZwAllocateVirtualMemory"
00096A0C   PUSH 0A24AC                               ASCII "NtFreeVirtualMemory"
00096AA6   PUSH 0A24C0                               ASCII "NtWriteVirtualMemory"
00096E63   PUSH 0A241C                               ASCII "LdrGetProcedureAddress"
00096F49   PUSH 0A20AC                               UNICODE "ntdll.dll"
00096FB3   PUSH 0A2464                               ASCII "ZwQueryInformationProcess"
00097029   PUSH 0A24D8                               ASCII "ZwReadVirtualMemory"
000970C9   PUSH 0A24FC                               ASCII "/%s"
000972B4   PUSH 0A2558                               UNICODE "%s\%s\User Data\Default\Login Data"
000972E2   PUSH 0A25A0                               UNICODE "%s\%s\User Data\Default\Web Data"
0009730C   PUSH 0A25E4                               UNICODE "%s%s\Login Data"
00097336   PUSH 0A2604                               UNICODE "%s%s\Default\Login Data"
000973AD   MOV ESI,0A2634                            UNICODE "Comodo\Dragon"
000973BA   MOV ESI,0A2650                            UNICODE "MapleStudio\ChromePlus"
000973E5   MOV ESI,0A2680                            UNICODE "Google\Chrome"
000973F2   MOV ESI,0A269C                            UNICODE "Nichrome"
00097412   MOV ESI,0A26B0                            UNICODE "RockMelt"
00097431   MOV ESI,0A26C4                            UNICODE "Spark"
0009744D   MOV ESI,0A26D0                            UNICODE "Chromium"
00097476   MOV ESI,0A26E4                            UNICODE "Titan Browser"
00097485   MOV ESI,0A2700                            UNICODE "Torch"
000974A4   MOV ESI,0A270C                            UNICODE "Yandex\YandexBrowser"
000974CE   MOV ESI,0A2738                            UNICODE "Epic Privacy Browser"
000974ED   MOV ESI,0A2764                            UNICODE "CocCoc\Browser"
000974FF   MOV ESI,0A2784                            UNICODE "Vivaldi"
0009751C   MOV ESI,0A2794                            UNICODE "Comodo\Chromodo"
00097532   MOV ESI,0A27B4                            UNICODE "Superbird"
00097556   MOV ESI,0A27C8                            UNICODE "Coowon\Coowon"
00097569   MOV ESI,0A27E4                            UNICODE "Mustang Browser"
0009758B   MOV ESI,0A2804                            UNICODE "360Browser\Browser"
000975A5   MOV ESI,0A282C                            UNICODE "CatalinaGroup\Citrio"
000975C3   MOV ESI,0A2858                            UNICODE "Google\Chrome SxS"
00097625   MOV ESI,0A287C                            UNICODE "\Opera\Opera Next\data"
00097648   MOV ESI,0A28AC                            UNICODE "\Opera Software\Opera Stable"
0009766F   MOV ESI,0A28E8                            UNICODE "\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer"
00097685   MOV ESI,0A2950                            UNICODE "\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer"
000977BA   PUSH 0A2524                               ASCII "password_value"
000977BF   PUSH 0A2534                               ASCII "username_value"
000977C4   PUSH 0A2544                               ASCII "origin_url"
000977CD   PUSH 0A2550                               ASCII "logins"
00097851   PUSH 0A250C                               ASCII "last_compatible_version"
00097AB6   PUSH 0A29BC                               UNICODE "vaultcli.dll"
00097AD8   PUSH 0A29D8                               ASCII "VaultEnumerateItems"
00097AE0   PUSH 0A29EC                               ASCII "VaultEnumerateVaults"
00097AF2   PUSH 0A2A04                               ASCII "VaultFree"
00097B04   MOV EBX,0A2A10                            ASCII "VaultGetItem"
00097B25   PUSH 0A2A20                               ASCII "VaultOpenVault"
00097B37   PUSH 0A2A30                               ASCII "VaultCloseVault"
00097D4F   PUSH 0A2AC8                               UNICODE "file:///"
00097F7C   PUSH 0A2AE0                               UNICODE "Software\Microsoft\Internet Explorer\TypedURLs"
00098095   PUSH 0A2A40                               UNICODE "Software\Microsoft\Internet Explorer\IntelliForms\Storage2"
000981A0   PUSH 80800                                UNICODE "="6595b64144ccf1df",type="win32",version="5.2.2.3"C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows."
0009831B   PUSH 0A2AB8                               UNICODE "%s%02X"
00098485   MOV ESI,0A2C90                            UNICODE "%s\Mozilla\Firefox\profiles.ini"
00098495   MOV ESI,0A2CD0                            UNICODE "%s\Mozilla\Firefox\Profiles\%s"
000984B2   MOV ESI,0A2D10                            UNICODE "%s\Mozilla\SeaMonkey\profiles.ini"
000984D1   MOV ESI,0A2D58                            UNICODE "%s\Mozilla\SeaMonkey\Profiles\%s"
000984EE   MOV ESI,0A2D9C                            UNICODE "%s\Flock\Browser\profiles.ini"
0009850D   MOV ESI,0A2DD8                            UNICODE "%s\Flock\Browser\Profiles\%s"
0009852A   MOV ESI,0A2E14                            UNICODE "%s\Thunderbird\profiles.ini"
00098547   MOV ESI,0A2E4C                            UNICODE "%s\Thunderbird\Profiles\%s"
0009856D   MOV ESI,0A2E84                            UNICODE "%s\K-Meleon\profiles.ini"
0009858F   MOV ESI,0A2EB8                            UNICODE "%s\K-Meleon\%s"
000985B1   MOV ESI,0A2ED8                            UNICODE "%s\Comodo\IceDragon\profiles.ini"
000985CB   MOV ESI,0A2F20                            UNICODE "%s\Comodo\IceDragon\Profiles\%s"
000985EC   MOV ESI,0A2F60                            UNICODE "%s\NETGATE Technologies\BlackHawk\profiles.ini"
00098610   MOV ESI,0A2FC0                            UNICODE "%s\NETGATE Technologies\BlackHawk\Profiles\%s"
0009862D   MOV ESI,0A301C                            UNICODE "%s\Postbox\profiles.ini"
0009863D   MOV ESI,0A304C                            UNICODE "%s\Postbox\Profiles\%s"
00098667   MOV ESI,0A3080                            UNICODE "%s\8pecxstudios\Cyberfox\profiles.ini"
00098674   MOV ESI,0A30D0                            UNICODE "%s\8pecxstudios\Cyberfox\Profiles\%s"
00098698   MOV ESI,0A3120                            UNICODE "%s\Moonchild Productions\Pale Moon\profiles.ini"
000986AF   MOV ESI,0A3180                            UNICODE "%s\Moonchild Productions\Pale Moon\Profiles\%s"
000986D7   MOV ESI,0A31E0                            UNICODE "%s\FossaMail\profiles.ini"
000986EA   MOV ESI,0A3214                            UNICODE "%s\FossaMail\Profiles\%s"
0009870F   PUSH 0A3248                               UNICODE "%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data"
0009877F   PUSH 0A32F4                               UNICODE "Path"
000987A3   PUSH 0A3300                               UNICODE "Profiles/"
00098806   PUSH 0A32E0                               UNICODE "Profile%i"
0009884E   PUSH 0A364C                               UNICODE "(x86)"
0009885F   PUSH 0A3658                               UNICODE "%ProgramW6432%"
0009886E   PUSH 0A3678                               UNICODE "%s\NETGATE\Black Hawk"
000988AC   PUSH 0A37F4                               UNICODE "RootDir"
000988B1   PUSH 0A3808                               UNICODE "SOFTWARE\8pecxstudios\Cyberfox86"
000988E2   PUSH 0A3498                               UNICODE "CurrentVersion"
000988E7   PUSH 0A35F0                               UNICODE "SOFTWARE\Mozilla\Flock"
000988FC   PUSH 0A3620                               UNICODE "SOFTWARE\Flock\Flock"
00098901   PUSH 0A34FC                               UNICODE "%s\%s\Main"
00098915   PUSH 0A3514                               UNICODE "Install Directory"
00098956   PUSH 0A3498                               UNICODE "CurrentVersion"
0009895B   MOV EDI,0A3584                            UNICODE "SOFTWARE\Mozilla\FossaMail"
00098972   PUSH 0A34FC                               UNICODE "%s\%s\Main"
0009898A   PUSH 0A3514                               UNICODE "Install Directory"
000989C9   PUSH 0A3794                               UNICODE "SetupPath"
000989CE   PUSH 0A37A8                               UNICODE "SOFTWARE\ComodoGroup\IceDragon\Setup"
000989FE   PUSH 0A3498                               UNICODE "CurrentVersion"
00098A03   MOV EDI,0A3770                            UNICODE "SOFTWARE\K-Meleon"
00098A1A   PUSH 0A34FC                               UNICODE "%s\%s\Main"
00098A32   PUSH 0A3514                               UNICODE "Install Directory"
00098A72   PUSH 0A36E0                               UNICODE "%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}"
00098AA5   PUSH 0A3498                               UNICODE "CurrentVersion"
00098AAA   MOV EDI,0A34B8                            UNICODE "SOFTWARE\Mozilla\Mozilla Firefox"
00098AC5   PUSH 0A34FC                               UNICODE "%s\%s\Main"
00098AE7   PUSH 0A3514                               UNICODE "Install Directory"
00098C5C   PUSH 0A3498                               UNICODE "CurrentVersion"
00098C61   MOV EDI,0A36A4                            UNICODE "SOFTWARE\Mozilla\Pale Moon"
00098C78   PUSH 0A34FC                               UNICODE "%s\%s\Main"
00098C90   PUSH 0A3514                               UNICODE "Install Directory"
00098CF9   PUSH 0A2B48                               ASCII "SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins"
00098E28   PUSH 0A2BA8                               ASCII "{,""
00098E5E   PUSH 0A2BAC                               ASCII "hostname"
00098EC7   PUSH 0A2BB8                               ASCII "encryptedUsername"
00098F37   PUSH 0A2BCC                               ASCII "encryptedPassword"
00098FEC   PUSH 0A2BA8                               ASCII "{,""
00099040   PUSH 0A2BA0                               ASCII ""
00099146   PUSH 0A2BA0                               ASCII ""
00099178   PUSH 0A3498                               UNICODE "CurrentVersion"
0009917D   MOV EDI,0A35BC                            UNICODE "SOFTWARE\Postbox\Postbox"
00099194   PUSH 0A34FC                               UNICODE "%s\%s\Main"
000991AC   PUSH 0A3514                               UNICODE "Install Directory"
000991F3   MOV EBX,0A3498                            UNICODE "CurrentVersion"
000991FA   PUSH 0A384C                               UNICODE "SOFTWARE\mozilla.org\SeaMonkey"
00099212   PUSH 0A384C                               UNICODE "SOFTWARE\mozilla.org\SeaMonkey"
00099217   PUSH 0A34FC                               UNICODE "%s\%s\Main"
00099238   PUSH 0A3514                               UNICODE "Install Directory"
0009926B   PUSH 0A388C                               UNICODE "%s\Mozilla\Profiles"
000992A3   PUSH 0A38B4                               UNICODE "*.s"
000992DE   MOV EBX,0A38BC                            UNICODE "SOFTWARE\Mozilla\SeaMonkey"
000992F8   PUSH 0A34FC                               UNICODE "%s\%s\Main"
00099316   PUSH 0A3514                               UNICODE "Install Directory"
000993AD   PUSH 0A3498                               UNICODE "CurrentVersion"
000993B2   MOV EDI,0A3538                            UNICODE "SOFTWARE\Mozilla\Mozilla Thunderbird"
000993C9   PUSH 0A34FC                               UNICODE "%s\%s\Main"
000993E1   PUSH 0A3514                               UNICODE "Install Directory"
0009947A   MOV ESI,0A3314                            UNICODE "PATH"
000994C7   PUSH 0A3324                               UNICODE "%s\nss3.dll"
0009950E   PUSH 0A333C                               ASCII "NSS_Init"
00099546   PUSH 0A3348                               ASCII "NSS_Shutdown"
00099558   PUSH 0A3358                               ASCII "PK11_GetInternalKeySlot"
0009956A   PUSH 0A3370                               ASCII "PK11_FreeSlot"
0009957C   PUSH 0A3380                               ASCII "PK11_Authenticate"
0009958E   PUSH 0A3394                               ASCII "PK11SDR_Decrypt"
000995A0   PUSH 0A33A4                               ASCII "PK11_CheckUserPassword"
000995B2   PUSH 0A33BC                               ASCII "SECITEM_FreeItem"
0009962E   PUSH 0A33D0                               UNICODE "sqlite3.dll"
00099634   PUSH 0A224C                               UNICODE "%s\%s"
00099658   MOV DWORD PTR SS:[ESP],0A33E8             UNICODE "mozsqlite3.dll"
00099660   PUSH 0A224C                               UNICODE "%s\%s"
00099684   MOV DWORD PTR SS:[ESP],0A3408             UNICODE "nss3.dll"
0009968C   PUSH 0A224C                               UNICODE "%s\%s"
000996CC   PUSH 0A341C                               ASCII "sqlite3_finalize"
000996F2   PUSH 0A3430                               ASCII "sqlite3_step"
00099704   PUSH 0A3440                               ASCII "sqlite3_close"
00099716   PUSH 0A3450                               ASCII "sqlite3_column_text"
00099728   PUSH 0A3464                               ASCII "sqlite3_open16"
0009973A   PUSH 0A3474                               ASCII "sqlite3_prepare_v2"
00099755   PUSH 0A3488                               ASCII "sqlite3_prepare"
0009981F   PUSH 0A2BE0                               UNICODE "%s\prefs.js"
00099845   PUSH 0A2BF8                               UNICODE "%s\signons.sqlite"
00099871   PUSH 0A2C1C                               UNICODE "%s\logins.json"
000998A1   MOV ESI,0A2C3C                            UNICODE "signons.txt"
000998B5   MOV ESI,0A2C54                            UNICODE "signons2.txt"
000998C4   MOV ESI,0A2C70                            UNICODE "signons3.txt"
000998D8   PUSH 0A224C                               UNICODE "%s\%s"
00099952   MOV EDI,128D30                            UNICODE "C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
00099973   PUSH 0A3314                               UNICODE "PATH"
00099991   PUSH 128D30                               UNICODE "C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem"
00099996   PUSH 0A3314                               UNICODE "PATH"
00099A09   PUSH 0A3910                               UNICODE "%s\Opera"
00099A0F   PUSH 0A3924                               UNICODE "wand.dat"
00099A28   MOV ESI,0A3938                            ASCII "X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb"
00099AEF   MOV ESI,0A39B8                            UNICODE "Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete"
00099B45   PUSH 0A3960                               UNICODE "form_password_control"
00099B72   PUSH 0A398C                               UNICODE "form_username_control"
00099C19   PUSH 0A3A28                               UNICODE "%s\QupZilla\profiles\default\browsedata.db"
00099EC8   PUSH 0A3AAC                               UNICODE "InstallDir"
00099ECD   PUSH 0A3AC8                               UNICODE "SOFTWARE\Apple Computer, Inc.\Safari"
00099EEE   PUSH 0A3B18                               UNICODE "%s\Apple Computer\Preferences\keychain.plist"
00099F14   PUSH 0A3B78                               UNICODE "%s\Apple Application Support\plutil.exe"
00099F40   PUSH 0A3BC8                               UNICODE ".xml"
00099F59   PUSH 0A3BD4                               UNICODE "-convert xml1 -s -o %s "%s""
0009A020   PUSH 0A3A84                               ASCII "array"
0009A03B   PUSH 0A3A8C                               ASCII "dict"
0009A058   PUSH 0A3A8C                               ASCII "dict"
0009A067   PUSH 0A3A94                               ASCII "data"
0009A095   PUSH 0A3A9C                               ASCII "string"
0009A0A4   PUSH 0A3AA4                               ASCII "Server"
0009A0B9   PUSH 0A3A9C                               ASCII "string"
0009A135   MOV DWORD PTR SS:[ESP],0A3A8C             ASCII "dict"
0009A170   PUSH 0A3C0C                               UNICODE "*Mailbox.ini"
0009A186   PUSH 0A3C28                               UNICODE "%s\DeskSoft\CheckMail"
0009A18D   PUSH 0A3C54                               UNICODE "Account*.dcf"
0009A1A5   PUSH 0A3C70                               UNICODE "%s\Data\AccCfg\Accounts.tdat"
0009A1D3   PUSH 0A3CAC                               UNICODE "%s\Storage"
0009A1FB   PUSH 0A3CC4                               UNICODE "Account.rec0"
0009A23A   PUSH 0A3CE0                               UNICODE "%s\Foxmail\mail"
0009A263   PUSH 0A3D00                               UNICODE "*.stg"
0009A283   PUSH 0A3D0C                               UNICODE "%SYSTEMDRIVE%"
0009A29D   PUSH 0A3D28                               UNICODE "Foxmail*"
0009A2C6   PUSH 0A3D40                               UNICODE "%s\GmailNotifierPro\ConfigData.xml"
0009A2E9   MOV ESI,0A3E70                            UNICODE "Software\IncrediMail\Identities"
0009A350   PUSH 0A3D88                               UNICODE "EmailAddress"
0009A369   PUSH 0A3DA4                               UNICODE "Technology"
0009A375   PUSH 0A3DBC                               UNICODE "PopServer"
0009A383   PUSH 0A3DD0                               UNICODE "PopPort"
0009A392   PUSH 0A3DE0                               UNICODE "PopAccount"
0009A3AC   PUSH 0A3DF8                               UNICODE "PopPassword"
0009A3B8   PUSH 0A3E10                               UNICODE "SmtpServer"
0009A3C7   PUSH 0A3E28                               UNICODE "SmtpPort"
0009A3D6   PUSH 0A3E3C                               UNICODE "SmtpAccount"
0009A3F3   PUSH 0A3E54                               UNICODE "SmtpPassword"
0009A50E   PUSH 0A3D0C                               UNICODE "%SYSTEMDRIVE%"
0009A521   PUSH 0A3EB0                               UNICODE "%s\Softwarenetz\Mailing\Daten\mailing.vdt"
0009A568   MOV ESI,0A3F54                            UNICODE "Software\WinChips\UserAccounts"
0009A5BE   PUSH 0A3F04                               UNICODE "UserName"
0009A5E7   PUSH 0A3F18                               UNICODE "Passwd"
0009A5F3   PUSH 0A3F28                               UNICODE "POP3Server"
0009A601   PUSH 0A3F40                               UNICODE "POP3Port"
0009A69E   PUSH 0A3F98                               UNICODE "%s\Opera Mail\Opera Mail\wand.dat"
0009A6CB   PUSH 0A4340                               UNICODE "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
0009A6D9   PUSH 0A43F8                               UNICODE "Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"
0009A6E7   PUSH 0A4468                               UNICODE "Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
0009A722   PUSH 0A3FDC                               UNICODE "Email"
0009A759   MOV ESI,0A3FE8                            UNICODE "SMTP Email Address"
0009A76C   MOV ESI,0A4010                            UNICODE "SMTP Server"
0009A77F   MOV ESI,0A4028                            UNICODE "SMTP User Name"
0009A7AF   MOV ESI,0A4048                            UNICODE "SMTP User"
0009A7BF   MOV ESI,0A405C                            UNICODE "POP3 Server"
0009A7D9   MOV ESI,0A4074                            UNICODE "POP3 User Name"
0009A807   MOV ESI,0A4094                            UNICODE "POP3 User"
0009A814   MOV ESI,0A40A8                            UNICODE "NNTP Email Address"
0009A82F   MOV ESI,0A40D0                            UNICODE "NNTP User Name"
0009A854   MOV ESI,0A40F0                            UNICODE "NNTP Server"
0009A864   MOV ESI,0A4108                            UNICODE "IMAP Server"
0009A87F   MOV ESI,0A4120                            UNICODE "IMAP User Name"
0009A8AD   MOV ESI,0A4140                            UNICODE "IMAP User"
0009A8BA   MOV ESI,0A4154                            UNICODE "HTTP User"
0009A8D8   MOV ESI,0A4168                            UNICODE "HTTP Server URL"
0009A902   MOV ESI,0A4188                            UNICODE "HTTPMail User Name"
0009A90E   MOV ESI,0A41B0                            UNICODE "HTTPMail Server"
0009A965   MOV ESI,0A41D0                            UNICODE "POP3 Port"
0009A970   MOV ESI,0A41E4                            UNICODE "SMTP Port"
0009A97D   MOV ESI,0A41F8                            UNICODE "IMAP Port"
0009A9B5   MOV ESI,0A420C                            UNICODE "POP3 Password2"
0009A9D6   MOV ESI,0A422C                            UNICODE "IMAP Password2"
0009A9F3   MOV ESI,0A424C                            UNICODE "NNTP Password2"
0009AA11   MOV ESI,0A426C                            UNICODE "HTTPMail Password2"
0009AA1C   MOV ESI,0A4294                            UNICODE "SMTP Password2"
0009AA41   MOV ESI,0A42B4                            UNICODE "POP3 Password"
0009AA4E   MOV ESI,0A42D0                            UNICODE "IMAP Password"
0009AA6A   MOV ESI,0A42EC                            UNICODE "NNTP Password"
0009AA86   MOV ESI,0A4308                            UNICODE "HTTP Password"
0009AA9F   MOV ESI,0A4324                            UNICODE "SMTP Password"
0009AB6B   PUSH 0A44D8                               UNICODE "%s\.purple\accounts.xml"
0009AB7E   MOV ESI,0A4508                            UNICODE "%s\Pocomail\accounts.ini"
0009ABBA   PUSH 0A454C                               UNICODE "imap.auth.pass"
0009ABBF   MOV EBX,0A456C                            UNICODE "SOFTWARE\flaska.net\trojita"
0009ABD9   PUSH 0A45A4                               UNICODE "imap.host"
0009ABEC   PUSH 0A45B8                               UNICODE "imap.auth.user"
0009ABF1   MOV ESI,0A456C                            UNICODE "SOFTWARE\flaska.net\trojita"
0009AC03   PUSH 0A45D8                               UNICODE "imap.port"
0009AC89   MOV EBX,0A456C                            UNICODE "SOFTWARE\flaska.net\trojita"
0009AC8F   PUSH 0A45EC                               UNICODE "msa.smtp.auth.pass"
0009ACA9   PUSH 0A4614                               UNICODE "msa.smtp.host"
0009ACBC   PUSH 0A4630                               UNICODE "msa.smtp.auth.user"
0009ACC1   MOV ESI,0A456C                            UNICODE "SOFTWARE\flaska.net\trojita"
0009ACD3   PUSH 0A4658                               UNICODE "msa.smtp.port"
0009AD68   PUSH 0A4678                               UNICODE "SOFTWARE\flaska.net\trojita\identities"
0009ADA3   PUSH 0A453C                               UNICODE "address"
0009ADE7   PUSH 0A46C8                               UNICODE "%s\TrulyMail\Data\Settings\user.config"
0009ADFC   PUSH 0A4718                               UNICODE "%s\yMail2\POP3.xml"
0009AE09   PUSH 0A4740                               UNICODE "%s\yMail2\SMTP.xml"
0009AE15   PUSH 0A4768                               UNICODE "%s\yMail2\Accounts.xml"
0009AE22   PUSH 0A4798                               UNICODE "%s\yMail\ymail.ini"
0009AE38   PUSH 0A47C0                               UNICODE "%s\32BitFtp.TMP"
0009AE46   PUSH 0A47E0                               UNICODE "%s\32BitFtp.ini"
0009AE5B   PUSH 0A4800                               UNICODE "%s\Estsoft\ALFTP\ESTdb2.dat"
0009AE70   PUSH 0A4838                               UNICODE "%s\site.xml"
0009AE82   PUSH 0A4850                               UNICODE "%s\BitKinex\bitkinex.ds"
0009AEA2   PUSH 0A4880                               UNICODE "*.tlp"
0009AEB2   PUSH 0A488C                               UNICODE "*.bscp"
0009AEC1   PUSH 0A489C                               UNICODE "LastUsedProfile"
0009AEC6   PUSH 0A48BC                               UNICODE "Software\Bitvise\BvSshClient"
0009AF3D   PUSH 0A48F8                               UNICODE "%s\BlazeFtp\site.dat"
0009AF4A   MOV ESI,0A4928                            UNICODE "Software\FlashPeak\BlazeFtp\Settings"
0009AF5F   PUSH 0A4974                               UNICODE "LastPassword"
0009AF7B   PUSH 0A4990                               UNICODE "LastUser"
0009AF8C   PUSH 0A49A4                               UNICODE "LastAddress"
0009AF9E   PUSH 0A49BC                               UNICODE "LastPort"
0009B036   PUSH 0A49D0                               UNICODE "Server"
0009B04F   PUSH 0A3F04                               UNICODE "UserName"
0009B05B   PUSH 0A49E0                               UNICODE "Password"
0009B074   PUSH 0A49F4                               UNICODE "_Password"
0009B11C   MOV ESI,0A4A08                            UNICODE "Software\NCH Software\ClassicFTP\FTPAccounts"
0009B1A1   PUSH 0A4A64                               ASCII "settings"
0009B1E6   PUSH 0A4A74                               ASCII "name"
0009B1F1   PUSH 0A4A7C                               ASCII "value"
0009B29F   PUSH 0A4A84                               UNICODE "%s\Cyberduck"
0009B2A6   MOV ESI,0A4AA0                            UNICODE "user.config"
0009B2B4   PUSH 0A4AB8                               UNICODE "%s\iterate_GmbH"
0009B2D1   PUSH 0A4AD8                               UNICODE "%s\EasyFTP\data"
0009B303   MOV ESI,0A4B20                            UNICODE "%s\ExpanDrive"
0009B30D   PUSH 0A4B3C                               UNICODE "*favorites.js"
0009B31D   PUSH 0A4B58                               UNICODE "drives.js"
0009B3B8   PUSH 0A4AFC                               ASCII "%s"
0009B3CA   PUSH 0A4B00                               ASCII "server"
0009B407   PUSH 0A4AFC                               ASCII "%s"
0009B419   PUSH 0A4B08                               ASCII "username"
0009B434   PUSH 0A4AFC                               ASCII "%s"
0009B448   PUSH 0A2BCC                               ASCII "encryptedPassword"
0009B4DE   PUSH 0A4B14                               ASCII "protocol"
0009B55E   PUSH 0A49E0                               UNICODE "Password"
0009B57E   MOV DWORD PTR SS:[ESP],0A4B78             UNICODE "User"
0009B58E   PUSH 0A4B84                               UNICODE "HostName"
0009B656   PUSH 0A4B6C                               UNICODE "%s%c"
0009B697   PUSH 0A4B98                               UNICODE "Software\Far\Plugins\FTP\Hosts"
0009B6A5   PUSH 0A4BD8                               UNICODE "Software\Far2\Plugins\FTP\Hosts"
0009B6D2   PUSH 0A4C18                               UNICODE "%s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db"
0009B6E9   PUSH 0A4CB0                               UNICODE "%s\FileZilla\Filezilla.xml"
0009B6F6   PUSH 0A4CE8                               UNICODE "%s\FileZilla\filezilla.xml"
0009B703   PUSH 0A4D20                               UNICODE "%s\FileZilla\recentservers.xml"
0009B710   PUSH 0A4D60                               UNICODE "%s\FileZilla\sitemanager.xml"
0009B736   MOV ESI,0A4D9C                            UNICODE "%s\FlashFXP"
0009B742   MOV EBX,0A4DB4                            UNICODE "*Sites.dat"
0009B75F   MOV ESI,0A4DCC                            UNICODE "*quick.dat"
0009B773   PUSH 0A4D9C                               UNICODE "%s\FlashFXP"
0009B789   PUSH 0A4D9C                               UNICODE "%s\FlashFXP"
0009B811   PUSH 0A4DE4                               UNICODE "FtpServer"
0009B82A   PUSH 0A4DF8                               UNICODE "FtpUserName"
0009B836   PUSH 0A4E10                               UNICODE "FtpPassword"
0009B84F   PUSH 0A4E28                               UNICODE "_FtpPassword"
0009B8F7   MOV ESI,0A4E48                            UNICODE "Software\NCH Software\Fling\Accounts"
0009B959   PUSH 0A4E98                               UNICODE "%s\FreshWebmaster\FreshFTP\FtpSites.SMF"
0009B96B   PUSH 0A4EE8                               UNICODE "%s\FTPBox\profiles.conf"
0009B97D   PUSH 0A4F18                               UNICODE "%s\FTPGetter\Profile\servers.xml"
0009B98B   PUSH 0A4F5C                               UNICODE "%s\FTPGetter\servers.xml"
0009B9A0   PUSH 0A4F90                               UNICODE "%s\FTPInfo\ServerList.xml"
0009B9AE   PUSH 0A4FC4                               UNICODE "%s\FTPInfo\ServerList.cfg"
0009B9C3   PUSH 0A4FF8                               UNICODE "%s\FTP Navigator\Ftplist.txt"
0009B9D8   PUSH 0A5034                               UNICODE "%s\FTP Now\sites.xml"
0009B9ED   PUSH 0A5034                               UNICODE "%s\FTP Now\sites.xml"
0009BA02   PUSH 0A5060                               UNICODE "%s\FTPShell\ftpshell.fsi"
0009BA17   PUSH 0A5098                               UNICODE "%s\.config\fullsync\profiles.xml"
0009BA2C   PUSH 0A50DC                               UNICODE "%s\DeluxeFTP\sites.xml"
0009BA41   PUSH 0A5110                               UNICODE "%s\GoFTP\settings\Connections.txt"
0009BA52   PUSH 0A5164                               UNICODE "AbleFTP"
0009BA5E   PUSH 0A5174                               UNICODE "Automize"
0009BA87   PUSH 0A5188                               UNICODE "%s\%s%i\encPwd.jsd"
0009BAB2   PUSH 0A51B0                               UNICODE "%s\%s%i\data\settings\sshProfiles-j.jsd"
0009BADD   PUSH 0A5200                               UNICODE "%s\%s%i\data\settings\ftpProfiles-j.jsd"
0009BB15   PUSH 0A5154                               UNICODE "JaSFtp"
0009BB36   MOV ESI,0A5274                            UNICODE "Software\LinasFTP\Site Manager"
0009BB8C   PUSH 0A5250                               UNICODE "Pass"
0009BBA5   PUSH 0A4B78                               UNICODE "User"
0009BBB1   PUSH 0A525C                               UNICODE "Host"
0009BBBF   PUSH 0A5268                               UNICODE "Port"
0009BC5B   PUSH 0A52B4                               UNICODE "%s\oZone3D\MyFTP\myftp.ini"
0009BC71   PUSH 0A52EC                               UNICODE "%s\NetDrive\NDSites.ini"
0009BC7E   MOV ESI,0A531C                            UNICODE "%s\NetDrive2\drives.dat"
0009BCA1   PUSH 0A5350                               UNICODE "%s\Fastream NETFile\My FTP Links"
0009BCBD   PUSH 0A5398                               UNICODE "%s\NexusFile\userdata\ftpsite.ini"
0009BCCB   PUSH 0A53DC                               UNICODE "%s\NexusFile\ftpsite.ini"
0009BCE0   PUSH 0A5410                               UNICODE "%s\INSoftware\NovaFTP\NovaFTP.db"
0009BCF5   PUSH 0A5458                               UNICODE "%s\Notepad++\plugins\config\NppFTP\NppFTP.xml"
0009BD0A   PUSH 0A54B8                               UNICODE "%s\Odin Secure FTP Expert\QFDefault.QFQ"
0009BD18   PUSH 0A5508                               UNICODE "%s\Odin Secure FTP Expert\SiteInfo.QFP"
0009BD42   MOV ESI,0A55A8                            UNICODE "Software\9bis.com\KiTTY\Sessions"
0009BD5C   MOV ESI,0A55F0                            UNICODE "Software\SimonTatham\PuTTY\Sessions"
0009BDDB   PUSH 0A4B84                               UNICODE "HostName"
0009BE04   PUSH 0A49E0                               UNICODE "Password"
0009BE10   PUSH 0A3F04                               UNICODE "UserName"
0009BE1F   PUSH 0A5558                               UNICODE "PublicKeyFile"
0009BE2E   PUSH 0A5574                               UNICODE "TerminalType"
0009BE3C   PUSH 0A5590                               UNICODE "PortNumber"
0009BF55   PUSH 0A56F8                               UNICODE "lck"
0009BFAB   MOV EBX,0A5700                            UNICODE "%s\Microsoft\Credentials"
0009BFF4   PUSH 0A5638                               UNICODE "_dec"
0009C335   PUSH 0A5644                               UNICODE "%s_dec"
0009C624   PUSH 0A5654                               UNICODE "lsasrv.dll"
0009C641   PUSH 0A566C                               ASCII "LsaICryptUnprotectData"
0009C65E   PUSH 0A5684                               UNICODE "kernel32.dll"
0009C678   PUSH 0A56A0                               ASCII "CloseHandle"
0009C695   PUSH 0A56AC                               ASCII "CreateFileW"
0009C6B2   PUSH 0A56B8                               ASCII "WriteFile"
0009C70F   PUSH 0A56C4                               UNICODE "lsass.exe"
0009C730   PUSH 0A56D8                               ASCII "GetProcAddress"
0009C735   PUSH 0A5684                               UNICODE "kernel32.dll"
0009C740   PUSH 0A56E8                               ASCII "LoadLibraryW"
0009C745   PUSH 0A5684                               UNICODE "kernel32.dll"
0009C767   PUSH 0A5684                               UNICODE "kernel32.dll"
0009C783   PUSH 0A56D8                               ASCII "GetProcAddress"
0009C78C   PUSH 0A5684                               UNICODE "kernel32.dll"
0009C7AE   PUSH 0A56E8                               ASCII "LoadLibraryW"
0009C7E6   PUSH 0A56C4                               UNICODE "lsass.exe"
0009C80D   PUSH 0A56C4                               UNICODE "lsass.exe"
0009C959   PUSH 0A5734                               UNICODE "Config Path"
0009C95E   PUSH 0A574C                               UNICODE "Software\VanDyke\SecureFX"
0009C973   PUSH 0A5780                               UNICODE "%s\Sessions"
0009C9A6   PUSH 0A5798                               UNICODE "*.ini"
0009C9E9   PUSH 0A57C8                               UNICODE "%s\SftpNetDrive"
0009C9F0   PUSH 0A57E8                               UNICODE "*.cfg"
0009CA47   PUSH 0A3AA4                               ASCII "Server"
0009CA61   PUSH 0A57A4                               ASCII "Port"
0009CA6C   PUSH 0A57AC                               ASCII "<>"
0009CAB1   PUSH 0A4AFC                               ASCII "%s"
0009CAC1   PUSH 0A57B0                               ASCII "UserName"
0009CAE7   PUSH 0A4AFC                               ASCII "%s"
0009CAFA   PUSH 0A57BC                               ASCII "Password"
0009CB14   PUSH 0A57AC                               ASCII "<>"
0009CBDA   PUSH 0A57F8                               UNICODE "%s\Sherrod Computers\sherrod FTP\favorites"
0009CBE1   PUSH 0A5850                               UNICODE "#document.favoriteManager*"
0009CBF7   PUSH 0A5888                               UNICODE "%s\SmartFTP"
0009CBFE   PUSH 0A58A0                               UNICODE "{*.xml"
0009CC13   PUSH 0A58B0                               UNICODE "%s\Staff-FTP\sites.ini"
0009CC28   PUSH 0A58E0                               UNICODE "%s\Steed\bookmarks.txt"
0009CC3F   PUSH 0A5910                               UNICODE "%s\SuperPutty"
0009CC46   PUSH 0A592C                               UNICODE "Sessions*"
0009CCAC   PUSH 0A59E4                               UNICODE "%s\Syncovery"
0009CCB3   PUSH 0A5A00                               UNICODE "Syncovery.ini"
0009CDD9   PUSH 0A5940                               UNICODE "sftp://"
0009CDEC   PUSH 0A5950                               UNICODE "ftp://"
0009CDFF   PUSH 0A5960                               UNICODE "ftps://"
0009CE12   PUSH 0A5970                               UNICODE "http://"
0009CE25   PUSH 0A5980                               UNICODE "https://"
0009CE48   MOV EBX,0A5998                            UNICODE "{.:CRED:.}"
0009CE61   PUSH 0A59B0                               UNICODE "{CREN}"
0009CE78   PUSH 0A59C0                               UNICODE "{CRDB}"
0009CE86   PUSH 0A59C0                               UNICODE "{CRDB}"
0009CEF3   PUSH 0A59D0                               UNICODE "Profiles"
0009CF1D   PUSH 0A59D0                               UNICODE "Profiles"
0009CF75   MOV ESI,0A5A1C                            UNICODE "*.vnc"
0009CF9F   MOV ESI,0A5A28                            UNICODE "%s\wcx_ftp.ini"
0009CFC0   PUSH 0A5A48                               UNICODE "%s\GHISLER\wcx_ftp.ini"
0009CFCF   PUSH 0A5A78                               UNICODE "FtpIniName"
0009CFD4   PUSH 0A5A90                               UNICODE "Software\Ghisler\Total Commander"
0009D018   PUSH 0A5AD4                               UNICODE "%s\UltraFXP\sites.xml"
0009D02D   PUSH 0A5B00                               UNICODE "%s\WinFtp Client\Favorites.dat"
0009D050   MOV ESI,0A5B58                            UNICODE "Software\Martin Prikryl"
0009D0B7   PUSH 0A4B84                               UNICODE "HostName"
0009D0E0   PUSH 0A49E0                               UNICODE "Password"
0009D0EC   PUSH 0A3F04                               UNICODE "UserName"
0009D0FB   PUSH 0A5558                               UNICODE "PublicKeyFile"
0009D10A   PUSH 0A5B40                               UNICODE "FSProtocol"
0009D118   PUSH 0A5590                               UNICODE "PortNumber"
0009D230   PUSH 0A5B88                               UNICODE "%s\WS_FTP\WS_FTP.INI"
0009D23D   PUSH 0A5BB4                               UNICODE "%s\WS_FTP.INI"
0009D24A   PUSH 0A5BD0                               UNICODE "%s\Ipswitch"
0009D251   PUSH 0A5BE8                               UNICODE "ws_ftp.ini"
0009D26B   MOV EDI,0A5C00                            UNICODE "%s\NetSarang\Xftp\Sessions"
0009D278   MOV ESI,0A5C38                            UNICODE "*xfp"
0009D31E   PUSH 0A5C44                               UNICODE "%s\NoteFly\notes"
0009D324   PUSH 0A5C68                               UNICODE "*.nfn"
0009D37E   PUSH 0A5C78                               UNICODE "%s\Conceptworld\Notezilla\Notes8.db"
0009D3A2   PUSH 0A5CC0                               UNICODE "%s\stickies\images"
0009D3A8   PUSH 0A5CE8                               UNICODE "*.png"
0009D3BE   PUSH 0A5CF4                               UNICODE "%s\stickies\rtf"
0009D3C4   PUSH 0A5D14                               UNICODE "*.rtf"
0009D440   PUSH 0A5D20                               UNICODE "%s\Microsoft\Sticky Notes\StickyNotes.snt"
0009D46B   MOV ESI,0A5D74                            UNICODE "*.spn"
0009D4D5   PUSH 0A5D80                               UNICODE "%s\To-Do DeskList\tasks.db"
0009D4E6   PUSH 0A5DD4                               UNICODE "Full Tilt Poker"
0009D4FD   PUSH 0A7010                               UNICODE "Software"
0009D502   PUSH 0A224C                               UNICODE "%s\%s"
0009D549   PUSH 0A49E0                               UNICODE "Password"
0009D56B   PUSH 0A5DC0                               UNICODE "Username"
0009D628   PUSH 0A7010                               UNICODE "Software"
0009D66C   PUSH 0A5DB8                               UNICODE "c:\"
0009D729   PUSH 0A5DF4                               UNICODE "InstanceA"
0009D72E   MOV EBX,0A5E08                            UNICODE "Software\VB and VBA Program Settings\Plugin"
0009D741   PUSH 0A5E60                               UNICODE "InstanceB"
0009D763   PUSH 0A5E74                               ASCII "INSTALL=%08X%08X;"
0009D88A   PUSH 0A5E88                               ASCII "MAC=%02X%02X%02X%02X%02X%02X;"
0009D8F7   PUSH 0A5EA8                               ASCII "SYSVOL=%08X;"
0009D93C   PUSH 0A5ED0                               UNICODE "PokerStars*"
0009D968   PUSH 0A5EB8                               UNICODE "%s\user.ini"
0009DA63   PUSH 0A3D0C                               UNICODE "%SYSTEMDRIVE%"
0009DB73   PUSH 0A3D0C                               UNICODE "%SYSTEMDRIVE%"
0009DC0A   PUSH 0A5EE8                               UNICODE "%s\mSecure"
0009DC11   PUSH 0A5F00                               UNICODE "*.mscw"
0009DDCC   SUB EAX,10000                             UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0009DDE9   MOV ESI,0A5F10                            UNICODE "-k netsvcs"
0009DE5C   PUSH 0A5F38                               UNICODE "explorer.exe"
0009DE9B   PUSH 0A5F54                               UNICODE "svchost.exe"
0009DEBC   PUSH 0A21FC                               UNICODE "open"
0009DEC1   PUSH 0A5F28                               UNICODE "http"
0009E01B   MOV DWORD PTR SS:[EBP-28],10004           UNICODE "LUSERSPROFILE=C:\Documents and Settings\All Users"
0009E63F   PUSH 0A5FA0                               UNICODE "CB: %s"
0009E709   PUSH 0A5F80                               UNICODE "Window: %s"
0009E7BC   PUSH 0A5FE4                               UNICODE "[DEL]"
0009E7CA   PUSH 0A5FB8                               UNICODE ""
0009E7D1   PUSH 0A5FD8                               UNICODE "[TAB]"
0009E7D8   PUSH 0A5FC0                               UNICODE "[BACKSPACE]"
0009E9AD   PUSH 0A5F78                               UNICODE "kdb"
0009E9D4   PUSH 0A5F78                               UNICODE "kdb"
0009EA86   PUSH 0A5F6C                               UNICODE "KL-%s"
0009EE36   PUSH 0A61E4                               ASCII ""
0009EF52   PUSH 0A6208                               UNICODE "hdb"
0009EFAA   PUSH 0A61EC                               UNICODE ".exe"
0009EFE6   PUSH 0A61FC                               UNICODE ".dll"
0009F004   PUSH 0A61EC                               UNICODE ".exe"
0009F08E   PUSH 0A6210                               UNICODE "-u"
0009F098   PUSH 0A61EC                               UNICODE ".exe"
0009F1D1   PUSH 0A6164                               UNICODE "%s\%s\%s.exe"
0009F204   PUSH 0A224C                               UNICODE "%s\%s"
0009F379   PUSH 0A6218                               ASCII "XXXXX11111"
0009F67E   PUSH 0A3D0C                               UNICODE "%SYSTEMDRIVE%"
0009F6E0   PUSH 0A6224                               UNICODE "%c:\"
0009F986   PUSH 0A6250                               UNICODE "img"
0009FE0E   PUSH 9BA52                                ASCII "hdQ"
0009FE1A   PUSH 9BB15                                ASCII "hTQ"
0009FE26   PUSH 9BA5E                                ASCII "htQ"
0009FF17   PUSH 9B722                                ASCII "SVWh"
000A000F   PUSH 9AB79                                ASCII "Vj"
000A00C3   PUSH 9ADF5                                ASCII "Vj"
000A0234   PUSH 0A6210                               UNICODE "-u"
000A02DD   MOV ESI,0A6258                            ASCII "KOSFKF"
000A06EF   PUSH 0A224C                               UNICODE "%s\%s"
000A0719   PUSH 0A62E8                               UNICODE "%s\%s.%s"
000A0B1A   PUSH 0A6218                               ASCII "XXXXX11111"
000A0EB0   PUSH 0A6208                               UNICODE "hdb"
Spawn a svchost.exe process, inject itself and Resume at 40DC73
405642, 403240 for crypto part and 41061E for CryptDecrypt

Gates:
Code: Select all
trafcounters.com/webstatBETA/ight.php
mompelie.ru/webstatBETA/ight.php
Files from VT positively reacting to "/ight.php":
Code: Select all
092f07af0b41409b1295947b56af2e0187cad4de
778e238c33426b7ec5dea807f6896899ce4ed8ea
4b350e37bb9a4b2a33162a46c34565f5010e8457
61a2114b55090144c3ef2eb5d788d163ff5444c2
a4d0d0694f271f42381ba5a2cc08c88659dd7ba1
60260e08b290cb6747b9b92a20b194daa577bda3
9fbc50624ad1e47b75ae053f05a6caa9bd422d7c
7fcdb17391c0e47afbb9d04c8f69f112d9d538ed
Attachments
infected
(143.38 KiB) Downloaded 104 times