- #MalwareMustDie! [0x00000000:0x00400000]> !date
- Fri Jan 18 01:33:11 JST 2013
- // Stolen credential list from Cridex Infection 20130117
- // by Fareit Trojan Stealer:
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- UninstallString
- DisplayName
- Software\WinRAR
- My Documents
- AppData
- Local AppData
- Cache
- Cookies
- History
- My Documents
- Common AppData
- My Pictures
- Common Documents
- Common Administrative Tools
- Administrative Tools
- Personal
- Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- explorer.exe
- Software\Far\Plugins\FTP\Hosts
- Software\Far2\Plugins\FTP\Hosts
- Software\Far Manager\Plugins\FTP\Hosts
- Software\Far\SavedDialogHistory\FTPHost
- Software\Far2\SavedDialogHistory\FTPHost
- Software\Far Manager\SavedDialogHistory\FTPHost
- Password
- HostName
- User
- Line
- wcx_ftp.ini
- \GHISLER
- InstallDir
- FtpIniName
- Software\Ghisler\Windows Commander
- Software\Ghisler\Total Commander
- \Ipswitch
- Sites\
- \Ipswitch\WS_FTP
- \win.ini
- .ini
- WS_FTP
- DIR
- DEFDIR
- CUTEFTP
- QCHistory
- Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
- Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
- Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
- Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
- Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
- Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
- \GlobalSCAPE\CuteFTP
- \GlobalSCAPE\CuteFTP Pro
- \GlobalSCAPE\CuteFTP Lite
- \CuteFTP
- \sm.dat
- Software\FlashFXP\3
- Software\FlashFXP
- Software\FlashFXP\4
- InstallerDathPath
- path
- Install Path
- DataFolder
- \Sites.dat
- \Quick.dat
- \History.dat
- \FlashFXP\3
- \FlashFXP\4
- \FileZilla
- \sitemanager.xml
- \recentservers.xml
- \filezilla.xml
- Software\FileZilla
- Software\FileZilla Client
- Install_Dir
- Host
- User
- Pass
- Port
- Remote Dir
- Server Type
- Server.Host
- Server.User
- Server.Pass
- Server.Port
- Path
- ServerType
- Last Server Host
- Last Server User
- Last Server Pass
- Last Server Port
- Last Server Path
- Last Server Type
- FTP Navigator
- FTP Commander
- ftplist.txt
- \BulletProof Software
- .dat
- .bps
- Software\BPFTP\Bullet Proof FTP\Main
- Software\BulletProof Software\BulletProof FTP Client\Main
- Software\BPFTP\Bullet Proof FTP\Options
- Software\BulletProof Software\BulletProof FTP Client\Options
- Software\BPFTP
- LastSessionFile
- SitesDir
- InstallDir1
- .xml
- \SmartFTP
- Favorites.dat
- History.dat
- addrbk.dat
- quick.dat
- \TurboFTP
- Software\TurboFTP
- installpath
- Software\Sota\FFFTP
- CredentialSalt
- CredentialCheck
- Software\Sota\FFFTP\Options
- Password
- UserName
- HostAdrs
- RemoteDir
- Port
- HostName
- Port
- Username
- Password
- HostDirName
- Software\CoffeeCup Software\Internet\Profiles
- Software\FTPWare\COREFTP\Sites
- Host
- User
- Port
- PthR
- SSH
- profiles.xml
- \FTP Explorer
- Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
- Buttons
- Software\FTP Explorer\Profiles
- Password
- PasswordType
- Host
- Login
- Port
- InitialPath
- FtpSite.xml
- \Frigate3
- .ini
- \VanDyke\Config\Sessions
- \Sessions
- Software\VanDyke\SecureFX
- Config Path
- UltraFXP
- \sites.xml
- \FTPRush
- RushSite.xml
- Server
- Username
- Password
- FtpPort
- Software\Cryer\WebSitePublisher
- \BitKinex
- bitkinex.ds
- Hostname
- Username
- Password
- Port
- Software\ExpanDrive\Sessions
- \ExpanDrive
- \drives.js
- "password" : "
- Software\ExpanDrive
- ExpanDrive_Home
- Server
- UserName
- Password
- _Password
- Directory
- Software\NCH Software\ClassicFTP\FTPAccounts
- FtpServer
- FtpUserName
- FtpPassword
- _FtpPassword
- FtpDirectory
- SOFTWARE\NCH Software\Fling\Accounts
- Software\FTPClient\Sites
- Software\SoftX.org\FTPClient\Sites
- .oxc
- .oll
- ftplast.osd
- \GPSoftware\Directory Opus
- \SharedSettings.ccs
- \SharedSettings_1_0_5.ccs
- \SharedSettings.sqlite
- \SharedSettings_1_0_5.sqlite
- \CoffeeCup Software
- leapftp
- unleap.exe
- sites.dat
- sites.ini
- \LeapWare\LeapFTP
- SOFTWARE\LeapWare
- InstallPath
- DataDir
- Password
- HostName
- UserName
- RemoteDirectory
- PortNumber
- FSProtocol
- Software\Martin Prikryl
- \32BitFtp.ini
- NDSites.ini
- \NetDrive
- PassWord
- Url
- UserName
- RootDirectory
- Port
- Software\South River Technologies\WebDrive\Connections
- ServerType
- FTP CONTROL
- FTPCON
- .prf
- \Profiles
- ftp://
- opera
- wand.dat
- _Software\Opera Software
- Last Directory3
- Last Install Path
- Opera.HTML\shell\open\command
- wiseftpsrvs.bin
- \AceBIT
- Software\AceBIT
- MRU
- SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
- SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
- wiseftpsrvs.ini
- wiseftp.ini
- FTPVoyager.ftp
- FTPVoyager.qc
- \RhinoSoft.com
- nss3.dll
- NSS_Init
- NSS_Shutdown
- NSSBase64_DecodeBuffer
- SECITEM_FreeItem
- PK11_GetInternalKeySlot
- PK11_Authenticate
- PK11SDR_Decrypt
- PK11_FreeSlot
- sqlite3.dll
- sqlite3_open
- sqlite3_close
- sqlite3_prepare
- sqlite3_step
- sqlite3_column_bytes
- sqlite3_column_blob
- mozsqlite3.dll
- sqlite3_open
- sqlite3_close
- sqlite3_prepare
- sqlite3_step
- sqlite3_column_bytes
- sqlite3_column_blob
- profiles.ini
- Profile
- IsRelative
- Path
- PathToExe
- prefs.js
- signons.sqlite
- signons.txt
- signons2.txt
- signons3.txt
- SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
- Firefox
- \Mozilla\Firefox\
- Software\Mozilla
- ftp://
- ftp.
- fireFTPsites.dat
- SeaMonkey
- \Mozilla\SeaMonkey\
- Flock
- \Flock\Browser\
- Mozilla
- \Mozilla\Profiles\
- Software\LeechFTP
- AppDir
- LocalDir
- bookmark.dat
- SiteInfo.QFP
- Odin
- Favorites.dat
- WinFTP
- sites.db
- CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
- servers.xml
- \FTPGetter
- ESTdb2.dat
- QData.dat
- \Estsoft\ALFTP
- Internet Explorer
- WininetCacheCredentials
- MS IE FTP Passwords
- DPAPI:
- Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- Microsoft_WinInet_*
- ftp://
- Software\Adobe\Common
- SiteServers
- SiteServer %d\Host
- SiteServer %d\WebUrl
- SiteServer %d\Remote Directory
- SiteServer %d-User
- SiteServer %d-User PW
- %s\Keychain
- SiteServer %d\SFTP
- DeluxeFTP
- sites.xml
- Web Data
- Login Data
- SQLite format 3
- table
- CONSTRAINT
- PRIMARY
- UNIQUE
- CHECK
- FOREIGN
- logins
- origin_url
- password_value
- username_value
- ftp://
- \Google\Chrome
- \Chromium
- \ChromePlus
- Software\ChromePlus
- Install_Dir
- \Bromium
- \Nichrome
- \Comodo
- \RockMelt
- K-Meleon
- \K-Meleon
- \Profiles
- Epic
- \Epic\Epic
- Staff-FTP
- sites.ini
- \Sites
- \Visicom Media
- .ftp
- \Global Downloader
- SM.arch
- FreshFTP
- .SMF
- BlazeFtp
- site.dat
- LastPassword
- LastAddress
- LastUser
- LastPort
- Software\FlashPeak\BlazeFtp\Settings
- \BlazeFtp
- .fpl
- FTP++.Link\shell\open\command
- GoFTP
- Connections.txt
- 3D-FTP
- sites.ini
- \3D-FTP
- \SiteDesigner
- SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
- EasyFTP
- \NetSarang
- .xfp
- .rdp
- TERMSRV/*
- password 51:b:
- username:s:
- full address:s:
- TERMSRV/
- FTP Now
- FTPNow
- sites.xml
- SOFTWARE\Robo-FTP 3.7\Scripts
- SOFTWARE\Robo-FTP 3.7\FTPServers
- FTP Count
- FTP File%d
- Password
- ServerName
- UserID
- InitialDirectory
- PortNumber
- ServerType
- fMY
- Software\LinasFTP\Site Manager
- Host
- User
- Pass
- Port
- Remote Dir
- \Cyberduck
- .duck
- user.config
- <setting name="
- value="
- Software\SimonTatham\PuTTY\Sessions
- HostName
- UserName
- Password
- PortNumber
- TerminalType
- NppFTP.xml
- \Notepad++
- Software\CoffeeCup Software
- FTP destination server
- FTP destination user
- FTP destination password
- FTP destination port
- FTP destination catalog
- FTP profiles
- FTPShell
- ftpshell.fsi
- Software\MAS-Soft\FTPInfo\Setup
- DataDir
- \FTPInfo
- ServerList.xml
- NexusFile
- ftpsite.ini
- FastStone Browser
- FTPList.db
- \MapleStudio\ChromePlus
- Software\Nico Mak Computing\WinZip\FTP
- Software\Nico Mak Computing\WinZip\mru\jobs
- Site
- UserID
- xflags
- Port
- Folder
- .wjf
- winex="
- \Yandex
- My FTP
- project.ini
- .xml
- {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
- NovaFTP.db
- \INSoftware\NovaFTP
- .oeaccount
- Salt
- <POP3_Password2
- <SMTP_Password2
- <IMAP_Password2
- <HTTPMail_Password2
- \Microsoft\Windows Live Mail
- Software\Microsoft\Windows Live Mail
- \Microsoft\Windows Mail
- Software\Microsoft\Windows Mail
- Software\RimArts\B2\Settings
- DataDir
- DataDirBak
- Mailbox.ini
- Software\Poco Systems Inc
- Path
- \PocoSystem.ini
- Program
- DataPath
- accounts.ini
- \Pocomail
- Software\IncrediMail
- EmailAddress
- Technology
- PopServer
- PopPort
- PopAccount
- PopPassword
- SmtpServer
- SmtpPort
- SmtpAccount
- SmtpPassword
- account.cfg
- account.cfn
- \BatMail
- \The Bat!
- Software\RIT\The Bat!
- Software\RIT\The Bat!\Users depot
- Working Directory
- ProgramDir
- Count
- Default
- Dir #%d
- SMTP Email Address
- SMTP Server
- POP3 Server
- POP3 User Name
- SMTP User Name
- NNTP Email Address
- NNTP User Name
- NNTP Server
- IMAP Server
- IMAP User Name
- Email
- HTTP User
- HTTP Server URL
- POP3 User
- IMAP User
- HTTPMail User Name
- HTTPMail Server
- SMTP User
- POP3 Port
- SMTP Port
- IMAP Port
- POP3 Password2
- IMAP Password2
- NNTP Password2
- HTTPMail Password2
- SMTP Password2
- POP3 Password
- IMAP Password
- NNTP Password
- HTTP Password
- SMTP Password
- Software\Microsoft\Internet Account Manager\Accounts
- Identities
- Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
- Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Software\Microsoft\Internet Account Manager
- Outlook
- \Accounts
- identification
- identitymgr
- inetcomm server passwords
- outlook account manager passwords
- identities
- {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
- Thunderbird
- \Thunderbird
- FastTrack
- ftplist.txt
- ---
- #malwareMustDie!!!