puush.daemon.exe (241664 bytes):
  SHA-1 sum: 752c880c4c47581d97f6f5261146e22d0587b20f
  MD5 sum:   b4e349c935914a62ea1c1ead0bf8271e

payload (83456 bytes):
  SHA-1 sum: f40a64efee732466a86d557c1309ea44f89adc3c
  MD5 sum:   ef98164367c1ea47db15085d911b9793

Implemented remote control commands:

 1: communications test (ping/keepalive)
 5: initialize communications channel and return system information
 6: (threaded) HTTP GET to temp exe and create process
 7: create process (expanding path)
 9: exit
10: stop socket, sleep
11: uninstall self, exit
12: write .Identifier file
13: (threaded) HTTP GET to temp, optionally create process
14: get drive information
16: list directory
18: (threaded) list directory (recursive)
20: kill list directory thread (18)
21: send file?
22: fwrite
23: fclose
24: (threaded) copy file
25: create process
26: move file
27: delete file
28: create dir
29: delete directory tree
30: (threaded) create directory or send file list
31: fclose
32: (threaded) launch a shell
33: send shell command
34: kill shell thread (32)
36: get identity
38: list logon sessions
40: list processes
42: kill process
43: list windows
44: window control (show/hide window, send message, set window text)
45: (threaded) HTTP GET to local path, optionally create process
47: send key event
48: send key event (variant)
49: mouse event
50: mouse event (variant)
51: take screenshot, optionally JPEG compress, and (threaded) transfer it
54: list files in install path
56: get install path file size
57: delete file in install path
58: (threaded) read/write file in install path
61: steal browser credentials
62: steal browser credentials
    1,6: Steal Mozilla passwords (signons.sqlite and logins.json)
         1: Mozilla Firefox
         6: Mozilla SeaMonkey
    2: Steal IE credentials:
         - HTTP BASIC creds via advapi Cred API
         - Autocomplete passwords/data for all sites in the History
         - IE10/Win7 Vault
    3: Steal Opera credentials
         - wand.dat for default profile (pre-WebKit)
         - "Login Data" DB (post-WebKit)
    4,5: Google Chrome ("Login Data" DB for Default profile)
         4: Chrome
         5: Chromium
    default: all of the above
63: steal IM credentials
64: steal IM credentials
    1: Windows Live Messenger creds via advapi Cred API
    2: libpurple (GAIM/Pidgin) accounts.xml
    default: both
65: steal email credentials
66: steal email credentials
    1: Outlook (POP3, IMAP, HTTP, SMTP creds via registry)
    2: Mozilla Thunderbird (signons.sqlite and logins.json)
    default: both
67: create proxy connection
73: (threaded) recursive md5sum
76: kill md5sum thread (73)
77: get netstat
79: read registry key
81: write registry key

Skipped command numbers are unimplemented/unused.